Analysis Overview
SHA256
98140f537a8e029289590e7935cb52e3f6c98035c298eea5c3b803504389bc73
Threat Level: Known bad
The file 12c82b718d17020e6668fec1d50ae021_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies WinLogon for persistence
Adds policy Run key to start application
Disables RegEdit via registry modification
Checks computer location settings
Impair Defenses: Safe Mode Boot
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Checks whether UAC is enabled
Adds Run key to start application
Drops autorun.inf file
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
System policy modification
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 17:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 17:18
Reported
2024-06-26 17:20
Platform
win7-20240611-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnlestibqmveyxslkoz.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "kbyqddrjxsaibztljm.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujeufdpfrkqwnjbr.exe" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "kbyqddrjxsaibztljm.exe" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "xrrmcfwrigrcyzwrsylff.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brneqpctgahogdwnk.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "vnlestibqmveyxslkoz.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "xrrmcfwrigrcyzwrsylff.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brneqpctgahogdwnk.exe" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "vnlestibqmveyxslkoz.exe" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "ujeufdpfrkqwnjbr.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibaujlbvliscxxtnnsex.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "kbyqddrjxsaibztljm.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "brneqpctgahogdwnk.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnlestibqmveyxslkoz.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibaujlbvliscxxtnnsex.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brneqpctgahogdwnk.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "brneqpctgahogdwnk.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "ujeufdpfrkqwnjbr.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "vnlestibqmveyxslkoz.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrmcfwrigrcyzwrsylff.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbyqddrjxsaibztljm.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inyeft = "ibaujlbvliscxxtnnsex.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\orae = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujeufdpfrkqwnjbr.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\udschzfpvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrmcfwrigrcyzwrsylff.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbyqddrjxsaibztljm.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjxgkbgpu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrmcfwrigrcyzwrsylff.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "ibaujlbvliscxxtnnsex.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\orae = "kbyqddrjxsaibztljm.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbyqddrjxsaibztljm.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\orae = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrmcfwrigrcyzwrsylff.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\udschzfpvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrmcfwrigrcyzwrsylff.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\krempfjr = "ujeufdpfrkqwnjbr.exe ." | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\vbnuwlo = "vnlestibqmveyxslkoz.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\udschzfpvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujeufdpfrkqwnjbr.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\krempfjr = "vnlestibqmveyxslkoz.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "xrrmcfwrigrcyzwrsylff.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\udschzfpvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibaujlbvliscxxtnnsex.exe" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjxgkbgpu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnlestibqmveyxslkoz.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\vbnuwlo = "xrrmcfwrigrcyzwrsylff.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjxgkbgpu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbyqddrjxsaibztljm.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\vbnuwlo = "brneqpctgahogdwnk.exe" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "vnlestibqmveyxslkoz.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\krempfjr = "ujeufdpfrkqwnjbr.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujeufdpfrkqwnjbr.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brneqpctgahogdwnk.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\udschzfpvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujeufdpfrkqwnjbr.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrmcfwrigrcyzwrsylff.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\orae = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrmcfwrigrcyzwrsylff.exe" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjxgkbgpu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibaujlbvliscxxtnnsex.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\orae = "xrrmcfwrigrcyzwrsylff.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\vbnuwlo = "ibaujlbvliscxxtnnsex.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujeufdpfrkqwnjbr.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\orae = "vnlestibqmveyxslkoz.exe" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\orae = "kbyqddrjxsaibztljm.exe" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\vbnuwlo = "kbyqddrjxsaibztljm.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\krempfjr = "kbyqddrjxsaibztljm.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\orae = "brneqpctgahogdwnk.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\vbnuwlo = "ibaujlbvliscxxtnnsex.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\udschzfpvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbyqddrjxsaibztljm.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\krempfjr = "ujeufdpfrkqwnjbr.exe ." | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjxgkbgpu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbyqddrjxsaibztljm.exe ." | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\orae = "kbyqddrjxsaibztljm.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrmcfwrigrcyzwrsylff.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\orae = "xrrmcfwrigrcyzwrsylff.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\udschzfpvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibaujlbvliscxxtnnsex.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\udschzfpvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnlestibqmveyxslkoz.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\udschzfpvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brneqpctgahogdwnk.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\orae = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brneqpctgahogdwnk.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\orae = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brneqpctgahogdwnk.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "ujeufdpfrkqwnjbr.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "vnlestibqmveyxslkoz.exe ." | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\vbnuwlo = "ujeufdpfrkqwnjbr.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\orae = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrrmcfwrigrcyzwrsylff.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brneqpctgahogdwnk.exe ." | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\krempfjr = "xrrmcfwrigrcyzwrsylff.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\udschzfpvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibaujlbvliscxxtnnsex.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\orae = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibaujlbvliscxxtnnsex.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\krempfjr = "ibaujlbvliscxxtnnsex.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjxgkbgpu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujeufdpfrkqwnjbr.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "kbyqddrjxsaibztljm.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\vbnuwlo = "ujeufdpfrkqwnjbr.exe" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "ibaujlbvliscxxtnnsex.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjxgkbgpu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujeufdpfrkqwnjbr.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xblqq = "xrrmcfwrigrcyzwrsylff.exe ." | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\vbnuwlo = "ujeufdpfrkqwnjbr.exe" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\krempfjr = "kbyqddrjxsaibztljm.exe ." | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\ojkgxbtphgsebdbxzgupqm.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File created | C:\Windows\SysWOW64\cdkmjtrtrwogjrvxfsmnuwtd.dbg | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xrrmcfwrigrcyzwrsylff.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kbyqddrjxsaibztljm.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vnlestibqmveyxslkoz.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ujeufdpfrkqwnjbr.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ojkgxbtphgsebdbxzgupqm.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xrrmcfwrigrcyzwrsylff.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ujeufdpfrkqwnjbr.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ibaujlbvliscxxtnnsex.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kbyqddrjxsaibztljm.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ujeufdpfrkqwnjbr.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ujeufdpfrkqwnjbr.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vnlestibqmveyxslkoz.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\brneqpctgahogdwnk.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vnlestibqmveyxslkoz.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xrrmcfwrigrcyzwrsylff.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lxpckfobkadguncpiglxpckfobkadguncpi.lxp | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File created | C:\Windows\SysWOW64\lxpckfobkadguncpiglxpckfobkadguncpi.lxp | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\brneqpctgahogdwnk.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vnlestibqmveyxslkoz.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xrrmcfwrigrcyzwrsylff.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\brneqpctgahogdwnk.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kbyqddrjxsaibztljm.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ibaujlbvliscxxtnnsex.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cdkmjtrtrwogjrvxfsmnuwtd.dbg | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\brneqpctgahogdwnk.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ibaujlbvliscxxtnnsex.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ibaujlbvliscxxtnnsex.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ojkgxbtphgsebdbxzgupqm.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kbyqddrjxsaibztljm.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ojkgxbtphgsebdbxzgupqm.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\cdkmjtrtrwogjrvxfsmnuwtd.dbg | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File created | C:\Program Files (x86)\cdkmjtrtrwogjrvxfsmnuwtd.dbg | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\lxpckfobkadguncpiglxpckfobkadguncpi.lxp | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File created | C:\Program Files (x86)\lxpckfobkadguncpiglxpckfobkadguncpi.lxp | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\brneqpctgahogdwnk.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\ujeufdpfrkqwnjbr.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\kbyqddrjxsaibztljm.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\ojkgxbtphgsebdbxzgupqm.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\ibaujlbvliscxxtnnsex.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\kbyqddrjxsaibztljm.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\xrrmcfwrigrcyzwrsylff.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\ujeufdpfrkqwnjbr.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\brneqpctgahogdwnk.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\xrrmcfwrigrcyzwrsylff.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\ojkgxbtphgsebdbxzgupqm.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\ujeufdpfrkqwnjbr.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\vnlestibqmveyxslkoz.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\vnlestibqmveyxslkoz.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\ibaujlbvliscxxtnnsex.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\xrrmcfwrigrcyzwrsylff.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\vnlestibqmveyxslkoz.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\cdkmjtrtrwogjrvxfsmnuwtd.dbg | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\lxpckfobkadguncpiglxpckfobkadguncpi.lxp | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\ujeufdpfrkqwnjbr.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\kbyqddrjxsaibztljm.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\vnlestibqmveyxslkoz.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\brneqpctgahogdwnk.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\ojkgxbtphgsebdbxzgupqm.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\brneqpctgahogdwnk.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\ojkgxbtphgsebdbxzgupqm.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\kbyqddrjxsaibztljm.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\xrrmcfwrigrcyzwrsylff.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File created | C:\Windows\cdkmjtrtrwogjrvxfsmnuwtd.dbg | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File created | C:\Windows\lxpckfobkadguncpiglxpckfobkadguncpi.lxp | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\ibaujlbvliscxxtnnsex.exe | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| File opened for modification | C:\Windows\ibaujlbvliscxxtnnsex.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe
"C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe" "c:\users\admin\appdata\local\temp\12c82b718d17020e6668fec1d50ae021_jaffacakes118.exe*"
C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe
"C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe" "-c:\users\admin\appdata\local\temp\12c82b718d17020e6668fec1d50ae021_jaffacakes118.exe"
C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe
"C:\Users\Admin\AppData\Local\Temp\vbnuwlo.exe" "-c:\users\admin\appdata\local\temp\12c82b718d17020e6668fec1d50ae021_jaffacakes118.exe"
C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe
"C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe" "c:\users\admin\appdata\local\temp\12c82b718d17020e6668fec1d50ae021_jaffacakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 142.250.179.238:80 | www.youtube.com | tcp |
| ZA | 41.151.132.154:30029 | | tcp |
| US | 8.8.8.8:53 | vsdgddzap.org | udp |
| US | 162.249.65.164:80 | vsdgddzap.org | tcp |
| US | 8.8.8.8:53 | jrwykqq.net | udp |
| US | 8.8.8.8:53 | ywjytvmz.net | udp |
| ZA | 41.151.132.154:30029 | | tcp |
| US | 8.8.8.8:53 | vmhhrib.info | udp |
| US | 8.8.8.8:53 | kwhfqnnejec.info | udp |
| US | 34.211.97.45:80 | kwhfqnnejec.info | tcp |
| US | 8.8.8.8:53 | bigmrsg.net | udp |
| US | 8.8.8.8:53 | eomqiyui.org | udp |
| US | 162.249.65.164:80 | eomqiyui.org | tcp |
| US | 8.8.8.8:53 | thtzwllqvjjg.info | udp |
| US | 8.8.8.8:53 | zrdjzfpso.net | udp |
| US | 8.8.8.8:53 | tqbsamossau.org | udp |
| US | 8.8.8.8:53 | hazzthxrziyh.net | udp |
| US | 8.8.8.8:53 | lebcyqd.com | udp |
| US | 8.8.8.8:53 | aterzo.net | udp |
| US | 8.8.8.8:53 | mowyegya.org | udp |
| US | 8.8.8.8:53 | datrxkxgvqhi.net | udp |
| US | 8.8.8.8:53 | jawzfnq.org | udp |
| US | 162.249.65.164:80 | jawzfnq.org | tcp |
| US | 8.8.8.8:53 | dicsfwql.info | udp |
| US | 8.8.8.8:53 | dqlfhoz.org | udp |
| US | 8.8.8.8:53 | joqukgtsi.com | udp |
| US | 8.8.8.8:53 | assgayckue.org | udp |
| US | 8.8.8.8:53 | dglapaaeb.info | udp |
| US | 8.8.8.8:53 | qaxyvsymzas.info | udp |
| US | 8.8.8.8:53 | gybkkuekoig.net | udp |
| US | 8.8.8.8:53 | ikzszjxmq.info | udp |
| US | 208.100.26.245:80 | ikzszjxmq.info | tcp |
| US | 8.8.8.8:53 | wchjzwzahue.net | udp |
| US | 8.8.8.8:53 | pvpebmdt.net | udp |
| US | 8.8.8.8:53 | difoyoiwkq.net | udp |
| US | 8.8.8.8:53 | nibgvqqbg.net | udp |
| US | 8.8.8.8:53 | eoagosgwciko.org | udp |
| US | 8.8.8.8:53 | ydvrme.net | udp |
| US | 8.8.8.8:53 | ouumqemi.com | udp |
| US | 8.8.8.8:53 | dqarln.info | udp |
| US | 8.8.8.8:53 | hzveejfiyuj.info | udp |
| US | 8.8.8.8:53 | bfnkdfbtnuch.info | udp |
| US | 8.8.8.8:53 | ynnsxknyv.info | udp |
| US | 8.8.8.8:53 | jinzhwrsqi.info | udp |
| US | 8.8.8.8:53 | sfbvncka.net | udp |
| US | 8.8.8.8:53 | ncusnlcx.info | udp |
| US | 8.8.8.8:53 | hswepwt.com | udp |
| US | 8.8.8.8:53 | lzmkqyueh.info | udp |
| US | 8.8.8.8:53 | mokcscyg.com | udp |
| US | 8.8.8.8:53 | nvpsroxs.net | udp |
| US | 8.8.8.8:53 | nbwpnwtp.info | udp |
| US | 8.8.8.8:53 | yvrnagjc.info | udp |
| US | 8.8.8.8:53 | fzfetmzob.com | udp |
| US | 8.8.8.8:53 | hfreyramirlz.info | udp |
| US | 8.8.8.8:53 | kgcqac.org | udp |
| US | 8.8.8.8:53 | jydnupwk.net | udp |
| US | 8.8.8.8:53 | bkzwvij.info | udp |
| US | 8.8.8.8:53 | nefmpo.net | udp |
| US | 8.8.8.8:53 | qqmcgygssm.com | udp |
| US | 8.8.8.8:53 | yaoqkiwwme.org | udp |
| US | 8.8.8.8:53 | fqzwnde.net | udp |
| US | 8.8.8.8:53 | kbcmkiqa.net | udp |
| US | 8.8.8.8:53 | ukyimmqeguge.com | udp |
| US | 8.8.8.8:53 | lzzqgigv.info | udp |
| US | 8.8.8.8:53 | eqyaym.org | udp |
| US | 8.8.8.8:53 | krufud.info | udp |
| US | 8.8.8.8:53 | lriyqqd.com | udp |
| US | 8.8.8.8:53 | ialwjmfwl.info | udp |
| US | 8.8.8.8:53 | ostdxxh.info | udp |
Files
\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe
| MD5 | 492e48e205d31d05c9912850001d9a30 |
| SHA1 | be4f248cd3f2df7701e28becfa0be3f6caf9e55a |
| SHA256 | a212eb2aeb534dc6b9b1dfc06016e55a54a2375b88fbdcd99d386ccd28987c15 |
| SHA512 | bae5e3f1e7805b3f847a3e0db78ce729ef1edbb111123c95719c4c824affa03f74aa6d8988cb68923865c5668256c7679bb7762ef075adb14a0d375e11020443 |
C:\Windows\SysWOW64\kbyqddrjxsaibztljm.exe
| MD5 | 12c82b718d17020e6668fec1d50ae021 |
| SHA1 | 53e81b3546eea831169150f94fbe8b44ceeef862 |
| SHA256 | 98140f537a8e029289590e7935cb52e3f6c98035c298eea5c3b803504389bc73 |
| SHA512 | 9ec86d72c5d8655e894448f838e35ac0bf85bff4bf98d0430c749560fb84370d850f979473524c507adabf1d2034776ac43ccc7f36cb9ab818f3197ac45ba309 |
\Users\Admin\AppData\Local\Temp\vbnuwlo.exe
| MD5 | bb892b9135eaefbc46a415a53003ee46 |
| SHA1 | 88d46b5f5e25c2c7439bf042a6d73ccf0d794ec6 |
| SHA256 | 587084b72372e3c31602e7a9f89b48764b56fefb09367c389507c70bce07148b |
| SHA512 | 193ed47f02452586f7e41776d5cdd1e24fb2a5c12db9f0b05467db5fce887b00387497a234e96b56f79cd135761d94c8399dd6a9e2ab570077bfbf81093f28f1 |
C:\Users\Admin\AppData\Local\cdkmjtrtrwogjrvxfsmnuwtd.dbg
| MD5 | 4f3cf96a461d7503cfbb8490cc18896c |
| SHA1 | ef9246dd53c9b42c4e20d89d9bc31791aa4e681c |
| SHA256 | 023bc7189f6d0ef73e7627a9fd444068c06b4dcb1024147c3a2744a4d678562f |
| SHA512 | fb02ca10152b86d7fb404bf7fcfe8077e62e0251cb1ab08299844e86992b472b34c3a262ab64bbebf3417d3bbe88e97da82be9c82c34bb595d6919b1127538c4 |
C:\Users\Admin\AppData\Local\lxpckfobkadguncpiglxpckfobkadguncpi.lxp
| MD5 | f48c6dd8c6b5041801b5abb4659ba161 |
| SHA1 | d8430d4290526149136b8b60c2f71f12a3405fbb |
| SHA256 | d1791810f3ec339c1c479db2238266347e4a5a59d58efb6a8645139290561961 |
| SHA512 | d74b30d6fd9959027039b86e21b54c70196913728150eacfa0b34e3466fdbebf5acc1e36ac49762d8e832559efc5b19b480c0d874dea4e091c7888424d8bc88e |
C:\Program Files (x86)\cdkmjtrtrwogjrvxfsmnuwtd.dbg
| MD5 | b1fba51febb58bef68bb4cc61bd9ea64 |
| SHA1 | 5d66e314631b57313a14212cf213723cc232b128 |
| SHA256 | 5019358177f832abd9c7d98e88fdb0f668c0050c98321a65f805d8642e294e6e |
| SHA512 | 8b8c1aa7a25e6b5e0bded56fdf92908bc30138f44bb49bffb0a8c211cd271a32538cf1b2311c4b0c01cda568cef1b9ed4fc88e232bb1365c4ed8936338f324b5 |
C:\Program Files (x86)\cdkmjtrtrwogjrvxfsmnuwtd.dbg
| MD5 | 6cc3651bce4acadf871874ce64a5a75d |
| SHA1 | 2fc9f0cb540dc440faaca251c207d5bdf8ed0751 |
| SHA256 | fbbac591cd708aa8766fa5951c96b480881d9aabf8f803ddedfbcb3257cb0c8d |
| SHA512 | def98e607da901e16c98565e60f71e7c5eaa1c42ea604d1de9a6298347f8a159fb6e104e20ff1455e246a7f929dea2efcb3a6b53222f7db35e72566790eec668 |
C:\Program Files (x86)\cdkmjtrtrwogjrvxfsmnuwtd.dbg
| MD5 | 741777248c358034e2aac219b9cf406c |
| SHA1 | 7009c7a6806557bdc523bcacbda2f0bec33dc5c1 |
| SHA256 | d2af533e057f7bb5df6a69b189c4ec148a919a9d5503c2a111810584e87a5229 |
| SHA512 | 15ea8e4fc61258101822ac3c9819ac4feb5aa80770d147e506d8f5438fef451ad53422e20e5b0c7c079bd83626802794d91e74743edef530cadb846698896373 |
C:\Users\Admin\AppData\Local\cdkmjtrtrwogjrvxfsmnuwtd.dbg
| MD5 | b8037c8bf948eaa7fa3cf21f18132fea |
| SHA1 | 253692289d0697161b0230303770129413a611cf |
| SHA256 | da99d0b5ba8628ed7280da7ec34789ce77b55b92436a521c7777a3fea908d7dc |
| SHA512 | 8bfe8ef8056e8340337c84c0cecc42d84e1451620fbe737056b60c3252e9a682babe4cc21ff53116f13db7bac12b700ed9d02ea4550ab448bbabf030a56fe462 |
C:\Users\Admin\AppData\Local\cdkmjtrtrwogjrvxfsmnuwtd.dbg
| MD5 | f905dcd5c95bd1d5433946ed311e96c5 |
| SHA1 | f06d7ca66b0f8800ca0c2c5781f76a7af4cdd5b9 |
| SHA256 | 170ce6ebabce47e4681c1fde674ba82b17e900ac88582bc74504b11975471282 |
| SHA512 | bc460a961b8b9e85cec96e75c7239db0b7397c2ac34c415fb59015cad6db31a452d2f99c333af0a13ef429e69889b54b7593d72147fc42c9a97a05ef58a6bb95 |
C:\Users\Admin\AppData\Local\cdkmjtrtrwogjrvxfsmnuwtd.dbg
| MD5 | ae827e3db1d451d8c13c64159abb084a |
| SHA1 | c1ecc66afe4fb72ff46ca1f491704b98c8036907 |
| SHA256 | 9b4568b6f2c76ed7b222235ef46d9c152d987a309833c1e7e21e3b963fa04068 |
| SHA512 | 9df6f08604324b0196847834b72a604b8bd8d52d68033774ce1224e39ecae117a9199297cf2eeb76425afc78a1d3cc3c8390e730e901c52f57df16f2ec009973 |
C:\Users\Admin\AppData\Local\cdkmjtrtrwogjrvxfsmnuwtd.dbg
| MD5 | 3ad13a2e960cb0e7eb2054523d89fdd4 |
| SHA1 | 08368c2862e2c03643f5eeffa881b075a90dc459 |
| SHA256 | f24dacf698a2fea8348c0875f8b6c0c881e4826a921c2d9dcd90b332cf79cc61 |
| SHA512 | b8742104a33073944b70c9db2a36276adca6801819604ed084a3de283a392511f57d594f2ff35d1e06938b81b839d77f8c82cde033ff84e53e18fcc1453b9dc1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 17:18
Reported
2024-06-26 17:20
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iitnixmifymxrqmkkk.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "sqzrkxkezqcldauq.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqzrkxkezqcldauq.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqzrkxkezqcldauq.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "vymjhzrqqmdroqpqtwkhf.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\givrofwutoernommoqdz.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyibvjxsogtdwupml.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tugbxndayshtoolklmy.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vymjhzrqqmdroqpqtwkhf.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyibvjxsogtdwupml.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iitnixmifymxrqmkkk.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "givrofwutoernommoqdz.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "givrofwutoernommoqdz.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "zyibvjxsogtdwupml.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "givrofwutoernommoqdz.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tugbxndayshtoolklmy.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "tugbxndayshtoolklmy.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "vymjhzrqqmdroqpqtwkhf.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "iitnixmifymxrqmkkk.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\givrofwutoernommoqdz.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "iitnixmifymxrqmkkk.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "zyibvjxsogtdwupml.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "tugbxndayshtoolklmy.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tiirbfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iitnixmifymxrqmkkk.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "sqzrkxkezqcldauq.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sknzmtaodo = "tugbxndayshtoolklmy.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngkxltbqgsz = "iitnixmifymxrqmkkk.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "givrofwutoernommoqdz.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jekzpzjasgpvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vymjhzrqqmdroqpqtwkhf.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kejxmveulygl = "zyibvjxsogtdwupml.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jekzpzjasgpvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tugbxndayshtoolklmy.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iitnixmifymxrqmkkk.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "vymjhzrqqmdroqpqtwkhf.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tugbxndayshtoolklmy.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "givrofwutoernommoqdz.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "sqzrkxkezqcldauq.exe ." | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iitnixmifymxrqmkkk.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "tugbxndayshtoolklmy.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgndufqibqahxs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\givrofwutoernommoqdz.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\givrofwutoernommoqdz.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgndufqibqahxs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iitnixmifymxrqmkkk.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tugbxndayshtoolklmy.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jekzpzjasgpvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqzrkxkezqcldauq.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "sqzrkxkezqcldauq.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgndufqibqahxs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\givrofwutoernommoqdz.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "iitnixmifymxrqmkkk.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngkxltbqgsz = "tugbxndayshtoolklmy.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kejxmveulygl = "vymjhzrqqmdroqpqtwkhf.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "vymjhzrqqmdroqpqtwkhf.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tugbxndayshtoolklmy.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "sqzrkxkezqcldauq.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\givrofwutoernommoqdz.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgndufqibqahxs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tugbxndayshtoolklmy.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kejxmveulygl = "zyibvjxsogtdwupml.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jekzpzjasgpvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iitnixmifymxrqmkkk.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jekzpzjasgpvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tugbxndayshtoolklmy.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jekzpzjasgpvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\givrofwutoernommoqdz.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "vymjhzrqqmdroqpqtwkhf.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "iitnixmifymxrqmkkk.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "tugbxndayshtoolklmy.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jekzpzjasgpvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iitnixmifymxrqmkkk.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jekzpzjasgpvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\givrofwutoernommoqdz.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgndufqibqahxs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyibvjxsogtdwupml.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iitnixmifymxrqmkkk.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kejxmveulygl = "givrofwutoernommoqdz.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\givrofwutoernommoqdz.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqzrkxkezqcldauq.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tugbxndayshtoolklmy.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jekzpzjasgpvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vymjhzrqqmdroqpqtwkhf.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "zyibvjxsogtdwupml.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgndufqibqahxs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqzrkxkezqcldauq.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngkxltbqgsz = "givrofwutoernommoqdz.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngkxltbqgsz = "sqzrkxkezqcldauq.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngkxltbqgsz = "sqzrkxkezqcldauq.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "iitnixmifymxrqmkkk.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jekzpzjasgpvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyibvjxsogtdwupml.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\givrofwutoernommoqdz.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyibvjxsogtdwupml.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngkxltbqgsz = "vymjhzrqqmdroqpqtwkhf.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgndufqibqahxs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tugbxndayshtoolklmy.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kejxmveulygl = "tugbxndayshtoolklmy.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgndufqibqahxs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vymjhzrqqmdroqpqtwkhf.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "iitnixmifymxrqmkkk.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iitnixmifymxrqmkkk.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyibvjxsogtdwupml.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zqsdpvboc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vymjhzrqqmdroqpqtwkhf.exe ." | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngkxltbqgsz = "iitnixmifymxrqmkkk.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqzrkxkezqcldauq.exe" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iyzjuzeq = "sqzrkxkezqcldauq.exe" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kejxmveulygl = "iitnixmifymxrqmkkk.exe ." | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\tugbxndayshtoolklmy.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vymjhzrqqmdroqpqtwkhf.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\givrofwutoernommoqdz.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sqzrkxkezqcldauq.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zyibvjxsogtdwupml.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mqfdcvoopmetruuwaetrqj.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iitnixmifymxrqmkkk.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mqfdcvoopmetruuwaetrqj.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ngkxltbqgszdqixohaerfnvkamtxkcrib.ylz | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vymjhzrqqmdroqpqtwkhf.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iitnixmifymxrqmkkk.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tugbxndayshtoolklmy.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iitnixmifymxrqmkkk.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\givrofwutoernommoqdz.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\givrofwutoernommoqdz.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File created | C:\Windows\SysWOW64\wexzczwafgcvxeiowexzcz.afg | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sqzrkxkezqcldauq.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iitnixmifymxrqmkkk.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tugbxndayshtoolklmy.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\givrofwutoernommoqdz.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zyibvjxsogtdwupml.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sqzrkxkezqcldauq.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zyibvjxsogtdwupml.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mqfdcvoopmetruuwaetrqj.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wexzczwafgcvxeiowexzcz.afg | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zyibvjxsogtdwupml.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vymjhzrqqmdroqpqtwkhf.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mqfdcvoopmetruuwaetrqj.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tugbxndayshtoolklmy.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vymjhzrqqmdroqpqtwkhf.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File created | C:\Windows\SysWOW64\ngkxltbqgszdqixohaerfnvkamtxkcrib.ylz | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sqzrkxkezqcldauq.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\wexzczwafgcvxeiowexzcz.afg | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File created | C:\Program Files (x86)\wexzczwafgcvxeiowexzcz.afg | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ngkxltbqgszdqixohaerfnvkamtxkcrib.ylz | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File created | C:\Program Files (x86)\ngkxltbqgszdqixohaerfnvkamtxkcrib.ylz | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\sqzrkxkezqcldauq.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\wexzczwafgcvxeiowexzcz.afg | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\iitnixmifymxrqmkkk.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\vymjhzrqqmdroqpqtwkhf.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\tugbxndayshtoolklmy.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\iitnixmifymxrqmkkk.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\iitnixmifymxrqmkkk.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\ngkxltbqgszdqixohaerfnvkamtxkcrib.ylz | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\zyibvjxsogtdwupml.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\vymjhzrqqmdroqpqtwkhf.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\mqfdcvoopmetruuwaetrqj.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\sqzrkxkezqcldauq.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\zyibvjxsogtdwupml.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\sqzrkxkezqcldauq.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\sqzrkxkezqcldauq.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\zyibvjxsogtdwupml.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\givrofwutoernommoqdz.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\mqfdcvoopmetruuwaetrqj.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\iitnixmifymxrqmkkk.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\tugbxndayshtoolklmy.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\givrofwutoernommoqdz.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\mqfdcvoopmetruuwaetrqj.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\mqfdcvoopmetruuwaetrqj.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File created | C:\Windows\wexzczwafgcvxeiowexzcz.afg | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File created | C:\Windows\ngkxltbqgszdqixohaerfnvkamtxkcrib.ylz | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\tugbxndayshtoolklmy.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\givrofwutoernommoqdz.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\givrofwutoernommoqdz.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\tugbxndayshtoolklmy.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\vymjhzrqqmdroqpqtwkhf.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| File opened for modification | C:\Windows\vymjhzrqqmdroqpqtwkhf.exe | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| File opened for modification | C:\Windows\zyibvjxsogtdwupml.exe | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gutbkn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12c82b718d17020e6668fec1d50ae021_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe
"C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe" "c:\users\admin\appdata\local\temp\12c82b718d17020e6668fec1d50ae021_jaffacakes118.exe*"
C:\Users\Admin\AppData\Local\Temp\gutbkn.exe
"C:\Users\Admin\AppData\Local\Temp\gutbkn.exe" "-c:\users\admin\appdata\local\temp\12c82b718d17020e6668fec1d50ae021_jaffacakes118.exe"
C:\Users\Admin\AppData\Local\Temp\gutbkn.exe
"C:\Users\Admin\AppData\Local\Temp\gutbkn.exe" "-c:\users\admin\appdata\local\temp\12c82b718d17020e6668fec1d50ae021_jaffacakes118.exe"
C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe
"C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe" "c:\users\admin\appdata\local\temp\12c82b718d17020e6668fec1d50ae021_jaffacakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 8.8.8.8:53 | www.adobe.com | udp |
| US | 8.8.8.8:53 | www.bbc.co.uk | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wiptgynegsz.exe
| MD5 | 3190d1519e362a1b068c45dc3e37bcb3 |
| SHA1 | af0b7d47f0af9ca6591d21d0ae5b428d27a869b8 |
| SHA256 | 580765128d698196b9c6eb7d75db1fc5beeca9c253cb59d6af0f7ec82b206a51 |
| SHA512 | 1a814ff08a11ee64d931a4b0485f1956e41dbb951ea531c8813787f1bd42dd1af4651db53f9c8c049eb4b4412f3fbaa8cc2f9177e9cb4ebeefd42b4c89a374ba |
C:\Windows\SysWOW64\iitnixmifymxrqmkkk.exe
| MD5 | 12c82b718d17020e6668fec1d50ae021 |
| SHA1 | 53e81b3546eea831169150f94fbe8b44ceeef862 |
| SHA256 | 98140f537a8e029289590e7935cb52e3f6c98035c298eea5c3b803504389bc73 |
| SHA512 | 9ec86d72c5d8655e894448f838e35ac0bf85bff4bf98d0430c749560fb84370d850f979473524c507adabf1d2034776ac43ccc7f36cb9ab818f3197ac45ba309 |
C:\Users\Admin\AppData\Local\Temp\gutbkn.exe
| MD5 | 94be5b4f83bffc9ea13acd2ecb6fbf4c |
| SHA1 | 760deaff132321233eb2a30d8620a001345dc6bb |
| SHA256 | 620457b94018399280b725764f5db073ae8d43dd5509f5440ea41998c4258230 |
| SHA512 | 9a92f39a0f2518682f072938a9c92e1e74e7ddbdeaf887a1d90daaf4f2e44682afee1e5ec629017213cd3ec52e579cc7480fedfcdbcdfe6febc3e81bef656cbb |
C:\Users\Admin\AppData\Local\wexzczwafgcvxeiowexzcz.afg
| MD5 | 10bc0dedcedeb3c5f4e5206f54037cc1 |
| SHA1 | 73241a5c1bae5520dd9f16d10a9b086e3b9bd47e |
| SHA256 | de784d8693b184a4da772ed2a7b7b273e82e73d2fe6a2ed88309f64b3e2a8999 |
| SHA512 | 6af6e21947394ccb0e04a93e56258454110c7c9c33f91cdf1a87492b5a64d7cb1121d555ba3c3dca3b703fbbbdb7b171e2b8fd57f6c8f44d02309614edd3ab71 |
C:\Users\Admin\AppData\Local\ngkxltbqgszdqixohaerfnvkamtxkcrib.ylz
| MD5 | 93f9972bc469197b15b04c608c8a9588 |
| SHA1 | 06f03e0f5bd3fdc4d049ff3f27754d4766382ee2 |
| SHA256 | 804e5d4fc439afa0e75654a0bf7ca1656691486a62df244c36096d078c3584a4 |
| SHA512 | 1370f469fe8809a9a2bfc44b60b1acb650ec0a58af7fbc50bb9c4d1f7d9004e38192cba79e95705979ec84b7fff697c561cf01c0513e57f76e7b2bd263cf8129 |