Malware Analysis Report

2025-03-15 00:53

Sample ID 240626-xzl2ps1hmn
Target 131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118
SHA256 fbd2e2e9a43788994e7bd9f0f34240668a79c841a8c919ee79b8fcc9fda93dad
Tags defense_evasion evasion persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 fbd2e2e9a43788994e7bd9f0f34240668a79c841a8c919ee79b8fcc9fda93dad

Threat Level: Known bad

The file 131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion evasion persistence trojan

Modifies WinLogon for persistence

UAC bypass

Adds policy Run key to start application

Disables RegEdit via registry modification

Impair Defenses: Safe Mode Boot

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Looks up external IP address via web service

Adds Run key to start application

Drops file in System32 directory

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-26 19:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-26 19:17

Reported 2024-06-26 19:20

Platform win10v2004-20240508-en

Max time kernel 150s

Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "xzmgefwplesryxcyltlna.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\phkuizgpbko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijvollbtogtrxvzugnef.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\phkuizgpbko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\urzohdpduirlnhhy.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "xzmgefwplesryxcyltlna.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "kjtkfdrhaqbxbxzsch.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "bziyspcrjyidgbcud.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\phkuizgpbko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xzmgefwplesryxcyltlna.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\phkuizgpbko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bziyspcrjyidgbcud.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\phkuizgpbko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xzmgefwplesryxcyltlna.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "urzohdpduirlnhhy.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "bziyspcrjyidgbcud.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\phkuizgpbko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kjtkfdrhaqbxbxzsch.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "vvgyutiztkwtyvysdjz.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "vvgyutiztkwtyvysdjz.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\phkuizgpbko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bziyspcrjyidgbcud.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "urzohdpduirlnhhy.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "ijvollbtogtrxvzugnef.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "urzohdpduirlnhhy.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\phkuizgpbko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\urzohdpduirlnhhy.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\phkuizgpbko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijvollbtogtrxvzugnef.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "kjtkfdrhaqbxbxzsch.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "ijvollbtogtrxvzugnef.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\phkuizgpbko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\urzohdpduirlnhhy.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\phkuizgpbko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xzmgefwplesryxcyltlna.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "xzmgefwplesryxcyltlna.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bziyspcrjyidgbcud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kjtkfdrhaqbxbxzsch.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bziyspcrjyidgbcud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xzmgefwplesryxcyltlna.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bziyspcrjyidgbcud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijvollbtogtrxvzugnef.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\urzohdpduirlnhhy = "kjtkfdrhaqbxbxzsch.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\urzohdpduirlnhhy = "bziyspcrjyidgbcud.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "xzmgefwplesryxcyltlna.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\urzohdpduirlnhhy = "bziyspcrjyidgbcud.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kjtkfdrhaqbxbxzsch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvgyutiztkwtyvysdjz.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\urzohdpduirlnhhy.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\urzohdpduirlnhhy = "vvgyutiztkwtyvysdjz.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plsgyterhucvwpo = "vvgyutiztkwtyvysdjz.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "bziyspcrjyidgbcud.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plsgyterhucvwpo = "ijvollbtogtrxvzugnef.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plsgyterhucvwpo = "vvgyutiztkwtyvysdjz.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kjtkfdrhaqbxbxzsch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bziyspcrjyidgbcud.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kjtkfdrhaqbxbxzsch.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xzmgefwplesryxcyltlna.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "ijvollbtogtrxvzugnef.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "urzohdpduirlnhhy.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kjtkfdrhaqbxbxzsch.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bziyspcrjyidgbcud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\urzohdpduirlnhhy.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijvollbtogtrxvzugnef.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "vvgyutiztkwtyvysdjz.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvgyutiztkwtyvysdjz.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\urzohdpduirlnhhy.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "bziyspcrjyidgbcud.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bziyspcrjyidgbcud.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bziyspcrjyidgbcud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvgyutiztkwtyvysdjz.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bziyspcrjyidgbcud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kjtkfdrhaqbxbxzsch.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "bziyspcrjyidgbcud.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "urzohdpduirlnhhy.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plsgyterhucvwpo = "xzmgefwplesryxcyltlna.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\urzohdpduirlnhhy = "xzmgefwplesryxcyltlna.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kjtkfdrhaqbxbxzsch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kjtkfdrhaqbxbxzsch.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bziyspcrjyidgbcud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bziyspcrjyidgbcud.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvgyutiztkwtyvysdjz.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kjtkfdrhaqbxbxzsch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\urzohdpduirlnhhy.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijvollbtogtrxvzugnef.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kjtkfdrhaqbxbxzsch.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijvollbtogtrxvzugnef.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\urzohdpduirlnhhy = "kjtkfdrhaqbxbxzsch.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bziyspcrjyidgbcud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvgyutiztkwtyvysdjz.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xzmgefwplesryxcyltlna.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\urzohdpduirlnhhy = "vvgyutiztkwtyvysdjz.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kjtkfdrhaqbxbxzsch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kjtkfdrhaqbxbxzsch.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\urzohdpduirlnhhy.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xzmgefwplesryxcyltlna.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijvollbtogtrxvzugnef.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvgyutiztkwtyvysdjz.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kjtkfdrhaqbxbxzsch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xzmgefwplesryxcyltlna.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "urzohdpduirlnhhy.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plsgyterhucvwpo = "bziyspcrjyidgbcud.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\urzohdpduirlnhhy = "vvgyutiztkwtyvysdjz.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plsgyterhucvwpo = "ijvollbtogtrxvzugnef.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "vvgyutiztkwtyvysdjz.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plsgyterhucvwpo = "vvgyutiztkwtyvysdjz.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bziyspcrjyidgbcud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xzmgefwplesryxcyltlna.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\urzohdpduirlnhhy = "ijvollbtogtrxvzugnef.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plsgyterhucvwpo = "kjtkfdrhaqbxbxzsch.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bziyspcrjyidgbcud.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plsgyterhucvwpo = "bziyspcrjyidgbcud.exe" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bziyspcrjyidgbcud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kjtkfdrhaqbxbxzsch.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\urzohdpduirlnhhy = "bziyspcrjyidgbcud.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\urzohdpduirlnhhy = "ijvollbtogtrxvzugnef.exe ." C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.whatismyip.ca N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A www.whatismyip.ca N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\vvgyutiztkwtyvysdjz.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\ijvollbtogtrxvzugnef.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\xzmgefwplesryxcyltlna.exe C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File opened for modification C:\Windows\SysWOW64\bziyspcrjyidgbcud.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\kjtkfdrhaqbxbxzsch.exe C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File opened for modification C:\Windows\SysWOW64\vvgyutiztkwtyvysdjz.exe C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File opened for modification C:\Windows\SysWOW64\orfazbtnkettbbhesbuxlg.exe C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File opened for modification C:\Windows\SysWOW64\ijvollbtogtrxvzugnef.exe C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File created C:\Windows\SysWOW64\mhnarlvhwiphhzxmstezfsjdnzoahzzrpekl.rxk C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File opened for modification C:\Windows\SysWOW64\kjtkfdrhaqbxbxzsch.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\urzohdpduirlnhhy.exe C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File opened for modification C:\Windows\SysWOW64\bziyspcrjyidgbcud.exe C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File created C:\Windows\SysWOW64\hrmoudcdhielahuytjjtoqwfe.jkg C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File opened for modification C:\Windows\SysWOW64\urzohdpduirlnhhy.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\orfazbtnkettbbhesbuxlg.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\hrmoudcdhielahuytjjtoqwfe.jkg C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File opened for modification C:\Windows\SysWOW64\mhnarlvhwiphhzxmstezfsjdnzoahzzrpekl.rxk C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File opened for modification C:\Windows\SysWOW64\xzmgefwplesryxcyltlna.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\hrmoudcdhielahuytjjtoqwfe.jkg C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File created C:\Program Files (x86)\hrmoudcdhielahuytjjtoqwfe.jkg C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File opened for modification C:\Program Files (x86)\mhnarlvhwiphhzxmstezfsjdnzoahzzrpekl.rxk C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File created C:\Program Files (x86)\mhnarlvhwiphhzxmstezfsjdnzoahzzrpekl.rxk C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\urzohdpduirlnhhy.exe C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File opened for modification C:\Windows\kjtkfdrhaqbxbxzsch.exe C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File opened for modification C:\Windows\hrmoudcdhielahuytjjtoqwfe.jkg C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File opened for modification C:\Windows\xzmgefwplesryxcyltlna.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\orfazbtnkettbbhesbuxlg.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\hrmoudcdhielahuytjjtoqwfe.jkg C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File opened for modification C:\Windows\vvgyutiztkwtyvysdjz.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\xzmgefwplesryxcyltlna.exe C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File opened for modification C:\Windows\kjtkfdrhaqbxbxzsch.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\ijvollbtogtrxvzugnef.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\bziyspcrjyidgbcud.exe C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File opened for modification C:\Windows\ijvollbtogtrxvzugnef.exe C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File opened for modification C:\Windows\bziyspcrjyidgbcud.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\mhnarlvhwiphhzxmstezfsjdnzoahzzrpekl.rxk C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File opened for modification C:\Windows\urzohdpduirlnhhy.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\vvgyutiztkwtyvysdjz.exe C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File opened for modification C:\Windows\orfazbtnkettbbhesbuxlg.exe C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
File created C:\Windows\mhnarlvhwiphhzxmstezfsjdnzoahzzrpekl.rxk C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3464 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 1792 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\vjioylo.exe
PID 1792 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\vjioylo.exe
PID 3464 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\vjioylo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe

"C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe" "c:\users\admin\appdata\local\temp\131ff135d3cbadbe59f927d662f8dcdc_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\vjioylo.exe

"C:\Users\Admin\AppData\Local\Temp\vjioylo.exe" "-C:\Users\Admin\AppData\Local\Temp\urzohdpduirlnhhy.exe"

C:\Users\Admin\AppData\Local\Temp\vjioylo.exe

"C:\Users\Admin\AppData\Local\Temp\vjioylo.exe" "-C:\Users\Admin\AppData\Local\Temp\urzohdpduirlnhhy.exe"

C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe

"C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe" "c:\users\admin\appdata\local\temp\131ff135d3cbadbe59f927d662f8dcdc_jaffacakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 bmrjlm.net udp
US 8.8.8.8:53 darknroipjl.org udp
US 8.8.8.8:53 ewjccamtzlh.net udp
US 8.8.8.8:53 layuamikzdql.info udp
US 8.8.8.8:53 yrxdnkvpesem.info udp
US 8.8.8.8:53 ihjkeai.info udp
US 8.8.8.8:53 watedcrdntg.info udp
US 8.8.8.8:53 kiixvivcp.net udp
US 8.8.8.8:53 yvlsfvpux.info udp
US 8.8.8.8:53 iyckcwcgaucq.org udp
US 8.8.8.8:53 uiouocaqqmoy.org udp
US 8.8.8.8:53 hhlorggcrlgx.net udp
US 8.8.8.8:53 oqyegm.org udp
US 162.249.65.164:80 oqyegm.org tcp
US 8.8.8.8:53 cbypoq.net udp
US 8.8.8.8:53 gojkzblkjd.net udp
US 8.8.8.8:53 jvzyvatftfqd.info udp
US 8.8.8.8:53 txqzqy.net udp
US 8.8.8.8:53 ramdcshagga.net udp
US 8.8.8.8:53 fgnmhy.net udp
US 8.8.8.8:53 lciqvvr.org udp
US 8.8.8.8:53 lynfumjl.info udp
US 8.8.8.8:53 owwzkpzvkunz.info udp
US 8.8.8.8:53 tmddfwvdj.com udp
US 8.8.8.8:53 osuqasmwkega.com udp
US 8.8.8.8:53 emqgaq.org udp
US 8.8.8.8:53 ujxfuttmifle.net udp
US 8.8.8.8:53 lsfhhgkizzfj.net udp
US 8.8.8.8:53 dyrrlkpgb.net udp
US 8.8.8.8:53 yiucei.org udp
US 8.8.8.8:53 zonezuf.net udp
US 8.8.8.8:53 talugbndu.net udp
US 8.8.8.8:53 cmaqegqw.com udp
US 8.8.8.8:53 kwvexijzvuox.net udp
US 8.8.8.8:53 purwwenyj.com udp
US 8.8.8.8:53 fjrdep.net udp
US 8.8.8.8:53 tchximlbdye.info udp
US 8.8.8.8:53 aagosmeuqico.org udp
BG 87.97.150.61:23772 tcp
US 8.8.8.8:53 ualztbdnpcru.net udp
US 8.8.8.8:53 miasgykcgmwm.org udp
US 8.8.8.8:53 vszamneg.info udp
US 8.8.8.8:53 rihfigppyj.info udp
US 8.8.8.8:53 wvimtmr.net udp
US 8.8.8.8:53 drhdjqvr.info udp
US 8.8.8.8:53 colmdkvud.net udp
US 8.8.8.8:53 dmiiag.info udp
US 8.8.8.8:53 kmwkei.com udp
US 8.8.8.8:53 tbtebovh.info udp
US 8.8.8.8:53 bqngkclmbzh.info udp
US 8.8.8.8:53 bghvedjqyear.net udp
US 8.8.8.8:53 vdzshgcmbo.info udp
US 8.8.8.8:53 cffipww.info udp
US 8.8.8.8:53 lwldae.net udp
US 8.8.8.8:53 nzzfvfehku.info udp
US 8.8.8.8:53 samcmuoimuwc.com udp
US 8.8.8.8:53 psgmlqkt.info udp
US 8.8.8.8:53 dejiambqr.info udp
US 8.8.8.8:53 xvxqnlx.info udp
US 8.8.8.8:53 fapmez.net udp
US 8.8.8.8:53 aqcesysq.org udp
US 8.8.8.8:53 njphrow.net udp
US 8.8.8.8:53 fmpgtlnr.net udp
US 8.8.8.8:53 nukrnqt.info udp
US 8.8.8.8:53 bibcnuhc.info udp
US 8.8.8.8:53 dwvohi.info udp
US 8.8.8.8:53 zixwrjjcr.org udp
US 8.8.8.8:53 bavrjoztzi.net udp
US 8.8.8.8:53 gkwuccsw.com udp
US 8.8.8.8:53 vojabs.info udp
US 8.8.8.8:53 tjhabtt.info udp
US 8.8.8.8:53 gguiwmcike.com udp
US 8.8.8.8:53 jaktktbzcd.info udp
US 8.8.8.8:53 pfveuyfezshg.info udp
US 8.8.8.8:53 xobzexfvbdji.net udp
US 8.8.8.8:53 mpzepeeifsj.net udp
US 8.8.8.8:53 gmawtwrycam.info udp
US 8.8.8.8:53 ysvntwgn.info udp
US 8.8.8.8:53 valkehh.info udp
US 8.8.8.8:53 avhorwnwh.net udp
US 8.8.8.8:53 qqqcoscyie.com udp
US 8.8.8.8:53 fpkapqit.info udp
US 8.8.8.8:53 wplqxgiwd.info udp
US 8.8.8.8:53 tppgwk.net udp
US 8.8.8.8:53 nnfhdl.net udp
US 8.8.8.8:53 dabsfkf.org udp
US 8.8.8.8:53 zxzkscpc.net udp
US 8.8.8.8:53 dpzepnwnudlt.net udp
US 8.8.8.8:53 knhurclxt.net udp
US 8.8.8.8:53 dudplt.net udp
US 8.8.8.8:53 jxhbtmgbaabw.info udp
US 8.8.8.8:53 omsmrtr.net udp
US 8.8.8.8:53 cjleudnxfzvs.info udp
US 8.8.8.8:53 fuduznymxyj.net udp
US 8.8.8.8:53 qwiykg.org udp
US 8.8.8.8:53 nxhrncawvm.info udp
US 8.8.8.8:53 zgghjeyw.info udp
US 8.8.8.8:53 uosyqcameu.org udp
US 8.8.8.8:53 sbnwmhdd.info udp
US 8.8.8.8:53 yqjapdndp.net udp
US 8.8.8.8:53 jrhydkecl.net udp
US 8.8.8.8:53 etfitzlwhath.info udp
US 8.8.8.8:53 rqpalmeskea.info udp
US 8.8.8.8:53 zweegzy.net udp
US 8.8.8.8:53 vxjdgjwipz.info udp
US 8.8.8.8:53 zsqipixhprno.info udp
US 8.8.8.8:53 jrwtbwksdgli.net udp
US 8.8.8.8:53 zqgctaon.info udp
US 8.8.8.8:53 dsljlpwmvkn.org udp
US 8.8.8.8:53 wsygcc.com udp
US 8.8.8.8:53 nehugmlapkj.com udp
US 8.8.8.8:53 rhjtjgdn.net udp
US 8.8.8.8:53 gdtknyfat.net udp
US 8.8.8.8:53 jlkxbpfz.info udp
US 8.8.8.8:53 yazbbtmqptzs.net udp
US 8.8.8.8:53 ggowpsr.net udp
US 8.8.8.8:53 lqyuzhnsdwh.info udp
US 8.8.8.8:53 iaixydhqj.net udp
US 8.8.8.8:53 lwfcbspjh.com udp
US 8.8.8.8:53 gkllimd.info udp
US 8.8.8.8:53 tapcprxcbck.com udp
US 8.8.8.8:53 huvapwf.info udp
US 8.8.8.8:53 yaoqpybov.net udp
US 8.8.8.8:53 edkvvfhm.net udp
US 8.8.8.8:53 jnswrk.info udp
US 8.8.8.8:53 kefujkm.net udp
US 8.8.8.8:53 bypdbeft.net udp
US 8.8.8.8:53 ywwzdoommgl.info udp
US 8.8.8.8:53 qiwvjy.info udp
US 8.8.8.8:53 ysgquo.org udp
US 8.8.8.8:53 nvdihc.net udp
US 8.8.8.8:53 yxlcbuil.net udp
US 8.8.8.8:53 wvnxwtgs.info udp
US 8.8.8.8:53 gxurrijmwj.net udp
US 8.8.8.8:53 ixfsvqwnmyhh.info udp
US 8.8.8.8:53 akwagmuq.org udp
US 8.8.8.8:53 cimssckkesoy.com udp
US 8.8.8.8:53 mivonsn.net udp
US 8.8.8.8:53 csqecq.com udp
US 8.8.8.8:53 tsfpbwzulu.net udp
US 8.8.8.8:53 cruftfwdx.info udp
US 8.8.8.8:53 qahkwiajnf.info udp
US 8.8.8.8:53 yvcbvi.info udp
US 8.8.8.8:53 qieskwaeumgu.com udp
US 8.8.8.8:53 dynsgqe.com udp
US 8.8.8.8:53 ygkimmyiyq.com udp
US 8.8.8.8:53 cwqoigaq.com udp
US 8.8.8.8:53 lpxsxak.info udp
US 8.8.8.8:53 abhtvd.info udp
US 8.8.8.8:53 yururmq.info udp
US 8.8.8.8:53 ziiwdb.info udp
US 8.8.8.8:53 wmskoyiwckcc.com udp
US 8.8.8.8:53 xqtpfyl.com udp
US 8.8.8.8:53 qbkmkfhqr.net udp
US 8.8.8.8:53 mvdxof.info udp
US 8.8.8.8:53 jnueoe.info udp
US 8.8.8.8:53 tubcsi.net udp
US 8.8.8.8:53 kuuwpvl.net udp
US 8.8.8.8:53 rsvjduddlmg.net udp
US 8.8.8.8:53 yqsulei.info udp
US 8.8.8.8:53 dpwthhxfnpje.info udp
US 8.8.8.8:53 grtgjfddd.info udp
US 8.8.8.8:53 lsfgofca.net udp
US 8.8.8.8:53 icfkxadejct.net udp
US 8.8.8.8:53 rasctijwu.net udp
US 8.8.8.8:53 gwumgkswsk.com udp
US 8.8.8.8:53 dvbaccf.org udp
US 8.8.8.8:53 mzhtmkjrutn.net udp
US 8.8.8.8:53 gynchtukx.info udp
US 8.8.8.8:53 hzofdtymno.net udp
US 8.8.8.8:53 hbalfcbztj.info udp
US 8.8.8.8:53 wsggzj.net udp
US 8.8.8.8:53 awhwpsamnvpz.info udp
US 8.8.8.8:53 cgkiiocgyg.com udp
US 8.8.8.8:53 ptlljz.net udp
US 8.8.8.8:53 nrwqjv.info udp
US 8.8.8.8:53 jbgbtk.net udp
US 8.8.8.8:53 zwxewzlyrqh.com udp
US 8.8.8.8:53 yjpnygixyx.net udp
US 8.8.8.8:53 wrrpqs.net udp
US 8.8.8.8:53 csweecoy.com udp
US 8.8.8.8:53 eyewqw.org udp
US 8.8.8.8:53 buoijljy.info udp
US 8.8.8.8:53 bttqrqrpxsjv.info udp
US 8.8.8.8:53 gawoakwkse.org udp
US 8.8.8.8:53 zylyqstmdoh.org udp
US 8.8.8.8:53 vbyygg.net udp
US 8.8.8.8:53 tfldcopk.net udp
US 8.8.8.8:53 bllxuuzlwmpw.net udp
US 8.8.8.8:53 oasyowq.net udp
US 8.8.8.8:53 syqcoscyie.com udp
US 8.8.8.8:53 cnmsixhe.net udp
US 8.8.8.8:53 copersdev.net udp
US 8.8.8.8:53 mkfjzhfsclp.info udp
US 8.8.8.8:53 uvlvqxyijddu.net udp
US 8.8.8.8:53 hvdqrg.net udp
US 8.8.8.8:53 twvihv.info udp
US 8.8.8.8:53 oekzey.info udp
US 8.8.8.8:53 fizelqj.info udp
US 8.8.8.8:53 xmlficz.net udp
US 8.8.8.8:53 wdxhaicsckn.info udp
US 8.8.8.8:53 ngcdfpzmnie.net udp
US 8.8.8.8:53 yccyweaieusi.com udp
US 8.8.8.8:53 xrbklm.info udp
US 8.8.8.8:53 gghgwif.net udp
US 8.8.8.8:53 acqsuqyuea.org udp
US 8.8.8.8:53 suicwlhzdsrh.net udp
US 8.8.8.8:53 nujjjhwmtcyu.info udp
US 8.8.8.8:53 yuuicqaiuooe.com udp
US 8.8.8.8:53 noxoxkzyxix.org udp
US 8.8.8.8:53 vupsvur.com udp
US 8.8.8.8:53 fgaupidmn.com udp
US 8.8.8.8:53 ogfaawv.info udp
US 8.8.8.8:53 lzxkgytnsr.info udp
US 8.8.8.8:53 grbcxjxsd.info udp
US 8.8.8.8:53 hlodfvrr.net udp
US 8.8.8.8:53 tbvalm.net udp
US 8.8.8.8:53 qciuegymia.com udp
US 8.8.8.8:53 whpwlocrrf.info udp
US 8.8.8.8:53 iopqhuvdvz.info udp
US 8.8.8.8:53 osfirsowmqo.info udp
US 8.8.8.8:53 ladegcamm.info udp
US 8.8.8.8:53 kuuwymkesk.org udp
US 8.8.8.8:53 aomkcqaa.com udp
US 8.8.8.8:53 uqarhw.info udp
US 8.8.8.8:53 pvqlykfq.net udp
US 8.8.8.8:53 ocawoi.org udp
US 8.8.8.8:53 bohvpfjikicg.net udp
US 8.8.8.8:53 coikwigoik.org udp
US 8.8.8.8:53 zrjkew.net udp
US 8.8.8.8:53 jvcuyszjq.com udp
US 8.8.8.8:53 uiwqgqemgqqe.org udp
US 8.8.8.8:53 vmihlahazqo.net udp
US 8.8.8.8:53 yqqsvlevnitf.net udp
US 8.8.8.8:53 jamglof.com udp
US 8.8.8.8:53 tuxlaksiopzg.info udp
US 8.8.8.8:53 cofqgl.info udp
US 8.8.8.8:53 uaaebedn.info udp
US 8.8.8.8:53 rwrmer.info udp
US 8.8.8.8:53 cpvkihx.net udp
US 8.8.8.8:53 dohmvklorih.org udp
US 8.8.8.8:53 sxxizutlvant.net udp
US 8.8.8.8:53 nsfkeafrtjn.info udp
US 8.8.8.8:53 rfizwynqkt.info udp
US 8.8.8.8:53 mentnwt.info udp
BG 93.183.185.234:24353 tcp
US 8.8.8.8:53 yocciq.com udp
US 8.8.8.8:53 jtpdhst.org udp
US 162.249.65.164:80 jtpdhst.org tcp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe

MD5 915dd43f473ac655dd4e7ebe75cc2d68
SHA1 037c49c1ce90c9db0895985286b9edc59f60646c
SHA256 129e8fbc49b267ee3f1190b4f02fde33949363986ff50f7efa403c40daf16645
SHA512 51196244ac9ec5715d71447b8137ae1b9e921382aa5fa39d30a2d8dc81fc68ea5442731a25f8014d94daf774db9c9397836b67ff6225336a2fa144c653045260

C:\Windows\SysWOW64\kjtkfdrhaqbxbxzsch.exe

MD5 131ff135d3cbadbe59f927d662f8dcdc
SHA1 30e8e955a61cf6f197f1e58ae9e769ffc82279c6
SHA256 fbd2e2e9a43788994e7bd9f0f34240668a79c841a8c919ee79b8fcc9fda93dad
SHA512 c504a3a66012c9a12cfd86246456e191e81ca912f6f5b80ceb8b8d7e41df19904880869a0a7d1da73cfa71ba96d8088a885d10c184efa5a24248d87015066448

C:\Users\Admin\AppData\Local\Temp\vjioylo.exe

MD5 5c1a5a0dc1b7b29dd20ce0851af0a820
SHA1 dd2ef956742ceae35711c84973c1d3b7b2f927df
SHA256 d0b3f62b886e7475ded0b874d81f5ba25595ad88756f7317762020714df36963
SHA512 38e63837c053a7947b28d8e58e7ca6846fba61676197bfeb13a9fbb4f7da2226d9a89294fc916122359e948d6efdf3bc418e579c141bcac2ea74eee9fd295e2e

C:\Users\Admin\AppData\Local\hrmoudcdhielahuytjjtoqwfe.jkg

MD5 5d6ce8eb3ff4aca2a289ca9784d6c3c6
SHA1 f916e61b84a7e50b7b56eeb66aa28971007d3191
SHA256 eb31a484172b19ee36b7d44999bf0601da5d25125be7443c7ea010b188d3ffba
SHA512 07fd5edecb25b175fff5d9a813e5d4fb80d4b6c165f8ec5eaf36247dc30c5c95a54b9663c47aa0042f87f6cea98ef0fd85ddc5f24d1c04c9e7c94dca81748ff2

C:\Users\Admin\AppData\Local\mhnarlvhwiphhzxmstezfsjdnzoahzzrpekl.rxk

MD5 2461db9bea8f88ef430ec74fb4cf7f41
SHA1 5eb8ada2591152a82631e47d90d01002d869ca3c
SHA256 b0ee3ec168fd1952c7bca2894b87f7a732fa2fadbe9fdd40fcc857829234eb21
SHA512 3be4c2f3bfc8c25f20bebf5951cda939695106e2f5491584a45e06503f8dc2d2401d6bb5ad21debefed4f50cfe21dbdb745eab53462712266ca991c967e56612

C:\Program Files (x86)\hrmoudcdhielahuytjjtoqwfe.jkg

MD5 74a20c46b346f1c4548fa06a8a8b5f38
SHA1 5b0a674a7072d18e6cefb5f4c6bc34487509e560
SHA256 91291fc31bdb3ef362cadb5ebf1c8bd8fb44bd95b2a86de21e27156d2fbf5742
SHA512 ad45c60195d7697c4aae12e75b066d0421fb30dda161c6820bdff4b0e24e79ac7af4532aba3fc350229ee55fda00fd896b13b2278845ded6df7dbd0bddd47b5a

C:\Program Files (x86)\hrmoudcdhielahuytjjtoqwfe.jkg

MD5 8081c05b7cc4ffb8ec3806b806b3d2a6
SHA1 3c316273bc6641f020ad60f394c4379228dbd31b
SHA256 8701d0d07fe10c37f379eaf019280f4b0e35255cf3071a935866d7921c8041f8
SHA512 70bbafc7a76e2fcb8c401f43b9376d4b48e50f19cb54c9bfe914a40a1e50ec93ba7f067f401ae95b27b5bf33aab34ad7218941a1c459c8dadd618c6e30f22dc7

C:\Users\Admin\AppData\Local\hrmoudcdhielahuytjjtoqwfe.jkg

MD5 9c47e3d80e531d3e277355ac9d68cd9b
SHA1 6b585e60c792f3320649e1fb827196343b7cf53e
SHA256 286c36d873f9f9e18efcc37bf0177176aa560bc4ed3c079e3ac78166d711daa9
SHA512 f505ec195736b040d242cef9ac6bca20ee179a2dc4a07d5d817d8d08adfae273871e0cbbaf23dcbf5b7f28e5d988f8dbcb1971b24c1d4a6dff536815d5677343

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 19:17

Reported

2024-06-26 19:20

Platform

win7-20240611-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aypkdbrrndknasuasjomd.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "aypkdbrrndknasuasjomd.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "xqcsgzkfwhjhpcza.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "yujctpdbvjopaqqukzc.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\niwoezmjcpttdsrujx.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eylcrlxtlxaziwuwk.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "yujctpdbvjopaqqukzc.exe" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yujctpdbvjopaqqukzc.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eylcrlxtlxaziwuwk.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eylcrlxtlxaziwuwk.exe" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "liyskhwvqflnzqrwndhe.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liyskhwvqflnzqrwndhe.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liyskhwvqflnzqrwndhe.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "niwoezmjcpttdsrujx.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\niwoezmjcpttdsrujx.exe" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "liyskhwvqflnzqrwndhe.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aypkdbrrndknasuasjomd.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yujctpdbvjopaqqukzc.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqcsgzkfwhjhpcza.exe" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "niwoezmjcpttdsrujx.exe" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "niwoezmjcpttdsrujx.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "yujctpdbvjopaqqukzc.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\niwoezmjcpttdsrujx.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "aypkdbrrndknasuasjomd.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "eylcrlxtlxaziwuwk.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqcsgzkfwhjhpcza.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "eylcrlxtlxaziwuwk.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "eylcrlxtlxaziwuwk.exe" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eylcrlxtlxaziwuwk = "niwoezmjcpttdsrujx.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aypkdbrrndknasuasjomd.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yujctpdbvjopaqqukzc.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "yujctpdbvjopaqqukzc.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqcsgzkfwhjhpcza.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\xqcsgzkfwhjhpcza = "eylcrlxtlxaziwuwk.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\niwoezmjcpttdsrujx.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "eylcrlxtlxaziwuwk.exe ." C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "xqcsgzkfwhjhpcza.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eylcrlxtlxaziwuwk = "niwoezmjcpttdsrujx.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\xqcsgzkfwhjhpcza = "niwoezmjcpttdsrujx.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yujctpdbvjopaqqukzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqcsgzkfwhjhpcza.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "yujctpdbvjopaqqukzc.exe" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eylcrlxtlxaziwuwk = "yujctpdbvjopaqqukzc.exe ." C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liyskhwvqflnzqrwndhe.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yujctpdbvjopaqqukzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eylcrlxtlxaziwuwk.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eylcrlxtlxaziwuwk = "yujctpdbvjopaqqukzc.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niwoezmjcpttdsrujx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eylcrlxtlxaziwuwk.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eylcrlxtlxaziwuwk.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yujctpdbvjopaqqukzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aypkdbrrndknasuasjomd.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eylcrlxtlxaziwuwk.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "liyskhwvqflnzqrwndhe.exe ." C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niwoezmjcpttdsrujx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liyskhwvqflnzqrwndhe.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "yujctpdbvjopaqqukzc.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aypkdbrrndknasuasjomd.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niwoezmjcpttdsrujx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liyskhwvqflnzqrwndhe.exe ." C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\niwoezmjcpttdsrujx.exe" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niwoezmjcpttdsrujx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\niwoezmjcpttdsrujx.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqcsgzkfwhjhpcza.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niwoezmjcpttdsrujx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\niwoezmjcpttdsrujx.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yujctpdbvjopaqqukzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aypkdbrrndknasuasjomd.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eylcrlxtlxaziwuwk = "liyskhwvqflnzqrwndhe.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yujctpdbvjopaqqukzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yujctpdbvjopaqqukzc.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "aypkdbrrndknasuasjomd.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\xqcsgzkfwhjhpcza = "yujctpdbvjopaqqukzc.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yujctpdbvjopaqqukzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqcsgzkfwhjhpcza.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yujctpdbvjopaqqukzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liyskhwvqflnzqrwndhe.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\xqcsgzkfwhjhpcza = "xqcsgzkfwhjhpcza.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\xqcsgzkfwhjhpcza = "niwoezmjcpttdsrujx.exe" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yujctpdbvjopaqqukzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yujctpdbvjopaqqukzc.exe" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "niwoezmjcpttdsrujx.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "niwoezmjcpttdsrujx.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niwoezmjcpttdsrujx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqcsgzkfwhjhpcza.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aypkdbrrndknasuasjomd.exe" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "xqcsgzkfwhjhpcza.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "eylcrlxtlxaziwuwk.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "liyskhwvqflnzqrwndhe.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yujctpdbvjopaqqukzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eylcrlxtlxaziwuwk.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yujctpdbvjopaqqukzc.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "aypkdbrrndknasuasjomd.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "yujctpdbvjopaqqukzc.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eylcrlxtlxaziwuwk.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eylcrlxtlxaziwuwk = "yujctpdbvjopaqqukzc.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niwoezmjcpttdsrujx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\niwoezmjcpttdsrujx.exe ." C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niwoezmjcpttdsrujx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liyskhwvqflnzqrwndhe.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "xqcsgzkfwhjhpcza.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "eylcrlxtlxaziwuwk.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eylcrlxtlxaziwuwk = "eylcrlxtlxaziwuwk.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "niwoezmjcpttdsrujx.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\xqcsgzkfwhjhpcza = "liyskhwvqflnzqrwndhe.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yujctpdbvjopaqqukzc.exe ." C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eylcrlxtlxaziwuwk = "xqcsgzkfwhjhpcza.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niwoezmjcpttdsrujx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aypkdbrrndknasuasjomd.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "liyskhwvqflnzqrwndhe.exe" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
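
The table above is hard to read as a whole: the same handful of value names (oenalbjbpxwrw, yujctpdbvjopaqqukzc, xqcsgzkfwhjhpcza, niwoezmjcpttdsrujx, pgqeqhqjyhhdju, eylcrlxtlxaziwuwk) are rewritten over and over with different images, in both the user hive and the 32-bit (Wow6432Node) machine hive, sometimes with a full path and sometimes with a bare file name, and the RunOnce variants carry a trailing " ." argument. The following parser is an added example written for this page, not output of the sandbox or code from the sample; it takes rows in the exact format printed above, splits them into hive, key, value name, image, argument and writing process, and summarises the rotation. The six sample rows are copied verbatim from the table; the field names and the summary shape are this example's own choices.

```python
import re
from collections import Counter

# Sample rows copied verbatim from the Run/RunOnce table above. The sandbox
# JSON-escapes backslashes inside the value data, so they appear doubled.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aypkdbrrndknasuasjomd.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niwoezmjcpttdsrujx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liyskhwvqflnzqrwndhe.exe ." C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eylcrlxtlxaziwuwk = "liyskhwvqflnzqrwndhe.exe ." C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "aypkdbrrndknasuasjomd.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\xqcsgzkfwhjhpcza = "yujctpdbvjopaqqukzc.exe" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yujctpdbvjopaqqukzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yujctpdbvjopaqqukzc.exe" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
""".strip().splitlines()

# One sandbox row: description, registry path, quoted value data, writer, target.
ROW_RE = re.compile(
    r'^Set value \(str\) (?P<path>\\REGISTRY\\\S+) = "(?P<data>[^"]*)" (?P<proc>\S+) N/A$'
)


def parse_autorun_row(row):
    """Split one 'Set value (str)' row into hive, key, value name, image and writer.

    Returns None for rows that are not Run/RunOnce writes.
    """
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    key, value_name = m.group("path").rsplit("\\", 1)
    key_tail = key.rsplit("\\", 1)[-1]
    if key_tail not in ("Run", "RunOnce"):
        return None
    hive = "HKLM" if key.startswith("\\REGISTRY\\MACHINE") else "HKU"
    # Undo the JSON escaping of backslashes inside the value data.
    data = m.group("data").replace("\\\\", "\\")
    # Every RunOnce entry in this report carries a trailing " ." argument.
    if data.endswith(" ."):
        image, args = data[:-2], "."
    else:
        image, args = data, ""
    return {
        "hive": hive,
        "key": key_tail,
        "wow64": "\\Wow6432Node\\" in key,
        "value_name": value_name,
        "image": image,
        "basename": image.rsplit("\\", 1)[-1],
        "absolute_path": ":" in image,  # bare basenames rely on path search
        "args": args,
        "writer": m.group("proc").rsplit("\\", 1)[-1],
    }


def summarize(rows):
    """Group parsed rows to expose the rotation of value names and image names."""
    parsed = [r for r in (parse_autorun_row(x) for x in rows) if r]
    return {
        "entries": len(parsed),
        "value_names": sorted({r["value_name"] for r in parsed}),
        "images": sorted({r["basename"] for r in parsed}),
        "bare_basename_entries": sum(not r["absolute_path"] for r in parsed),
        "writers": sorted({r["writer"] for r in parsed}),
        "by_location": Counter(r["hive"] + "\\" + r["key"] for r in parsed),
    }


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(parse_autorun_row(row))
    print(summarize(SAMPLE_ROWS))
```

Two things the summary makes visible that the raw table does not. First, the writers are the two dropped stages (atwewsahkdg.exe and yilsxhj.exe), never the original submission, so a detection keyed on the submitted file name alone misses the persistence writes. Second, half of the entries store a bare file name with no directory. At logon the shell resolves such a name through the normal search path; C:\Windows is on the default PATH, and the "Drops file in Windows directory" and "Drops file in System32 directory" tables below show copies of exactly these basenames placed in C:\Windows and C:\Windows\SysWOW64 (the latter is what a 32-bit process, which the Wow6432Node keys indicate this is, sees as System32 through file-system redirection). That reading is an inference from the tables on this page, not something the sandbox states.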

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\liyskhwvqflnzqrwndhe.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\SysWOW64\rqieyxopmdlpdwzgzrxwok.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File created C:\Windows\SysWOW64\beaaybwbcxjrjgnyvrbeaa.bwb C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File created C:\Windows\SysWOW64\sgnyhvbrdjgzckcygniwdoxlrhtzwpsas.wdy C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\SysWOW64\yujctpdbvjopaqqukzc.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\SysWOW64\niwoezmjcpttdsrujx.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\SysWOW64\yujctpdbvjopaqqukzc.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\SysWOW64\aypkdbrrndknasuasjomd.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\SysWOW64\niwoezmjcpttdsrujx.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\SysWOW64\rqieyxopmdlpdwzgzrxwok.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\SysWOW64\yujctpdbvjopaqqukzc.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\SysWOW64\beaaybwbcxjrjgnyvrbeaa.bwb C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\SysWOW64\yujctpdbvjopaqqukzc.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\SysWOW64\liyskhwvqflnzqrwndhe.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\SysWOW64\aypkdbrrndknasuasjomd.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\SysWOW64\niwoezmjcpttdsrujx.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\SysWOW64\aypkdbrrndknasuasjomd.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\SysWOW64\rqieyxopmdlpdwzgzrxwok.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\SysWOW64\eylcrlxtlxaziwuwk.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\SysWOW64\liyskhwvqflnzqrwndhe.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\SysWOW64\eylcrlxtlxaziwuwk.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\SysWOW64\liyskhwvqflnzqrwndhe.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\SysWOW64\niwoezmjcpttdsrujx.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\SysWOW64\sgnyhvbrdjgzckcygniwdoxlrhtzwpsas.wdy C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\SysWOW64\xqcsgzkfwhjhpcza.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\SysWOW64\rqieyxopmdlpdwzgzrxwok.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\SysWOW64\xqcsgzkfwhjhpcza.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\SysWOW64\eylcrlxtlxaziwuwk.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\SysWOW64\xqcsgzkfwhjhpcza.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\SysWOW64\aypkdbrrndknasuasjomd.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\SysWOW64\xqcsgzkfwhjhpcza.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\SysWOW64\eylcrlxtlxaziwuwk.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\sgnyhvbrdjgzckcygniwdoxlrhtzwpsas.wdy C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Program Files (x86)\beaaybwbcxjrjgnyvrbeaa.bwb C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File created C:\Program Files (x86)\beaaybwbcxjrjgnyvrbeaa.bwb C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Program Files (x86)\sgnyhvbrdjgzckcygniwdoxlrhtzwpsas.wdy C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\yujctpdbvjopaqqukzc.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\liyskhwvqflnzqrwndhe.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\xqcsgzkfwhjhpcza.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\niwoezmjcpttdsrujx.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\niwoezmjcpttdsrujx.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\niwoezmjcpttdsrujx.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\aypkdbrrndknasuasjomd.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\yujctpdbvjopaqqukzc.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\aypkdbrrndknasuasjomd.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\rqieyxopmdlpdwzgzrxwok.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\beaaybwbcxjrjgnyvrbeaa.bwb C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\eylcrlxtlxaziwuwk.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\liyskhwvqflnzqrwndhe.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File created C:\Windows\beaaybwbcxjrjgnyvrbeaa.bwb C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\aypkdbrrndknasuasjomd.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\rqieyxopmdlpdwzgzrxwok.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\liyskhwvqflnzqrwndhe.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\sgnyhvbrdjgzckcygniwdoxlrhtzwpsas.wdy C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\xqcsgzkfwhjhpcza.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\eylcrlxtlxaziwuwk.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\niwoezmjcpttdsrujx.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\xqcsgzkfwhjhpcza.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\eylcrlxtlxaziwuwk.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\yujctpdbvjopaqqukzc.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\liyskhwvqflnzqrwndhe.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\aypkdbrrndknasuasjomd.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\rqieyxopmdlpdwzgzrxwok.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\rqieyxopmdlpdwzgzrxwok.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\xqcsgzkfwhjhpcza.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\eylcrlxtlxaziwuwk.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File created C:\Windows\sgnyhvbrdjgzckcygniwdoxlrhtzwpsas.wdy C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
File opened for modification C:\Windows\yujctpdbvjopaqqukzc.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2984 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe
PID 2984 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe
PID 2984 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe
PID 2984 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe
PID 2004 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe
PID 2004 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe
PID 2004 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe
PID 2004 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe
PID 2004 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe
PID 2004 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe
PID 2004 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe
PID 2004 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe
PID 2984 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe
PID 2984 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe
PID 2984 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe
PID 2984 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe
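
The WriteProcessMemory rows are the only place in this report where PIDs appear, so they are also the only way to tie the five entries in the Processes section below to a parent-child structure. The script here is an added example written for this page, not sandbox output: it counts cross-process writes per (source, destination) pair, derives the lineage from them, and renders it as an indented tree. The sample keeps one or two of the four identical rows the table shows for each pair, so the per-edge counts below are smaller than in the full table; the tree shape is the same. Note that a write into a freshly created child is also what a benign CreateProcess-and-patch flow looks like, so these rows establish lineage and injection *opportunity*, not a specific injection technique.

```python
import re
from collections import Counter, defaultdict

# Rows copied verbatim from the "Suspicious use of WriteProcessMemory" table above
# (a subset: the table repeats each PID pair four times).
SAMPLE_ROWS = r"""
PID 2984 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe
PID 2984 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe
PID 2004 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe
PID 2004 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe
PID 2984 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe
""".strip().splitlines()

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_rows(rows):
    """Return (edges, names): write count per (src_pid, dst_pid) and PID -> image basename."""
    edges, names = Counter(), {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        src, dst = int(m.group("src")), int(m.group("dst"))
        edges[(src, dst)] += 1
        names[src] = m.group("src_img").rpartition("\\")[2]
        names[dst] = m.group("dst_img").rpartition("\\")[2]
    return edges, names


def build_tree(edges):
    """Roots are PIDs that write into others but are never written into themselves."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    written_into = {dst for _, dst in edges}
    roots = sorted({src for src, _ in edges} - written_into)
    return roots, children


def render(rows):
    """Text rendering of the cross-process write graph, one line per PID."""
    edges, names = parse_rows(rows)
    roots, children = build_tree(edges)
    lines = []

    def walk(pid, depth, writes):
        tag = f" [{writes} write(s) from parent]" if writes else ""
        lines.append(f'{"  " * depth}{names[pid]} (PID {pid}){tag}')
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots:
        walk(root, 0, 0)
    return lines


def image_counts(rows):
    """Distinct PIDs per image; should agree with the Processes section of the report."""
    _, names = parse_rows(rows)
    return Counter(names.values())


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_ROWS)))
    print(image_counts(SAMPLE_ROWS))
```

The rendered tree has the submitted file (PID 2984) spawning two instances of atwewsahkdg.exe (2004 and 2884), and the first of those spawning two instances of yilsxhj.exe (2560 and 1200). image_counts gives one, two and two for the three images, which matches the five command lines listed under Processes below.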

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe

"C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe" "c:\users\admin\appdata\local\temp\131ff135d3cbadbe59f927d662f8dcdc_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe

"C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe" "-C:\Users\Admin\AppData\Local\Temp\xqcsgzkfwhjhpcza.exe"

C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe

"C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe" "-C:\Users\Admin\AppData\Local\Temp\xqcsgzkfwhjhpcza.exe"

C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe

"C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe" "c:\users\admin\appdata\local\temp\131ff135d3cbadbe59f927d662f8dcdc_jaffacakes118.exe"

Network

Country Destination Domain Proto

Files

\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe

C:\Windows\SysWOW64\niwoezmjcpttdsrujx.exe

\Users\Admin\AppData\Local\Temp\yilsxhj.exe

C:\Users\Admin\AppData\Local\beaaybwbcxjrjgnyvrbeaa.bwb

C:\Users\Admin\AppData\Local\sgnyhvbrdjgzckcygniwdoxlrhtzwpsas.wdy

C:\Program Files (x86)\beaaybwbcxjrjgnyvrbeaa.bwb

C:\Program Files (x86)\beaaybwbcxjrjgnyvrbeaa.bwb

C:\sgnyhvbrdjg.bat

C:\Users\Admin\AppData\Local\beaaybwbcxjrjgnyvrbeaa.bwb

C:\Program Files (x86)\beaaybwbcxjrjgnyvrbeaa.bwb

C:\Users\Admin\AppData\Local\beaaybwbcxjrjgnyvrbeaa.bwb

C:\Program Files (x86)\beaaybwbcxjrjgnyvrbeaa.bwb
