Analysis
-
max time kernel
92s -
max time network
93s -
platform
windows7_x64 -
resource
win7-20250207-en -
resource tags
arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system -
submitted
27/03/2025, 19:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
Resource
win7-20250207-en
windows7-x64
30 signatures
150 seconds
Behavioral task
behavioral2
Sample
JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
Resource
win10v2004-20250313-en
windows10-2004-x64
24 signatures
150 seconds
General
-
Target
JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe
-
Size
600KB
-
MD5
8a01bcb09b024896cdaf5a880dd8a094
-
SHA1
fa6c9c41d673cc567b909c304380b166538f964b
-
SHA256
1245110ba2ca69fa0e47a45237891925276be818ea7e0bb1a1ed92f4a610b004
-
SHA512
6656722e386ec828b9b135110882da1fd2a513fd2df5fda04e28a41d6aa165dc189f71e43783a679ad86b4d42bc4631a0cf0602ad5ede30bff0f8fabe6e89d9c
-
SSDEEP
12288:s6onxOp8FySpE5zvIdtU+YmefaRfMMMMM2MMMMM:Qwp8DozAdO9aRfMMMMM2MMMMM
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 9 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wlsotepmgvc.exe -
Pykspa family
-
UAC bypass 3 TTPs 18 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wlsotepmgvc.exe -
Detect Pykspa worm 2 IoCs
resource yara_rule behavioral1/files/0x00060000000120e8-2.dat family_pykspa behavioral1/files/0x000500000001942d-61.dat family_pykspa -
Adds policy Run key to start application 2 TTPs 40 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mgmitkqnujdvfe = "vufgwsdfrlkhwangzez.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mgmitkqnujdvfe = "uqywjckjsjfzlmwm.exe" xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mgmitkqnujdvfe = "xylogervjfgfwcrmholmz.exe" xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mgmitkqnujdvfe = "iiuwnkwzmhhfvaoiciee.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mgmitkqnujdvfe = "byhguoxxhzwregriz.exe" xifsu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mgmitkqnujdvfe = "xylogervjfgfwcrmholmz.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pgjckybvzlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kisshcmnyrplzcogyc.exe" xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pgjckybvzlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kisshcmnyrplzcogyc.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pgjckybvzlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqywjckjsjfzlmwm.exe" xifsu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pgjckybvzlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kisshcmnyrplzcogyc.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pgjckybvzlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iiuwnkwzmhhfvaoiciee.exe" xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pgjckybvzlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kisshcmnyrplzcogyc.exe" xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mgmitkqnujdvfe = "kisshcmnyrplzcogyc.exe" xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pgjckybvzlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xylogervjfgfwcrmholmz.exe" xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pgjckybvzlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqywjckjsjfzlmwm.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pgjckybvzlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqywjckjsjfzlmwm.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mgmitkqnujdvfe = "iiuwnkwzmhhfvaoiciee.exe" xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mgmitkqnujdvfe = "byhguoxxhzwregriz.exe" xifsu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wlsotepmgvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mgmitkqnujdvfe = "xylogervjfgfwcrmholmz.exe" wlsotepmgvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pgjckybvzlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vufgwsdfrlkhwangzez.exe" xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pgjckybvzlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kisshcmnyrplzcogyc.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mgmitkqnujdvfe = "uqywjckjsjfzlmwm.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mgmitkqnujdvfe = "uqywjckjsjfzlmwm.exe" xifsu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pgjckybvzlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kisshcmnyrplzcogyc.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mgmitkqnujdvfe = "kisshcmnyrplzcogyc.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pgjckybvzlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iiuwnkwzmhhfvaoiciee.exe" wlsotepmgvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run xifsu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mgmitkqnujdvfe = "iiuwnkwzmhhfvaoiciee.exe" xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pgjckybvzlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\byhguoxxhzwregriz.exe" xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mgmitkqnujdvfe = "uqywjckjsjfzlmwm.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pgjckybvzlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iiuwnkwzmhhfvaoiciee.exe" xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pgjckybvzlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\byhguoxxhzwregriz.exe" xifsu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wlsotepmgvc.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" wlsotepmgvc.exe Set value (int) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" xifsu.exe Set value (int) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" xifsu.exe -
Executes dropped EXE 27 IoCs
pid Process 2288 wlsotepmgvc.exe 2680 xifsu.exe 2844 xifsu.exe 2052 iiuwnkwzmhhfvaoiciee.exe 2060 byhguoxxhzwregriz.exe 744 wlsotepmgvc.exe 1860 wlsotepmgvc.exe 1796 kisshcmnyrplzcogyc.exe 2348 byhguoxxhzwregriz.exe 1456 wlsotepmgvc.exe 2480 wlsotepmgvc.exe 2576 vufgwsdfrlkhwangzez.exe 2612 iiuwnkwzmhhfvaoiciee.exe 2364 wlsotepmgvc.exe 2976 wlsotepmgvc.exe 2988 vufgwsdfrlkhwangzez.exe 764 byhguoxxhzwregriz.exe 1964 wlsotepmgvc.exe 1788 wlsotepmgvc.exe 1560 iiuwnkwzmhhfvaoiciee.exe 2968 vufgwsdfrlkhwangzez.exe 2304 wlsotepmgvc.exe 2744 wlsotepmgvc.exe 1644 byhguoxxhzwregriz.exe 2496 uqywjckjsjfzlmwm.exe 1084 wlsotepmgvc.exe 1588 wlsotepmgvc.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend xifsu.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc xifsu.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power xifsu.exe -
Loads dropped DLL 30 IoCs
pid Process 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2288 wlsotepmgvc.exe 2288 wlsotepmgvc.exe 2288 wlsotepmgvc.exe 2288 wlsotepmgvc.exe 2052 iiuwnkwzmhhfvaoiciee.exe 2052 iiuwnkwzmhhfvaoiciee.exe 2060 byhguoxxhzwregriz.exe 2060 byhguoxxhzwregriz.exe 1796 kisshcmnyrplzcogyc.exe 1796 kisshcmnyrplzcogyc.exe 2348 byhguoxxhzwregriz.exe 2348 byhguoxxhzwregriz.exe 2576 vufgwsdfrlkhwangzez.exe 2576 vufgwsdfrlkhwangzez.exe 2612 iiuwnkwzmhhfvaoiciee.exe 2612 iiuwnkwzmhhfvaoiciee.exe 2988 vufgwsdfrlkhwangzez.exe 2988 vufgwsdfrlkhwangzez.exe 764 byhguoxxhzwregriz.exe 764 byhguoxxhzwregriz.exe 1560 iiuwnkwzmhhfvaoiciee.exe 1560 iiuwnkwzmhhfvaoiciee.exe 2968 vufgwsdfrlkhwangzez.exe 2968 vufgwsdfrlkhwangzez.exe 1644 byhguoxxhzwregriz.exe 1644 byhguoxxhzwregriz.exe 2496 uqywjckjsjfzlmwm.exe 2496 uqywjckjsjfzlmwm.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\pkroaszxfvqjuud = "uqywjckjsjfzlmwm.exe" xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lejeoejflzsjs = "iiuwnkwzmhhfvaoiciee.exe ." xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\meiclaezerjz = "kisshcmnyrplzcogyc.exe" xifsu.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\meiclaezerjz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kisshcmnyrplzcogyc.exe" xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kisshcmnyrplzcogyc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vufgwsdfrlkhwangzez.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\meiclaezerjz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\byhguoxxhzwregriz.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\uqywjckjsjfzlmwm = "kisshcmnyrplzcogyc.exe ." wlsotepmgvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\pkroaszxfvqjuud = "vufgwsdfrlkhwangzez.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\pkroaszxfvqjuud = "vufgwsdfrlkhwangzez.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lejeoejflzsjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\byhguoxxhzwregriz.exe ." xifsu.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\pkroaszxfvqjuud = "xylogervjfgfwcrmholmz.exe" xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lejeoejflzsjs = "vufgwsdfrlkhwangzez.exe ." wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\byhguoxxhzwregriz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iiuwnkwzmhhfvaoiciee.exe ." xifsu.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\pkroaszxfvqjuud = "vufgwsdfrlkhwangzez.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kisshcmnyrplzcogyc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqywjckjsjfzlmwm.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\meiclaezerjz = "uqywjckjsjfzlmwm.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lejeoejflzsjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kisshcmnyrplzcogyc.exe ." wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kisshcmnyrplzcogyc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iiuwnkwzmhhfvaoiciee.exe" xifsu.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lejeoejflzsjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iiuwnkwzmhhfvaoiciee.exe ." wlsotepmgvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lejeoejflzsjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iiuwnkwzmhhfvaoiciee.exe ." xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\byhguoxxhzwregriz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqywjckjsjfzlmwm.exe ." wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kisshcmnyrplzcogyc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\byhguoxxhzwregriz.exe" xifsu.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\pkroaszxfvqjuud = "byhguoxxhzwregriz.exe" xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\meiclaezerjz = "xylogervjfgfwcrmholmz.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\pkroaszxfvqjuud = "vufgwsdfrlkhwangzez.exe" xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\byhguoxxhzwregriz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iiuwnkwzmhhfvaoiciee.exe ." wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lejeoejflzsjs = "uqywjckjsjfzlmwm.exe ." xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kisshcmnyrplzcogyc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kisshcmnyrplzcogyc.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\uqywjckjsjfzlmwm = "kisshcmnyrplzcogyc.exe ." xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\meiclaezerjz = "uqywjckjsjfzlmwm.exe" xifsu.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\meiclaezerjz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqywjckjsjfzlmwm.exe" xifsu.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\uqywjckjsjfzlmwm = "iiuwnkwzmhhfvaoiciee.exe ." xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\meiclaezerjz = "kisshcmnyrplzcogyc.exe" xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\meiclaezerjz = "xylogervjfgfwcrmholmz.exe" xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kisshcmnyrplzcogyc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iiuwnkwzmhhfvaoiciee.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\uqywjckjsjfzlmwm = "vufgwsdfrlkhwangzez.exe ." xifsu.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lejeoejflzsjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\byhguoxxhzwregriz.exe ." xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\byhguoxxhzwregriz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xylogervjfgfwcrmholmz.exe ." xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lejeoejflzsjs = "byhguoxxhzwregriz.exe ." wlsotepmgvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\uqywjckjsjfzlmwm = "uqywjckjsjfzlmwm.exe ." wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\byhguoxxhzwregriz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\byhguoxxhzwregriz.exe ." wlsotepmgvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lejeoejflzsjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xylogervjfgfwcrmholmz.exe ." xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lejeoejflzsjs = "uqywjckjsjfzlmwm.exe ." wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\byhguoxxhzwregriz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kisshcmnyrplzcogyc.exe ." wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lejeoejflzsjs = "byhguoxxhzwregriz.exe ." wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\byhguoxxhzwregriz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\byhguoxxhzwregriz.exe ." xifsu.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\meiclaezerjz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iiuwnkwzmhhfvaoiciee.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\byhguoxxhzwregriz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kisshcmnyrplzcogyc.exe ." xifsu.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lejeoejflzsjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqywjckjsjfzlmwm.exe ." xifsu.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\uqywjckjsjfzlmwm = "vufgwsdfrlkhwangzez.exe ." xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\meiclaezerjz = "iiuwnkwzmhhfvaoiciee.exe" xifsu.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\uqywjckjsjfzlmwm = "kisshcmnyrplzcogyc.exe ." wlsotepmgvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lejeoejflzsjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xylogervjfgfwcrmholmz.exe ." wlsotepmgvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\meiclaezerjz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vufgwsdfrlkhwangzez.exe" xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lejeoejflzsjs = "vufgwsdfrlkhwangzez.exe ." xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\meiclaezerjz = "uqywjckjsjfzlmwm.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lejeoejflzsjs = "vufgwsdfrlkhwangzez.exe ." xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kisshcmnyrplzcogyc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqywjckjsjfzlmwm.exe" xifsu.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\meiclaezerjz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xylogervjfgfwcrmholmz.exe" xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\byhguoxxhzwregriz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kisshcmnyrplzcogyc.exe ." xifsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lejeoejflzsjs = "kisshcmnyrplzcogyc.exe ." xifsu.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\pkroaszxfvqjuud = "iiuwnkwzmhhfvaoiciee.exe" wlsotepmgvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lejeoejflzsjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kisshcmnyrplzcogyc.exe ." wlsotepmgvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\meiclaezerjz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\byhguoxxhzwregriz.exe" xifsu.exe -
Checks whether UAC is enabled 1 TTPs 18 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wlsotepmgvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wlsotepmgvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wlsotepmgvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wlsotepmgvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wlsotepmgvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wlsotepmgvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xifsu.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xifsu.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wlsotepmgvc.exe -
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possible Turn off User Account Control's privilege elevation for standard users.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" xifsu.exe -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 www.showmyipaddress.com 8 whatismyip.everdot.org 10 whatismyipaddress.com 15 www.whatismyip.ca -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf xifsu.exe File created C:\autorun.inf xifsu.exe File opened for modification F:\autorun.inf xifsu.exe File created F:\autorun.inf xifsu.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\zgzigkdnhjqvsezaboryray.vfz xifsu.exe File opened for modification C:\Windows\SysWOW64\iiuwnkwzmhhfvaoiciee.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\oqeibaotifhhzgwsowuwko.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\byhguoxxhzwregriz.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\vufgwsdfrlkhwangzez.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\byhguoxxhzwregriz.exe xifsu.exe File opened for modification C:\Windows\SysWOW64\kisshcmnyrplzcogyc.exe xifsu.exe File opened for modification C:\Windows\SysWOW64\byhguoxxhzwregriz.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\oqeibaotifhhzgwsowuwko.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\uqywjckjsjfzlmwm.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\byhguoxxhzwregriz.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\oqeibaotifhhzgwsowuwko.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\oqeibaotifhhzgwsowuwko.exe xifsu.exe File opened for modification C:\Windows\SysWOW64\byhguoxxhzwregriz.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\oqeibaotifhhzgwsowuwko.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\byhguoxxhzwregriz.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\oqeibaotifhhzgwsowuwko.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\xylogervjfgfwcrmholmz.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\uqywjckjsjfzlmwm.exe xifsu.exe File created C:\Windows\SysWOW64\meiclaezerjzhekwigumqktimhmzrhpmse.ocu xifsu.exe File opened for modification C:\Windows\SysWOW64\vufgwsdfrlkhwangzez.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\byhguoxxhzwregriz.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\oqeibaotifhhzgwsowuwko.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\vufgwsdfrlkhwangzez.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\meiclaezerjzhekwigumqktimhmzrhpmse.ocu xifsu.exe File opened for modification C:\Windows\SysWOW64\iiuwnkwzmhhfvaoiciee.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\uqywjckjsjfzlmwm.exe xifsu.exe File opened for modification C:\Windows\SysWOW64\kisshcmnyrplzcogyc.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\vufgwsdfrlkhwangzez.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\uqywjckjsjfzlmwm.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\xylogervjfgfwcrmholmz.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\byhguoxxhzwregriz.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\iiuwnkwzmhhfvaoiciee.exe xifsu.exe File opened for modification C:\Windows\SysWOW64\xylogervjfgfwcrmholmz.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\kisshcmnyrplzcogyc.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\uqywjckjsjfzlmwm.exe wlsotepmgvc.exe File created C:\Windows\SysWOW64\zgzigkdnhjqvsezaboryray.vfz xifsu.exe File opened for modification C:\Windows\SysWOW64\iiuwnkwzmhhfvaoiciee.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\xylogervjfgfwcrmholmz.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\kisshcmnyrplzcogyc.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\kisshcmnyrplzcogyc.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\uqywjckjsjfzlmwm.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\kisshcmnyrplzcogyc.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\iiuwnkwzmhhfvaoiciee.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\vufgwsdfrlkhwangzez.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\xylogervjfgfwcrmholmz.exe xifsu.exe File opened for modification C:\Windows\SysWOW64\uqywjckjsjfzlmwm.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\iiuwnkwzmhhfvaoiciee.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\xylogervjfgfwcrmholmz.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\vufgwsdfrlkhwangzez.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\xylogervjfgfwcrmholmz.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\oqeibaotifhhzgwsowuwko.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\vufgwsdfrlkhwangzez.exe xifsu.exe File opened for modification C:\Windows\SysWOW64\kisshcmnyrplzcogyc.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\xylogervjfgfwcrmholmz.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\byhguoxxhzwregriz.exe xifsu.exe File opened for modification C:\Windows\SysWOW64\vufgwsdfrlkhwangzez.exe xifsu.exe File opened for modification C:\Windows\SysWOW64\iiuwnkwzmhhfvaoiciee.exe xifsu.exe File opened for modification C:\Windows\SysWOW64\vufgwsdfrlkhwangzez.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\iiuwnkwzmhhfvaoiciee.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\oqeibaotifhhzgwsowuwko.exe xifsu.exe File opened for modification C:\Windows\SysWOW64\kisshcmnyrplzcogyc.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\iiuwnkwzmhhfvaoiciee.exe wlsotepmgvc.exe File opened for modification C:\Windows\SysWOW64\uqywjckjsjfzlmwm.exe wlsotepmgvc.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\zgzigkdnhjqvsezaboryray.vfz xifsu.exe File created C:\Program Files (x86)\zgzigkdnhjqvsezaboryray.vfz xifsu.exe File opened for modification C:\Program Files (x86)\meiclaezerjzhekwigumqktimhmzrhpmse.ocu xifsu.exe File created C:\Program Files (x86)\meiclaezerjzhekwigumqktimhmzrhpmse.ocu xifsu.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\xylogervjfgfwcrmholmz.exe wlsotepmgvc.exe File opened for modification C:\Windows\uqywjckjsjfzlmwm.exe xifsu.exe File opened for modification C:\Windows\vufgwsdfrlkhwangzez.exe xifsu.exe File opened for modification C:\Windows\iiuwnkwzmhhfvaoiciee.exe wlsotepmgvc.exe File opened for modification C:\Windows\xylogervjfgfwcrmholmz.exe wlsotepmgvc.exe File opened for modification C:\Windows\iiuwnkwzmhhfvaoiciee.exe wlsotepmgvc.exe File opened for modification C:\Windows\iiuwnkwzmhhfvaoiciee.exe wlsotepmgvc.exe File opened for modification C:\Windows\oqeibaotifhhzgwsowuwko.exe xifsu.exe File opened for modification C:\Windows\zgzigkdnhjqvsezaboryray.vfz xifsu.exe File opened for modification C:\Windows\iiuwnkwzmhhfvaoiciee.exe wlsotepmgvc.exe File opened for modification C:\Windows\kisshcmnyrplzcogyc.exe xifsu.exe File opened for modification C:\Windows\iiuwnkwzmhhfvaoiciee.exe xifsu.exe File opened for modification C:\Windows\kisshcmnyrplzcogyc.exe wlsotepmgvc.exe File opened for modification C:\Windows\xylogervjfgfwcrmholmz.exe wlsotepmgvc.exe File opened for modification C:\Windows\byhguoxxhzwregriz.exe wlsotepmgvc.exe File opened for modification C:\Windows\vufgwsdfrlkhwangzez.exe wlsotepmgvc.exe File opened for modification C:\Windows\oqeibaotifhhzgwsowuwko.exe wlsotepmgvc.exe File opened for modification C:\Windows\byhguoxxhzwregriz.exe xifsu.exe File opened for modification C:\Windows\uqywjckjsjfzlmwm.exe wlsotepmgvc.exe File opened for modification C:\Windows\xylogervjfgfwcrmholmz.exe xifsu.exe File opened for modification C:\Windows\byhguoxxhzwregriz.exe wlsotepmgvc.exe File opened for modification C:\Windows\kisshcmnyrplzcogyc.exe wlsotepmgvc.exe File opened for modification C:\Windows\kisshcmnyrplzcogyc.exe wlsotepmgvc.exe File opened for modification C:\Windows\vufgwsdfrlkhwangzez.exe xifsu.exe File opened for modification C:\Windows\byhguoxxhzwregriz.exe wlsotepmgvc.exe File opened for modification C:\Windows\uqywjckjsjfzlmwm.exe xifsu.exe File opened for modification C:\Windows\kisshcmnyrplzcogyc.exe xifsu.exe File opened for modification C:\Windows\xylogervjfgfwcrmholmz.exe wlsotepmgvc.exe File opened for modification C:\Windows\byhguoxxhzwregriz.exe wlsotepmgvc.exe File opened for modification C:\Windows\xylogervjfgfwcrmholmz.exe wlsotepmgvc.exe File opened for modification C:\Windows\vufgwsdfrlkhwangzez.exe wlsotepmgvc.exe File opened for modification C:\Windows\oqeibaotifhhzgwsowuwko.exe xifsu.exe File opened for modification C:\Windows\uqywjckjsjfzlmwm.exe wlsotepmgvc.exe File opened for modification C:\Windows\oqeibaotifhhzgwsowuwko.exe wlsotepmgvc.exe File opened for modification C:\Windows\uqywjckjsjfzlmwm.exe wlsotepmgvc.exe File opened for modification C:\Windows\iiuwnkwzmhhfvaoiciee.exe wlsotepmgvc.exe File opened for modification C:\Windows\xylogervjfgfwcrmholmz.exe wlsotepmgvc.exe File opened for modification C:\Windows\kisshcmnyrplzcogyc.exe wlsotepmgvc.exe File opened for modification C:\Windows\byhguoxxhzwregriz.exe wlsotepmgvc.exe File opened for modification C:\Windows\kisshcmnyrplzcogyc.exe wlsotepmgvc.exe File created C:\Windows\zgzigkdnhjqvsezaboryray.vfz xifsu.exe File opened for modification C:\Windows\byhguoxxhzwregriz.exe wlsotepmgvc.exe File opened for modification C:\Windows\kisshcmnyrplzcogyc.exe wlsotepmgvc.exe File opened for modification C:\Windows\xylogervjfgfwcrmholmz.exe wlsotepmgvc.exe File opened for modification C:\Windows\iiuwnkwzmhhfvaoiciee.exe wlsotepmgvc.exe File opened for modification C:\Windows\iiuwnkwzmhhfvaoiciee.exe wlsotepmgvc.exe File opened for modification C:\Windows\vufgwsdfrlkhwangzez.exe wlsotepmgvc.exe File opened for modification C:\Windows\uqywjckjsjfzlmwm.exe wlsotepmgvc.exe File opened for modification C:\Windows\byhguoxxhzwregriz.exe wlsotepmgvc.exe File opened for modification C:\Windows\uqywjckjsjfzlmwm.exe wlsotepmgvc.exe File opened for modification C:\Windows\kisshcmnyrplzcogyc.exe wlsotepmgvc.exe File opened for modification C:\Windows\vufgwsdfrlkhwangzez.exe wlsotepmgvc.exe File opened for modification C:\Windows\oqeibaotifhhzgwsowuwko.exe wlsotepmgvc.exe File opened for modification C:\Windows\oqeibaotifhhzgwsowuwko.exe wlsotepmgvc.exe File opened for modification C:\Windows\byhguoxxhzwregriz.exe xifsu.exe File opened for modification C:\Windows\xylogervjfgfwcrmholmz.exe xifsu.exe File created C:\Windows\meiclaezerjzhekwigumqktimhmzrhpmse.ocu xifsu.exe File opened for modification C:\Windows\vufgwsdfrlkhwangzez.exe wlsotepmgvc.exe File opened for modification C:\Windows\oqeibaotifhhzgwsowuwko.exe wlsotepmgvc.exe File opened for modification C:\Windows\uqywjckjsjfzlmwm.exe wlsotepmgvc.exe File opened for modification C:\Windows\oqeibaotifhhzgwsowuwko.exe wlsotepmgvc.exe File opened for modification C:\Windows\oqeibaotifhhzgwsowuwko.exe wlsotepmgvc.exe File opened for modification C:\Windows\uqywjckjsjfzlmwm.exe wlsotepmgvc.exe File opened for modification C:\Windows\iiuwnkwzmhhfvaoiciee.exe xifsu.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language byhguoxxhzwregriz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vufgwsdfrlkhwangzez.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language byhguoxxhzwregriz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wlsotepmgvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iiuwnkwzmhhfvaoiciee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language byhguoxxhzwregriz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vufgwsdfrlkhwangzez.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iiuwnkwzmhhfvaoiciee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xifsu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language byhguoxxhzwregriz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iiuwnkwzmhhfvaoiciee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vufgwsdfrlkhwangzez.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language uqywjckjsjfzlmwm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kisshcmnyrplzcogyc.exe -
Modifies registry class 30 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_Classes\Local Settings explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_Classes\Local Settings explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_Classes\Local Settings explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2680 xifsu.exe 2680 xifsu.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2680 xifsu.exe 2680 xifsu.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2680 xifsu.exe 2680 xifsu.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2680 xifsu.exe 2680 xifsu.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2680 xifsu.exe 2680 xifsu.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2680 xifsu.exe 2680 xifsu.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2680 xifsu.exe 2680 xifsu.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2680 xifsu.exe 2680 xifsu.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2680 xifsu.exe 2680 xifsu.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2680 xifsu.exe 2680 xifsu.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2680 xifsu.exe 2680 xifsu.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2680 xifsu.exe 2680 xifsu.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe -
Suspicious behavior: GetForegroundWindowSpam 6 IoCs
pid Process 2104 explorer.exe 1940 explorer.exe 1944 explorer.exe 744 explorer.exe 1772 explorer.exe 2976 explorer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2680 xifsu.exe Token: SeShutdownPrivilege 2104 explorer.exe Token: SeShutdownPrivilege 2104 explorer.exe Token: SeShutdownPrivilege 2104 explorer.exe Token: SeShutdownPrivilege 2104 explorer.exe Token: SeShutdownPrivilege 2104 explorer.exe Token: SeShutdownPrivilege 2104 explorer.exe Token: SeShutdownPrivilege 2104 explorer.exe Token: SeShutdownPrivilege 2104 explorer.exe Token: SeShutdownPrivilege 2104 explorer.exe Token: SeShutdownPrivilege 2104 explorer.exe Token: SeShutdownPrivilege 2104 explorer.exe Token: SeShutdownPrivilege 2104 explorer.exe Token: SeShutdownPrivilege 1940 explorer.exe Token: SeShutdownPrivilege 1940 explorer.exe Token: SeShutdownPrivilege 1940 explorer.exe Token: SeShutdownPrivilege 1940 explorer.exe Token: SeShutdownPrivilege 1940 explorer.exe Token: SeShutdownPrivilege 1940 explorer.exe Token: SeShutdownPrivilege 1940 explorer.exe Token: SeShutdownPrivilege 1940 explorer.exe Token: SeShutdownPrivilege 1940 explorer.exe Token: SeShutdownPrivilege 1940 explorer.exe Token: SeShutdownPrivilege 1940 explorer.exe Token: SeShutdownPrivilege 1940 explorer.exe Token: SeShutdownPrivilege 1944 explorer.exe Token: SeShutdownPrivilege 1944 explorer.exe Token: SeShutdownPrivilege 1944 explorer.exe Token: SeShutdownPrivilege 1944 explorer.exe Token: SeShutdownPrivilege 1944 explorer.exe Token: SeShutdownPrivilege 1944 explorer.exe Token: SeShutdownPrivilege 1944 explorer.exe Token: SeShutdownPrivilege 1944 explorer.exe Token: SeShutdownPrivilege 1944 explorer.exe Token: SeShutdownPrivilege 1944 explorer.exe Token: SeShutdownPrivilege 1944 explorer.exe Token: SeShutdownPrivilege 1944 explorer.exe Token: SeShutdownPrivilege 744 explorer.exe Token: SeShutdownPrivilege 744 explorer.exe Token: SeShutdownPrivilege 744 explorer.exe Token: SeShutdownPrivilege 744 explorer.exe Token: SeShutdownPrivilege 744 explorer.exe Token: SeShutdownPrivilege 744 explorer.exe Token: SeShutdownPrivilege 744 explorer.exe Token: SeShutdownPrivilege 744 explorer.exe Token: SeShutdownPrivilege 744 explorer.exe Token: SeShutdownPrivilege 744 explorer.exe Token: SeShutdownPrivilege 744 explorer.exe Token: SeShutdownPrivilege 744 explorer.exe Token: SeShutdownPrivilege 1772 explorer.exe Token: SeShutdownPrivilege 1772 explorer.exe Token: SeShutdownPrivilege 1772 explorer.exe Token: SeShutdownPrivilege 1772 explorer.exe Token: SeShutdownPrivilege 1772 explorer.exe Token: SeShutdownPrivilege 1772 explorer.exe Token: SeShutdownPrivilege 1772 explorer.exe Token: SeShutdownPrivilege 1772 explorer.exe Token: SeShutdownPrivilege 1772 explorer.exe Token: SeShutdownPrivilege 1772 explorer.exe Token: SeShutdownPrivilege 1772 explorer.exe Token: SeShutdownPrivilege 1772 explorer.exe Token: SeShutdownPrivilege 2976 explorer.exe Token: SeShutdownPrivilege 2976 explorer.exe Token: SeShutdownPrivilege 2976 explorer.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1944 explorer.exe 1944 explorer.exe 1944 explorer.exe 1944 explorer.exe 1944 explorer.exe 1944 explorer.exe 1944 explorer.exe 1944 explorer.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1940 explorer.exe 1944 explorer.exe 1944 explorer.exe 1944 explorer.exe 1944 explorer.exe 1944 explorer.exe 1944 explorer.exe 1944 explorer.exe 1944 explorer.exe 1944 explorer.exe 1944 explorer.exe 1944 explorer.exe 1944 explorer.exe 1944 explorer.exe 1944 explorer.exe 1944 explorer.exe 1944 explorer.exe 1944 explorer.exe 744 explorer.exe 744 explorer.exe 744 explorer.exe 744 explorer.exe 744 explorer.exe 744 explorer.exe 744 explorer.exe 744 explorer.exe 744 explorer.exe 744 explorer.exe 744 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2128 wrote to memory of 2288 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 30 PID 2128 wrote to memory of 2288 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 30 PID 2128 wrote to memory of 2288 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 30 PID 2128 wrote to memory of 2288 2128 JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe 30 PID 2288 wrote to memory of 2680 2288 wlsotepmgvc.exe 32 PID 2288 wrote to memory of 2680 2288 wlsotepmgvc.exe 32 PID 2288 wrote to memory of 2680 2288 wlsotepmgvc.exe 32 PID 2288 wrote to memory of 2680 2288 wlsotepmgvc.exe 32 PID 2288 wrote to memory of 2844 2288 wlsotepmgvc.exe 33 PID 2288 wrote to memory of 2844 2288 wlsotepmgvc.exe 33 PID 2288 wrote to memory of 2844 2288 wlsotepmgvc.exe 33 PID 2288 wrote to memory of 2844 2288 wlsotepmgvc.exe 33 PID 2104 wrote to memory of 2052 2104 explorer.exe 35 PID 2104 wrote to memory of 2052 2104 explorer.exe 35 PID 2104 wrote to memory of 2052 2104 explorer.exe 35 PID 2104 wrote to memory of 2052 2104 explorer.exe 35 PID 2104 wrote to memory of 2060 2104 explorer.exe 36 PID 2104 wrote to memory of 2060 2104 explorer.exe 36 PID 2104 wrote to memory of 2060 2104 explorer.exe 36 PID 2104 wrote to memory of 2060 2104 explorer.exe 36 PID 2052 wrote to memory of 744 2052 iiuwnkwzmhhfvaoiciee.exe 37 PID 2052 wrote to memory of 744 2052 iiuwnkwzmhhfvaoiciee.exe 37 PID 2052 wrote to memory of 744 2052 iiuwnkwzmhhfvaoiciee.exe 37 PID 2052 wrote to memory of 744 2052 iiuwnkwzmhhfvaoiciee.exe 37 PID 2060 wrote to memory of 1860 2060 byhguoxxhzwregriz.exe 38 PID 2060 wrote to memory of 1860 2060 byhguoxxhzwregriz.exe 38 PID 2060 wrote to memory of 1860 2060 byhguoxxhzwregriz.exe 38 PID 2060 wrote to memory of 1860 2060 byhguoxxhzwregriz.exe 38 PID 1940 wrote to memory of 1796 1940 explorer.exe 41 PID 1940 wrote to memory of 1796 1940 explorer.exe 41 PID 1940 wrote to memory of 1796 1940 explorer.exe 41 PID 1940 wrote to memory of 1796 1940 explorer.exe 41 PID 1940 wrote to memory of 2348 1940 explorer.exe 42 PID 1940 wrote to memory of 2348 1940 explorer.exe 42 PID 1940 wrote to memory of 2348 1940 explorer.exe 42 PID 1940 wrote to memory of 2348 1940 explorer.exe 42 PID 1796 wrote to memory of 1456 1796 kisshcmnyrplzcogyc.exe 43 PID 1796 wrote to memory of 1456 1796 kisshcmnyrplzcogyc.exe 43 PID 1796 wrote to memory of 1456 1796 kisshcmnyrplzcogyc.exe 43 PID 1796 wrote to memory of 1456 1796 kisshcmnyrplzcogyc.exe 43 PID 2348 wrote to memory of 2480 2348 byhguoxxhzwregriz.exe 44 PID 2348 wrote to memory of 2480 2348 byhguoxxhzwregriz.exe 44 PID 2348 wrote to memory of 2480 2348 byhguoxxhzwregriz.exe 44 PID 2348 wrote to memory of 2480 2348 byhguoxxhzwregriz.exe 44 PID 1944 wrote to memory of 2576 1944 explorer.exe 47 PID 1944 wrote to memory of 2576 1944 explorer.exe 47 PID 1944 wrote to memory of 2576 1944 explorer.exe 47 PID 1944 wrote to memory of 2576 1944 explorer.exe 47 PID 1944 wrote to memory of 2612 1944 explorer.exe 48 PID 1944 wrote to memory of 2612 1944 explorer.exe 48 PID 1944 wrote to memory of 2612 1944 explorer.exe 48 PID 1944 wrote to memory of 2612 1944 explorer.exe 48 PID 2576 wrote to memory of 2364 2576 vufgwsdfrlkhwangzez.exe 49 PID 2576 wrote to memory of 2364 2576 vufgwsdfrlkhwangzez.exe 49 PID 2576 wrote to memory of 2364 2576 vufgwsdfrlkhwangzez.exe 49 PID 2576 wrote to memory of 2364 2576 vufgwsdfrlkhwangzez.exe 49 PID 2612 wrote to memory of 2976 2612 iiuwnkwzmhhfvaoiciee.exe 50 PID 2612 wrote to memory of 2976 2612 iiuwnkwzmhhfvaoiciee.exe 50 PID 2612 wrote to memory of 2976 2612 iiuwnkwzmhhfvaoiciee.exe 50 PID 2612 wrote to memory of 2976 2612 iiuwnkwzmhhfvaoiciee.exe 50 PID 744 wrote to memory of 2988 744 explorer.exe 53 PID 744 wrote to memory of 2988 744 explorer.exe 53 PID 744 wrote to memory of 2988 744 explorer.exe 53 PID 744 wrote to memory of 2988 744 explorer.exe 53 -
System policy modification 1 TTPs 48 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" xifsu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer xifsu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wlsotepmgvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" wlsotepmgvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xifsu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" xifsu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wlsotepmgvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" xifsu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wlsotepmgvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wlsotepmgvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wlsotepmgvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" xifsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wlsotepmgvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wlsotepmgvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wlsotepmgvc.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a01bcb09b024896cdaf5a880dd8a094.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe"C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8a01bcb09b024896cdaf5a880dd8a094.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2288 -
C:\Users\Admin\AppData\Local\Temp\xifsu.exe"C:\Users\Admin\AppData\Local\Temp\xifsu.exe" "-C:\Users\Admin\AppData\Local\Temp\uqywjckjsjfzlmwm.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2680
-
-
C:\Users\Admin\AppData\Local\Temp\xifsu.exe"C:\Users\Admin\AppData\Local\Temp\xifsu.exe" "-C:\Users\Admin\AppData\Local\Temp\uqywjckjsjfzlmwm.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2844
-
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\iiuwnkwzmhhfvaoiciee.exe"C:\Windows\iiuwnkwzmhhfvaoiciee.exe" .2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe"C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe" "c:\windows\iiuwnkwzmhhfvaoiciee.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:744
-
-
-
C:\Users\Admin\AppData\Local\Temp\byhguoxxhzwregriz.exe"C:\Users\Admin\AppData\Local\Temp\byhguoxxhzwregriz.exe" .2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe"C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe" "c:\users\admin\appdata\local\temp\byhguoxxhzwregriz.exe*."3⤵
- Executes dropped EXE
PID:1860
-
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\kisshcmnyrplzcogyc.exe"C:\Windows\kisshcmnyrplzcogyc.exe" .2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe"C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe" "c:\windows\kisshcmnyrplzcogyc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1456
-
-
-
C:\Users\Admin\AppData\Local\Temp\byhguoxxhzwregriz.exe"C:\Users\Admin\AppData\Local\Temp\byhguoxxhzwregriz.exe" .2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe"C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe" "c:\users\admin\appdata\local\temp\byhguoxxhzwregriz.exe*."3⤵
- Executes dropped EXE
PID:2480
-
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\vufgwsdfrlkhwangzez.exe"C:\Windows\vufgwsdfrlkhwangzez.exe" .2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe"C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe" "c:\windows\vufgwsdfrlkhwangzez.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2364
-
-
-
C:\Users\Admin\AppData\Local\Temp\iiuwnkwzmhhfvaoiciee.exe"C:\Users\Admin\AppData\Local\Temp\iiuwnkwzmhhfvaoiciee.exe" .2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe"C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe" "c:\users\admin\appdata\local\temp\iiuwnkwzmhhfvaoiciee.exe*."3⤵
- Executes dropped EXE
PID:2976
-
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\vufgwsdfrlkhwangzez.exe"C:\Windows\vufgwsdfrlkhwangzez.exe" .2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2988 -
C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe"C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe" "c:\windows\vufgwsdfrlkhwangzez.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1964
-
-
-
C:\Users\Admin\AppData\Local\Temp\byhguoxxhzwregriz.exe"C:\Users\Admin\AppData\Local\Temp\byhguoxxhzwregriz.exe" .2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:764 -
C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe"C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe" "c:\users\admin\appdata\local\temp\byhguoxxhzwregriz.exe*."3⤵
- Executes dropped EXE
PID:1788
-
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1772 -
C:\Windows\iiuwnkwzmhhfvaoiciee.exe"C:\Windows\iiuwnkwzmhhfvaoiciee.exe" .2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe"C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe" "c:\windows\iiuwnkwzmhhfvaoiciee.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2304
-
-
-
C:\Users\Admin\AppData\Local\Temp\vufgwsdfrlkhwangzez.exe"C:\Users\Admin\AppData\Local\Temp\vufgwsdfrlkhwangzez.exe" .2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe"C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe" "c:\users\admin\appdata\local\temp\vufgwsdfrlkhwangzez.exe*."3⤵
- Executes dropped EXE
PID:2744
-
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2976 -
C:\Windows\byhguoxxhzwregriz.exe"C:\Windows\byhguoxxhzwregriz.exe" .2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1644 -
C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe"C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe" "c:\windows\byhguoxxhzwregriz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1084
-
-
-
C:\Users\Admin\AppData\Local\Temp\uqywjckjsjfzlmwm.exe"C:\Users\Admin\AppData\Local\Temp\uqywjckjsjfzlmwm.exe" .2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2496 -
C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe"C:\Users\Admin\AppData\Local\Temp\wlsotepmgvc.exe" "c:\users\admin\appdata\local\temp\uqywjckjsjfzlmwm.exe*."3⤵
- Executes dropped EXE
PID:1588
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
4Active Setup
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
4Active Setup
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Impair Defenses
2Disable or Modify Tools
1Safe Mode Boot
1Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
272B
MD545c838e72616d762d740c0ff72bef851
SHA15eed1d8dabcbc3f5579a919fc2175a852f984858
SHA25641536917dea7f6cc6e4cde5b23500fea04c7268fe1f1bf492eb2a19f125b8c1c
SHA5127f8e92ed2d8e0b0e38b8db3d25e6fae9978430f3ff5f16a6d7a0afa9fa26fc990f96a13f342adbd763d108588bdce4f9e705d3a268d07836a1e574b8a6ec9f7e
-
Filesize
272B
MD5e63bb8f2686925c3b01bb22466a03f16
SHA157e282fde2e08420597c1dc09d95c1133fb32dd1
SHA256e2a8dbe5fb7b9884f21c54e8adcabace8792d029ccf86ca92cf05eaffa651551
SHA5120c183fcde8cfc34096f9ea2661f97528dbb996d47abd07e4e9a676b1a80b451c7ddde08cf74715e86501fbe9d6f2f1c7042f8a32d511b820f9a08b85d7884d76
-
Filesize
272B
MD50c4b69eb8c8a1d1a3836f6a198075063
SHA17e9816ee934fbeff320d927d0202bc125ac75f6b
SHA2565a7c2b79c135d29c8b214052c5b32700f835e3d28406db5aba0bd8b4fdeb6a36
SHA51245a6d74dd6ba936642b3f19ca8bb8305eaf256a533482c7a037a858afb5031a783aa6eb21021c5d6a2f668615f1c2317dd2b658016e56e71d37d69836bd4c296
-
Filesize
3KB
MD5c48a4237533e75a1f0a93183cee059e6
SHA1c67d58fef6483aaac176237d2ab170e9e5361b1f
SHA256e201833c171256ca0b4085a63de5b77535baffd4f1130ad680dacc367c79dc34
SHA5125a20b9cbfb154cd5dcbd09c7fc096181e6de382144d2ded7e4de73278d552214a4838b10411a8dea863f3a10f92623b0df8789d807173b22f834ec18f784dc64
-
Filesize
272B
MD5137d61eabeb9a296b8c427df179aa37b
SHA1a3d57acf2da95ef7f5294ec050c9044446b981e1
SHA2564fd201d8b0e0c54c76756dc74dd9fd2ff02e3121f2c9eeb6d5cd6a426a851d1c
SHA5123ba4ac87f65a3064d0d6ad0c410191fe0f8cc35f99cb636622a0d88cec605d180474612c0963434679f4c5f075221b4bb5bb5c3e0b53ddf8dd7ad4d3efaa8e3c
-
Filesize
600KB
MD58a01bcb09b024896cdaf5a880dd8a094
SHA1fa6c9c41d673cc567b909c304380b166538f964b
SHA2561245110ba2ca69fa0e47a45237891925276be818ea7e0bb1a1ed92f4a610b004
SHA5126656722e386ec828b9b135110882da1fd2a513fd2df5fda04e28a41d6aa165dc189f71e43783a679ad86b4d42bc4631a0cf0602ad5ede30bff0f8fabe6e89d9c
-
Filesize
320KB
MD55203b6ea0901877fbf2d8d6f6d8d338e
SHA1c803e92561921b38abe13239c1fd85605b570936
SHA2560cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060
SHA512d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471
-
Filesize
704KB
MD589ed6abd85f688bc9fe6bbacfe172a21
SHA1ca5dae2c05eb2b25ff3d9ea6be4091e5b2d922cc
SHA256b9a639ebbc419b74496e992b69ca704692e8d9a45a6ec5f082e5f0b0dfae7c73
SHA5122ce737ea1ca1325188768efc43dba60dc268d3c3726593c4a9ab270083f1eabd924ffc791ff67037cf054fd09101d8f9abe03722d1b8d0878e40179dfc8ee6a1