pykspa | c26f5632fb49cb95cf5f29e95b8973e1a246ba425258a6b4cce07fe00a142bb9

Analysis

max time kernel
22s
max time network
154s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
29/03/2025, 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
Size

496KB
MD5

8e7dcdbbca7e276cd14b97d88d2b92ca
SHA1

c1f04482270dd3685f0f4fe90d049bb0b1604614
SHA256

c26f5632fb49cb95cf5f29e95b8973e1a246ba425258a6b4cce07fe00a142bb9
SHA512

6388db8ca9165abee847a5403caa49d4af891ee769a89bdf6930e6b9da25599854c854a8151410ad3fe30fb8b6ce4cb23fa23d7a905b79f9c9c74884d9dfeb09
SSDEEP

6144:yj6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdriongp+:g6onxOp8FySpE5zvIdtU+Ymef7

Score

10^/10

pykspa defense_evasion discovery persistence privilege_escalation trojan worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	tgmoojbsdqw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	tgmoojbsdqw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ltvhen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ltvhen.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 13 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tgmoojbsdqw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	tgmoojbsdqw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tgmoojbsdqw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	tgmoojbsdqw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	tgmoojbsdqw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ltvhen.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral1/files/0x000c00000001202c-2.dat	family_pykspa
behavioral1/files/0x0005000000018744-61.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	tgmoojbsdqw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pdldgvhqgqgu = "axopbzumledaqcmrtuolc.exe"	ltvhen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\epujjvekx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axopbzumledaqcmrtuolc.exe"	ltvhen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ltvhen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pdldgvhqgqgu = "xpbxexnauicufmrr.exe"	ltvhen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pdldgvhqgqgu = "lhxxifzqogeapajnoohd.exe"	tgmoojbsdqw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\epujjvekx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exkhpjaojytmygmnl.exe"	tgmoojbsdqw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ltvhen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pdldgvhqgqgu = "axopbzumledaqcmrtuolc.exe"	ltvhen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\epujjvekx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axopbzumledaqcmrtuolc.exe"	ltvhen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	tgmoojbsdqw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\epujjvekx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhxxifzqogeapajnoohd.exe"	tgmoojbsdqw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\epujjvekx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhxxifzqogeapajnoohd.exe"	ltvhen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pdldgvhqgqgu = "exkhpjaojytmygmnl.exe"	tgmoojbsdqw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pdldgvhqgqgu = "exkhpjaojytmygmnl.exe"	ltvhen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\epujjvekx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhxxifzqogeapajnoohd.exe"	ltvhen.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tgmoojbsdqw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tgmoojbsdqw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ltvhen.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ltvhen.exe

Executes dropped EXE 7 IoCs

pid	Process
2860	tgmoojbsdqw.exe
2700	ltvhen.exe
2064	ltvhen.exe
2896	axopbzumledaqcmrtuolc.exe
1576	axopbzumledaqcmrtuolc.exe
1844	tgmoojbsdqw.exe
2060	tgmoojbsdqw.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	ltvhen.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	ltvhen.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	ltvhen.exe

Loads dropped DLL 10 IoCs

pid	Process
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
2860	tgmoojbsdqw.exe
2860	tgmoojbsdqw.exe
2860	tgmoojbsdqw.exe
2860	tgmoojbsdqw.exe
1576	axopbzumledaqcmrtuolc.exe
2896	axopbzumledaqcmrtuolc.exe
2896	axopbzumledaqcmrtuolc.exe
1576	axopbzumledaqcmrtuolc.exe

Adds Run key to start application 2 TTPs 43 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pfpjoftewiaqze = "nhvtcxpeaqmgtcjlki.exe ."	ltvhen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sjupvncohuneouy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytihrngwtkhcqaillkc.exe ."	tgmoojbsdqw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xjpfgtdkyg = "nhvtcxpeaqmgtcjlki.exe"	ltvhen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\xjpfgtdkyg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exkhpjaojytmygmnl.exe"	ltvhen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sfmdftembkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpbxexnauicufmrr.exe ."	tgmoojbsdqw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sjupvncohuneouy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exkhpjaojytmygmnl.exe ."	ltvhen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pfpjoftewiaqze = "axopbzumledaqcmrtuolc.exe ."	ltvhen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sfmdftembkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axopbzumledaqcmrtuolc.exe ."	ltvhen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pfpjoftewiaqze = "nhvtcxpeaqmgtcjlki.exe ."	ltvhen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xjpfgtdkyg = "xpbxexnauicufmrr.exe"	tgmoojbsdqw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sjupvncohuneouy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhxxifzqogeapajnoohd.exe ."	tgmoojbsdqw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\odmfjzmwnypem = "axopbzumledaqcmrtuolc.exe"	ltvhen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\odmfjzmwnypem = "nhvtcxpeaqmgtcjlki.exe"	tgmoojbsdqw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sfmdftembkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhxxifzqogeapajnoohd.exe ."	tgmoojbsdqw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pfpjoftewiaqze = "ytihrngwtkhcqaillkc.exe ."	tgmoojbsdqw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xjpfgtdkyg = "lhxxifzqogeapajnoohd.exe"	ltvhen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\xjpfgtdkyg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytihrngwtkhcqaillkc.exe"	ltvhen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xpbxexnauicufmrr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhvtcxpeaqmgtcjlki.exe"	ltvhen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\xjpfgtdkyg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhvtcxpeaqmgtcjlki.exe"	tgmoojbsdqw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xpbxexnauicufmrr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exkhpjaojytmygmnl.exe"	ltvhen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sfmdftembkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhxxifzqogeapajnoohd.exe ."	ltvhen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xjpfgtdkyg = "ytihrngwtkhcqaillkc.exe"	ltvhen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\odmfjzmwnypem = "axopbzumledaqcmrtuolc.exe"	ltvhen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xpbxexnauicufmrr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytihrngwtkhcqaillkc.exe"	tgmoojbsdqw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xpbxexnauicufmrr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhvtcxpeaqmgtcjlki.exe"	ltvhen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xjpfgtdkyg = "lhxxifzqogeapajnoohd.exe"	ltvhen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sfmdftembkz = "xpbxexnauicufmrr.exe ."	ltvhen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sjupvncohuneouy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exkhpjaojytmygmnl.exe ."	ltvhen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\xjpfgtdkyg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytihrngwtkhcqaillkc.exe"	ltvhen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xjpfgtdkyg = "ytihrngwtkhcqaillkc.exe"	tgmoojbsdqw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pfpjoftewiaqze = "nhvtcxpeaqmgtcjlki.exe ."	tgmoojbsdqw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\odmfjzmwnypem = "ytihrngwtkhcqaillkc.exe"	ltvhen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\odmfjzmwnypem = "exkhpjaojytmygmnl.exe"	tgmoojbsdqw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xpbxexnauicufmrr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhvtcxpeaqmgtcjlki.exe"	tgmoojbsdqw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\xjpfgtdkyg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpbxexnauicufmrr.exe"	tgmoojbsdqw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sfmdftembkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axopbzumledaqcmrtuolc.exe ."	ltvhen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sfmdftembkz = "exkhpjaojytmygmnl.exe ."	tgmoojbsdqw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sfmdftembkz = "nhvtcxpeaqmgtcjlki.exe ."	ltvhen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\xjpfgtdkyg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axopbzumledaqcmrtuolc.exe"	ltvhen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xpbxexnauicufmrr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpbxexnauicufmrr.exe"	ltvhen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sfmdftembkz = "lhxxifzqogeapajnoohd.exe ."	tgmoojbsdqw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sfmdftembkz = "xpbxexnauicufmrr.exe ."	ltvhen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pfpjoftewiaqze = "axopbzumledaqcmrtuolc.exe ."	ltvhen.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ltvhen.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tgmoojbsdqw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tgmoojbsdqw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tgmoojbsdqw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tgmoojbsdqw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ltvhen.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

defense_evasion persistence privilege_escalation

Executable Installer File Permissions Weakness

T1574.005

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	tgmoojbsdqw.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	www.whatismyip.ca
10	www.showmyipaddress.com
3	whatismyipaddress.com
5	whatismyip.everdot.org

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\exkhpjaojytmygmnl.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\SysWOW64\lhxxifzqogeapajnoohd.exe	ltvhen.exe
File opened for modification	C:\Windows\SysWOW64\exkhpjaojytmygmnl.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\SysWOW64\axopbzumledaqcmrtuolc.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\SysWOW64\exkhpjaojytmygmnl.exe	ltvhen.exe
File opened for modification	C:\Windows\SysWOW64\nhvtcxpeaqmgtcjlki.exe	ltvhen.exe
File opened for modification	C:\Windows\SysWOW64\rphjwvrkkeectgrxacxvnp.exe	ltvhen.exe
File opened for modification	C:\Windows\SysWOW64\odmfjzmwnypemqspjcodmfjzmwnypemqspj.odm	ltvhen.exe
File opened for modification	C:\Windows\SysWOW64\rphjwvrkkeectgrxacxvnp.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\SysWOW64\nhvtcxpeaqmgtcjlki.exe	ltvhen.exe
File opened for modification	C:\Windows\SysWOW64\axopbzumledaqcmrtuolc.exe	ltvhen.exe
File opened for modification	C:\Windows\SysWOW64\ytihrngwtkhcqaillkc.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\SysWOW64\xpbxexnauicufmrr.exe	ltvhen.exe
File opened for modification	C:\Windows\SysWOW64\xpbxexnauicufmrr.exe	ltvhen.exe
File opened for modification	C:\Windows\SysWOW64\axopbzumledaqcmrtuolc.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\SysWOW64\ytihrngwtkhcqaillkc.exe	ltvhen.exe
File opened for modification	C:\Windows\SysWOW64\ytihrngwtkhcqaillkc.exe	ltvhen.exe
File opened for modification	C:\Windows\SysWOW64\fjhpinpouuaebulxgoptrzsx.yee	ltvhen.exe
File created	C:\Windows\SysWOW64\odmfjzmwnypemqspjcodmfjzmwnypemqspj.odm	ltvhen.exe
File opened for modification	C:\Windows\SysWOW64\lhxxifzqogeapajnoohd.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\SysWOW64\nhvtcxpeaqmgtcjlki.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\SysWOW64\lhxxifzqogeapajnoohd.exe	ltvhen.exe
File created	C:\Windows\SysWOW64\fjhpinpouuaebulxgoptrzsx.yee	ltvhen.exe
File opened for modification	C:\Windows\SysWOW64\ytihrngwtkhcqaillkc.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\SysWOW64\exkhpjaojytmygmnl.exe	ltvhen.exe
File opened for modification	C:\Windows\SysWOW64\axopbzumledaqcmrtuolc.exe	ltvhen.exe
File opened for modification	C:\Windows\SysWOW64\nhvtcxpeaqmgtcjlki.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\SysWOW64\xpbxexnauicufmrr.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\SysWOW64\lhxxifzqogeapajnoohd.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\SysWOW64\rphjwvrkkeectgrxacxvnp.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\SysWOW64\rphjwvrkkeectgrxacxvnp.exe	ltvhen.exe
File opened for modification	C:\Windows\SysWOW64\xpbxexnauicufmrr.exe	tgmoojbsdqw.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\fjhpinpouuaebulxgoptrzsx.yee	ltvhen.exe
File created	C:\Program Files (x86)\fjhpinpouuaebulxgoptrzsx.yee	ltvhen.exe
File opened for modification	C:\Program Files (x86)\odmfjzmwnypemqspjcodmfjzmwnypemqspj.odm	ltvhen.exe
File created	C:\Program Files (x86)\odmfjzmwnypemqspjcodmfjzmwnypemqspj.odm	ltvhen.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\axopbzumledaqcmrtuolc.exe	ltvhen.exe
File opened for modification	C:\Windows\rphjwvrkkeectgrxacxvnp.exe	ltvhen.exe
File opened for modification	C:\Windows\fjhpinpouuaebulxgoptrzsx.yee	ltvhen.exe
File opened for modification	C:\Windows\exkhpjaojytmygmnl.exe	ltvhen.exe
File opened for modification	C:\Windows\nhvtcxpeaqmgtcjlki.exe	ltvhen.exe
File opened for modification	C:\Windows\axopbzumledaqcmrtuolc.exe	ltvhen.exe
File opened for modification	C:\Windows\xpbxexnauicufmrr.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\nhvtcxpeaqmgtcjlki.exe	ltvhen.exe
File opened for modification	C:\Windows\lhxxifzqogeapajnoohd.exe	ltvhen.exe
File opened for modification	C:\Windows\rphjwvrkkeectgrxacxvnp.exe	ltvhen.exe
File opened for modification	C:\Windows\lhxxifzqogeapajnoohd.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\rphjwvrkkeectgrxacxvnp.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\nhvtcxpeaqmgtcjlki.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\exkhpjaojytmygmnl.exe	ltvhen.exe
File created	C:\Windows\odmfjzmwnypemqspjcodmfjzmwnypemqspj.odm	ltvhen.exe
File opened for modification	C:\Windows\exkhpjaojytmygmnl.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\nhvtcxpeaqmgtcjlki.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\axopbzumledaqcmrtuolc.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\xpbxexnauicufmrr.exe	ltvhen.exe
File opened for modification	C:\Windows\xpbxexnauicufmrr.exe	ltvhen.exe
File created	C:\Windows\fjhpinpouuaebulxgoptrzsx.yee	ltvhen.exe
File opened for modification	C:\Windows\ytihrngwtkhcqaillkc.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\exkhpjaojytmygmnl.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\ytihrngwtkhcqaillkc.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\lhxxifzqogeapajnoohd.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\ytihrngwtkhcqaillkc.exe	ltvhen.exe
File opened for modification	C:\Windows\xpbxexnauicufmrr.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\rphjwvrkkeectgrxacxvnp.exe	tgmoojbsdqw.exe
File opened for modification	C:\Windows\ytihrngwtkhcqaillkc.exe	ltvhen.exe
File opened for modification	C:\Windows\lhxxifzqogeapajnoohd.exe	ltvhen.exe
File opened for modification	C:\Windows\odmfjzmwnypemqspjcodmfjzmwnypemqspj.odm	ltvhen.exe
File opened for modification	C:\Windows\axopbzumledaqcmrtuolc.exe	tgmoojbsdqw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgmoojbsdqw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ltvhen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axopbzumledaqcmrtuolc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axopbzumledaqcmrtuolc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
2700	ltvhen.exe
2700	ltvhen.exe
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
2700	ltvhen.exe
2700	ltvhen.exe
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
2700	ltvhen.exe
2700	ltvhen.exe
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
2700	ltvhen.exe
2700	ltvhen.exe
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
2700	ltvhen.exe
2700	ltvhen.exe
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
2700	ltvhen.exe
2700	ltvhen.exe
2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2228	explorer.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	ltvhen.exe
Token: SeShutdownPrivilege	2228	explorer.exe
Token: SeShutdownPrivilege	2228	explorer.exe
Token: SeShutdownPrivilege	2228	explorer.exe
Token: SeShutdownPrivilege	2228	explorer.exe
Token: SeShutdownPrivilege	2228	explorer.exe
Token: SeShutdownPrivilege	2228	explorer.exe
Token: SeShutdownPrivilege	2228	explorer.exe
Token: SeShutdownPrivilege	2228	explorer.exe
Token: SeShutdownPrivilege	2228	explorer.exe
Token: SeShutdownPrivilege	2228	explorer.exe
Token: SeShutdownPrivilege	2228	explorer.exe
Token: SeShutdownPrivilege	2228	explorer.exe
Token: SeShutdownPrivilege	2788	explorer.exe
Token: SeShutdownPrivilege	2788	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2860	2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe	30
PID 2856 wrote to memory of 2860	2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe	30
PID 2856 wrote to memory of 2860	2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe	30
PID 2856 wrote to memory of 2860	2856	JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe	30
PID 2860 wrote to memory of 2700	2860	tgmoojbsdqw.exe	31
PID 2860 wrote to memory of 2700	2860	tgmoojbsdqw.exe	31
PID 2860 wrote to memory of 2700	2860	tgmoojbsdqw.exe	31
PID 2860 wrote to memory of 2700	2860	tgmoojbsdqw.exe	31
PID 2860 wrote to memory of 2064	2860	tgmoojbsdqw.exe	32
PID 2860 wrote to memory of 2064	2860	tgmoojbsdqw.exe	32
PID 2860 wrote to memory of 2064	2860	tgmoojbsdqw.exe	32
PID 2860 wrote to memory of 2064	2860	tgmoojbsdqw.exe	32
PID 2228 wrote to memory of 2896	2228	explorer.exe	34
PID 2228 wrote to memory of 2896	2228	explorer.exe	34
PID 2228 wrote to memory of 2896	2228	explorer.exe	34
PID 2228 wrote to memory of 2896	2228	explorer.exe	34
PID 2228 wrote to memory of 1576	2228	explorer.exe	35
PID 2228 wrote to memory of 1576	2228	explorer.exe	35
PID 2228 wrote to memory of 1576	2228	explorer.exe	35
PID 2228 wrote to memory of 1576	2228	explorer.exe	35
PID 2896 wrote to memory of 1844	2896	axopbzumledaqcmrtuolc.exe	37
PID 2896 wrote to memory of 1844	2896	axopbzumledaqcmrtuolc.exe	37
PID 2896 wrote to memory of 1844	2896	axopbzumledaqcmrtuolc.exe	37
PID 2896 wrote to memory of 1844	2896	axopbzumledaqcmrtuolc.exe	37
PID 1576 wrote to memory of 2060	1576	axopbzumledaqcmrtuolc.exe	36
PID 1576 wrote to memory of 2060	1576	axopbzumledaqcmrtuolc.exe	36
PID 1576 wrote to memory of 2060	1576	axopbzumledaqcmrtuolc.exe	36
PID 1576 wrote to memory of 2060	1576	axopbzumledaqcmrtuolc.exe	36

System policy modification 1 TTPs 38 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	tgmoojbsdqw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ltvhen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tgmoojbsdqw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	tgmoojbsdqw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	tgmoojbsdqw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ltvhen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ltvhen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	tgmoojbsdqw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	tgmoojbsdqw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ltvhen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ltvhen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	tgmoojbsdqw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	tgmoojbsdqw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tgmoojbsdqw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tgmoojbsdqw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	tgmoojbsdqw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	tgmoojbsdqw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	tgmoojbsdqw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	tgmoojbsdqw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ltvhen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ltvhen.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
  "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\ltvhen.exe
    "C:\Users\Admin\AppData\Local\Temp\ltvhen.exe" "-C:\Users\Admin\AppData\Local\Temp\xpbxexnauicufmrr.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2700
- - C:\Users\Admin\AppData\Local\Temp\ltvhen.exe
    "C:\Users\Admin\AppData\Local\Temp\ltvhen.exe" "-C:\Users\Admin\AppData\Local\Temp\xpbxexnauicufmrr.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2064
- C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
  "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8e7dcdbbca7e276cd14b97d88d2b92ca.exe"
  2⤵
  PID:2444

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\axopbzumledaqcmrtuolc.exe
  "C:\Windows\axopbzumledaqcmrtuolc.exe" .
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
    "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\windows\axopbzumledaqcmrtuolc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1844
- C:\Users\Admin\AppData\Local\Temp\axopbzumledaqcmrtuolc.exe
  "C:\Users\Admin\AppData\Local\Temp\axopbzumledaqcmrtuolc.exe" .
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
    "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\users\admin\appdata\local\temp\axopbzumledaqcmrtuolc.exe*."
    3⤵
    - Executes dropped EXE
    PID:2060

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Suspicious use of AdjustPrivilegeToken
PID:2788
- C:\Windows\nhvtcxpeaqmgtcjlki.exe
  "C:\Windows\nhvtcxpeaqmgtcjlki.exe" .
  2⤵
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
    "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\windows\nhvtcxpeaqmgtcjlki.exe*."
    3⤵
    PID:2732
- C:\Users\Admin\AppData\Local\Temp\lhxxifzqogeapajnoohd.exe
  "C:\Users\Admin\AppData\Local\Temp\lhxxifzqogeapajnoohd.exe" .
  2⤵
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
    "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\users\admin\appdata\local\temp\lhxxifzqogeapajnoohd.exe*."
    3⤵
    PID:2680

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1316
- C:\Windows\lhxxifzqogeapajnoohd.exe
  "C:\Windows\lhxxifzqogeapajnoohd.exe" .
  2⤵
  PID:1236
- - C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
    "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\windows\lhxxifzqogeapajnoohd.exe*."
    3⤵
    PID:288
- C:\Users\Admin\AppData\Local\Temp\nhvtcxpeaqmgtcjlki.exe
  "C:\Users\Admin\AppData\Local\Temp\nhvtcxpeaqmgtcjlki.exe" .
  2⤵
  PID:2636
- - C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
    "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\users\admin\appdata\local\temp\nhvtcxpeaqmgtcjlki.exe*."
    3⤵
    PID:1740

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:908
- C:\Windows\xpbxexnauicufmrr.exe
  "C:\Windows\xpbxexnauicufmrr.exe" .
  2⤵
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
    "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\windows\xpbxexnauicufmrr.exe*."
    3⤵
    PID:2532
- C:\Users\Admin\AppData\Local\Temp\exkhpjaojytmygmnl.exe
  "C:\Users\Admin\AppData\Local\Temp\exkhpjaojytmygmnl.exe" .
  2⤵
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
    "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\users\admin\appdata\local\temp\exkhpjaojytmygmnl.exe*."
    3⤵
    PID:1588

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1748
- C:\Windows\lhxxifzqogeapajnoohd.exe
  "C:\Windows\lhxxifzqogeapajnoohd.exe" .
  2⤵
  PID:2852
- - C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
    "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\windows\lhxxifzqogeapajnoohd.exe*."
    3⤵
    PID:2976
- C:\Users\Admin\AppData\Local\Temp\lhxxifzqogeapajnoohd.exe
  "C:\Users\Admin\AppData\Local\Temp\lhxxifzqogeapajnoohd.exe" .
  2⤵
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
    "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\users\admin\appdata\local\temp\lhxxifzqogeapajnoohd.exe*."
    3⤵
    PID:2640

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1020
- C:\Windows\nhvtcxpeaqmgtcjlki.exe
  "C:\Windows\nhvtcxpeaqmgtcjlki.exe" .
  2⤵
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
    "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\windows\nhvtcxpeaqmgtcjlki.exe*."
    3⤵
    PID:1168
- C:\Users\Admin\AppData\Local\Temp\exkhpjaojytmygmnl.exe
  "C:\Users\Admin\AppData\Local\Temp\exkhpjaojytmygmnl.exe" .
  2⤵
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
    "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\users\admin\appdata\local\temp\exkhpjaojytmygmnl.exe*."
    3⤵
    PID:2464

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:600
- C:\Windows\axopbzumledaqcmrtuolc.exe
  "C:\Windows\axopbzumledaqcmrtuolc.exe" .
  2⤵
  PID:2468
- - C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
    "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\windows\axopbzumledaqcmrtuolc.exe*."
    3⤵
    PID:604
- C:\Users\Admin\AppData\Local\Temp\ytihrngwtkhcqaillkc.exe
  "C:\Users\Admin\AppData\Local\Temp\ytihrngwtkhcqaillkc.exe" .
  2⤵
  PID:1276
- - C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
    "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\users\admin\appdata\local\temp\ytihrngwtkhcqaillkc.exe*."
    3⤵
    PID:1316

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1896
- C:\Windows\ytihrngwtkhcqaillkc.exe
  "C:\Windows\ytihrngwtkhcqaillkc.exe" .
  2⤵
  PID:972
- - C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
    "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\windows\ytihrngwtkhcqaillkc.exe*."
    3⤵
    PID:1840
- C:\Users\Admin\AppData\Local\Temp\ytihrngwtkhcqaillkc.exe
  "C:\Users\Admin\AppData\Local\Temp\ytihrngwtkhcqaillkc.exe" .
  2⤵
  PID:964
- - C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
    "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\users\admin\appdata\local\temp\ytihrngwtkhcqaillkc.exe*."
    3⤵
    PID:1984

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2204
- C:\Windows\ytihrngwtkhcqaillkc.exe
  "C:\Windows\ytihrngwtkhcqaillkc.exe" .
  2⤵
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
    "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\windows\ytihrngwtkhcqaillkc.exe*."
    3⤵
    PID:1744
- C:\Users\Admin\AppData\Local\Temp\axopbzumledaqcmrtuolc.exe
  "C:\Users\Admin\AppData\Local\Temp\axopbzumledaqcmrtuolc.exe" .
  2⤵
  PID:2692
- - C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
    "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\users\admin\appdata\local\temp\axopbzumledaqcmrtuolc.exe*."
    3⤵
    PID:1596

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2632
- C:\Windows\lhxxifzqogeapajnoohd.exe
  "C:\Windows\lhxxifzqogeapajnoohd.exe" .
  2⤵
  PID:1584
- - C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
    "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\windows\lhxxifzqogeapajnoohd.exe*."
    3⤵
    PID:2772
- C:\Users\Admin\AppData\Local\Temp\axopbzumledaqcmrtuolc.exe
  "C:\Users\Admin\AppData\Local\Temp\axopbzumledaqcmrtuolc.exe" .
  2⤵
  PID:2892
- - C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
    "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\users\admin\appdata\local\temp\axopbzumledaqcmrtuolc.exe*."
    3⤵
    PID:1512

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2688
- C:\Windows\nhvtcxpeaqmgtcjlki.exe
  "C:\Windows\nhvtcxpeaqmgtcjlki.exe" .
  2⤵
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
    "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\windows\nhvtcxpeaqmgtcjlki.exe*."
    3⤵
    PID:1292
- C:\Users\Admin\AppData\Local\Temp\lhxxifzqogeapajnoohd.exe
  "C:\Users\Admin\AppData\Local\Temp\lhxxifzqogeapajnoohd.exe" .
  2⤵
  PID:1812
- - C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe
    "C:\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe" "c:\users\admin\appdata\local\temp\lhxxifzqogeapajnoohd.exe*."
    3⤵
    PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\fjhpinpouuaebulxgoptrzsx.yee

Filesize
272B

MD5
87aa3ba0da167a6b9b65134de5ce369e

SHA1
bc91bd905730d7b3bacf1767d00cfe9fb52c5058

SHA256
f3fa9b86cffb83e2626cd9a4bb3068cf0a299aa812a4788ecd41c21f49316c68

SHA512
872d119094cec29a0e849fef2aae495b91845611b928fe0e22cd1a8a61c9520aef89a0cf8580844e1996eba003c5727d90c6163510e7fa464ffa2bffb7bf0c3d

Download Submit
C:\Program Files (x86)\fjhpinpouuaebulxgoptrzsx.yee

Filesize
272B

MD5
440a51c97d6d23242c6a6f351ddbb1cd

SHA1
b2d35873b40fb8036670b9948d4de1d39cb4c2df

SHA256
3efad29b54a695ea647c6920e1886cfcda253d1e04f9517f2f6444ee1f947667

SHA512
34d518dedbda05e0e305afd0e1d5dd33c137ad61abc39e9a0a7bc39989f05746daffbb234b5fb0281cc7f8086e275ea07098c5ebb958b66b9aa3d370913a1b4b

Download Submit
C:\Program Files (x86)\fjhpinpouuaebulxgoptrzsx.yee

Filesize
272B

MD5
ec6e1736c3f66417c2f761c4d30089cd

SHA1
ffc557afbac3903d8fd84dff1e8aedfcddcbaac8

SHA256
25b7562a47086db43a6b01cce5116ef3a1be1f08ac12effaf34382fd6dedae56

SHA512
4d4a54455e41de7826881595c7ef39c90790333d79c4433413a75404d6932d3c7a7c1c15800ef748595808fb294af01cbb9584e5adbdc552d7615befe7c20da2

Download Submit
C:\Program Files (x86)\fjhpinpouuaebulxgoptrzsx.yee

Filesize
272B

MD5
dd9a28805c1a1626d4d8e46438b670f3

SHA1
c7dabe99ed347b82fb00724aa3b3a3dc04692024

SHA256
8f9e4706d999b38874ced066500f366ddb4b443952afe2a3f06794dc06320453

SHA512
6f85c4464f7ca57dc07e70d34ef248ac1893787ada18efff7df1a6fbbab6383bc25560ff0165088f5908798e8c5f06c94ebd8244d8b27cd080657c381eb3558d

Download Submit
C:\Users\Admin\AppData\Local\fjhpinpouuaebulxgoptrzsx.yee

Filesize
272B

MD5
275a0c8851271bf188c15ad9895bdcde

SHA1
491a0f45620a4536281314f9b7311e5df9199b26

SHA256
bad4c58457f91b4497fe27ff3aa285d77dbce44eb18dd1597e0d17c040b4781f

SHA512
72117f81d5e25b3e87cfbb4f5a7dbbbfdca2e71e34852c104238ad8e496d2f50c481fe4826942442304f50f2829c6f7ddd525f280e9ccfade18e359c2ddadc6c

Download Submit
C:\Users\Admin\AppData\Local\fjhpinpouuaebulxgoptrzsx.yee

Filesize
272B

MD5
045bb95ea9ba109489276384ea70d6eb

SHA1
627c92a495ddd36d5eeb36684525e7acca8b24ad

SHA256
f4116334d947f1cc21b97cfb2378fa7357819fa66594ac3569f8bccdf8ce5609

SHA512
0891d8e341042c6dc64714598a9997699ab5a4382ad6388f1e6b1ff54492b5b8a6dd961b710a3d2566a8e17f34c1d906503305ce53ecfe39d13b718ad4e1e5d9

Download Submit
C:\Users\Admin\AppData\Local\fjhpinpouuaebulxgoptrzsx.yee

Filesize
272B

MD5
96b22f2ed9f03e206dc872605ca01228

SHA1
a0cc4dd3ea5a7ec2fcc6625add77d91d29601ac0

SHA256
1e17151b34398c49de017f2b58b9a35aa15b4227fe7125ddc3f119cfdb599410

SHA512
30095e65a2359712c04a0b97c5dd8ebe6a33c9ab62e29a7f91c3d5934f0955eeb4513cca48bb8d4fe693456f46fb0102ff74befcba7ef15bd4e9675b80062939

Download Submit
C:\Users\Admin\AppData\Local\odmfjzmwnypemqspjcodmfjzmwnypemqspj.odm

Filesize
3KB

MD5
630bf42772d06571a0d4f56282236f2e

SHA1
54fdaa0f4a640387b1ce925a6ffa77edd5e4aa7e

SHA256
bcddc79bde63bea5a54c3303c4e94d5f9cbc0790f07f49fd7bd30d35eed1dc30

SHA512
602ea10b7fad358cf397f6a2c95b774d32b45d6ccf8452630cd541d92c5e1b2bbe252c48a422c06484d9fa29bf40711e4dc71b7b7d87a3e7e0d3000fc4592361

Download Submit
C:\Windows\SysWOW64\nhvtcxpeaqmgtcjlki.exe

Filesize
496KB

MD5
8e7dcdbbca7e276cd14b97d88d2b92ca

SHA1
c1f04482270dd3685f0f4fe90d049bb0b1604614

SHA256
c26f5632fb49cb95cf5f29e95b8973e1a246ba425258a6b4cce07fe00a142bb9

SHA512
6388db8ca9165abee847a5403caa49d4af891ee769a89bdf6930e6b9da25599854c854a8151410ad3fe30fb8b6ce4cb23fa23d7a905b79f9c9c74884d9dfeb09

Download Submit
\Users\Admin\AppData\Local\Temp\ltvhen.exe

Filesize
716KB

MD5
6b7ee1bbe719218756487239a8bc6f5d

SHA1
4469a7fe273327d1554c6af671bd58b7777894f7

SHA256
85779261e19181dbf017ab122b1132a678156229cda04e08a8cd460dfb10ab89

SHA512
7c40194e2298a7b2bc9f7cfb709f15353c9d1111746e550de90340344ec3a93f8f6d6b3a5c8d95bc2c9f71a4fa0e172571630adab3a6c250a23aaf12d01432b8

Download Submit
\Users\Admin\AppData\Local\Temp\tgmoojbsdqw.exe

Filesize
320KB

MD5
5203b6ea0901877fbf2d8d6f6d8d338e

SHA1
c803e92561921b38abe13239c1fd85605b570936

SHA256
0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060

SHA512
d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471

Download Submit
memory/600-401-0x0000000004550000-0x0000000004551000-memory.dmp

Filesize
4KB

Download
memory/1896-435-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/2228-186-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/2632-499-0x0000000004650000-0x0000000004651000-memory.dmp

Filesize
4KB

Download