Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/04/2025, 07:53
Behavioral task: behavioral1
Sample: JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Resource: win10v2004-20250314-en
General
Target: JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Size: 720KB
MD5: ad7f50f41c1d9410542b2565277c0c93
SHA1: ec5e1fcb09fe8530b250ae286d757355ad4215a7
SHA256: 2304b24975f5e9e4a21cd2b8af9e026f5a815eb10034e155d666ae34907b0543
SHA512: 795049925a8c6ab53f384c3c888e41f97b6044ad6a132e52b02e60281bb354da0fa9f04d8f74219d7bd8223645f93c4d9b0af9cdf9c8699bb4bbc5597036d9b6
SSDEEP: 12288:VXgvmzFHi0mo5aH0qMzd5807FULPJQPDHvd:VXgvOHi0mGaH0qSdPFUt4V
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | bdkss.exe
Note: the data written is "Explorer.exe", the stock shell, and it lands in the WOW6432Node view because the sample runs as a 32-bit process (see the SysWOW64 and Program Files (x86) drops below). These three writes by themselves do not change what Winlogon launches; on an infected host, also check the Shell and Userinit values of the native Winlogon key.
UAC bypass (3 TTPs, 12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Adds policy Run key to start application (2 TTPs, 28 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbocirknalx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btqoexankfbzcnauiqphe.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbrirdzfvjyplp = "yldwhvtbtjatrxfu.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbocirknalx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdzwldfrnhczblxqdkiz.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbocirknalx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yldwhvtbtjatrxfu.exe" | bdkss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbocirknalx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yldwhvtbtjatrxfu.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbrirdzfvjyplp = "zpkgulmxslfbclwoagd.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbocirknalx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ftmgshgpizrlkraqa.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbrirdzfvjyplp = "odxsfvvfzrkffnxoze.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbocirknalx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odxsfvvfzrkffnxoze.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbrirdzfvjyplp = "ftmgshgpizrlkraqa.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbrirdzfvjyplp = "odxsfvvfzrkffnxoze.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbocirknalx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdzwldfrnhczblxqdkiz.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbocirknalx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpkgulmxslfbclwoagd.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbocirknalx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odxsfvvfzrkffnxoze.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbrirdzfvjyplp = "yldwhvtbtjatrxfu.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbrirdzfvjyplp = "ftmgshgpizrlkraqa.exe" | bdkss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbrirdzfvjyplp = "mdzwldfrnhczblxqdkiz.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbrirdzfvjyplp = "btqoexankfbzcnauiqphe.exe" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbrirdzfvjyplp = "zpkgulmxslfbclwoagd.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbocirknalx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btqoexankfbzcnauiqphe.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbrirdzfvjyplp = "mdzwldfrnhczblxqdkiz.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbocirknalx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpkgulmxslfbclwoagd.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbrirdzfvjyplp = "yldwhvtbtjatrxfu.exe" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbocirknalx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ftmgshgpizrlkraqa.exe" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbrirdzfvjyplp = "btqoexankfbzcnauiqphe.exe" | bdkss.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bdkss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bdkss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bdkss.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Executes dropped EXE (2 IoCs)
pid | Process
3600 | bdkss.exe
4924 | bdkss.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | bdkss.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | bdkss.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | bdkss.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | bdkss.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | bdkss.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | bdkss.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzoemxsxmzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdzwldfrnhczblxqdkiz.exe ." | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\odxsfvvfzrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdzwldfrnhczblxqdkiz.exe" | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfwoylipgvldafm = "zpkgulmxslfbclwoagd.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ftmgshgpizrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yldwhvtbtjatrxfu.exe ." | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yldwhvtbtjatrxfu = "ftmgshgpizrlkraqa.exe ." | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\odxsfvvfzrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btqoexankfbzcnauiqphe.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ftmgshgpizrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ftmgshgpizrlkraqa.exe ." | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\odxsfvvfzrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpkgulmxslfbclwoagd.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzncjtnrfret = "odxsfvvfzrkffnxoze.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\odxsfvvfzrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yldwhvtbtjatrxfu.exe" | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qzncjtnrfret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yldwhvtbtjatrxfu.exe" | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfwoylipgvldafm = "btqoexankfbzcnauiqphe.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzoemxsxmzndy = "mdzwldfrnhczblxqdkiz.exe ." | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qzncjtnrfret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpkgulmxslfbclwoagd.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzoemxsxmzndy = "odxsfvvfzrkffnxoze.exe ." | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzncjtnrfret = "ftmgshgpizrlkraqa.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzoemxsxmzndy = "zpkgulmxslfbclwoagd.exe ." | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzoemxsxmzndy = "odxsfvvfzrkffnxoze.exe ." | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yldwhvtbtjatrxfu = "yldwhvtbtjatrxfu.exe ." | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzncjtnrfret = "btqoexankfbzcnauiqphe.exe" | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzoemxsxmzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ftmgshgpizrlkraqa.exe ." | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzncjtnrfret = "ftmgshgpizrlkraqa.exe" | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfwoylipgvldafm = "ftmgshgpizrlkraqa.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\odxsfvvfzrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odxsfvvfzrkffnxoze.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzoemxsxmzndy = "ftmgshgpizrlkraqa.exe ." | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfwoylipgvldafm = "mdzwldfrnhczblxqdkiz.exe" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzoemxsxmzndy = "ftmgshgpizrlkraqa.exe ." | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfwoylipgvldafm = "odxsfvvfzrkffnxoze.exe" | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yldwhvtbtjatrxfu = "odxsfvvfzrkffnxoze.exe ." | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pzoemxsxmzndy = "btqoexankfbzcnauiqphe.exe ." | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ftmgshgpizrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ftmgshgpizrlkraqa.exe ." | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\odxsfvvfzrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btqoexankfbzcnauiqphe.exe" | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yldwhvtbtjatrxfu = "btqoexankfbzcnauiqphe.exe ." | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yldwhvtbtjatrxfu = "odxsfvvfzrkffnxoze.exe ." | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfwoylipgvldafm = "mdzwldfrnhczblxqdkiz.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ftmgshgpizrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpkgulmxslfbclwoagd.exe ." | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qzncjtnrfret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdzwldfrnhczblxqdkiz.exe" | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yldwhvtbtjatrxfu = "zpkgulmxslfbclwoagd.exe ." | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\odxsfvvfzrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odxsfvvfzrkffnxoze.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzncjtnrfret = "ftmgshgpizrlkraqa.exe" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qzncjtnrfret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdzwldfrnhczblxqdkiz.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\odxsfvvfzrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ftmgshgpizrlkraqa.exe" | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yldwhvtbtjatrxfu = "mdzwldfrnhczblxqdkiz.exe ." | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qzncjtnrfret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btqoexankfbzcnauiqphe.exe" | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzoemxsxmzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpkgulmxslfbclwoagd.exe ." | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\odxsfvvfzrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdzwldfrnhczblxqdkiz.exe" | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzoemxsxmzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yldwhvtbtjatrxfu.exe ." | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzncjtnrfret = "yldwhvtbtjatrxfu.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzncjtnrfret = "btqoexankfbzcnauiqphe.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\odxsfvvfzrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpkgulmxslfbclwoagd.exe" | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzoemxsxmzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpkgulmxslfbclwoagd.exe ." | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yldwhvtbtjatrxfu = "ftmgshgpizrlkraqa.exe ." | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzncjtnrfret = "zpkgulmxslfbclwoagd.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzncjtnrfret = "odxsfvvfzrkffnxoze.exe" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qzncjtnrfret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yldwhvtbtjatrxfu.exe" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzncjtnrfret = "mdzwldfrnhczblxqdkiz.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ftmgshgpizrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yldwhvtbtjatrxfu.exe ." | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qzncjtnrfret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odxsfvvfzrkffnxoze.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\odxsfvvfzrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ftmgshgpizrlkraqa.exe" | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzncjtnrfret = "yldwhvtbtjatrxfu.exe" | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfwoylipgvldafm = "btqoexankfbzcnauiqphe.exe" | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzoemxsxmzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odxsfvvfzrkffnxoze.exe ." | bdkss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzncjtnrfret = "zpkgulmxslfbclwoagd.exe" | bdkss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qzncjtnrfret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odxsfvvfzrkffnxoze.exe" | bdkss.exe
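The Run and RunOnce writes above, the Policies\Explorer\Run writes and the Winlogon\Shell writes all share one shape: a random-looking value name pointing at one of six random-looking executables, given either as a full path under the user's Temp directory or as a bare file name, with the RunOnce entries carrying a trailing " ." argument. The script below is an added example, not part of the report or the sample: it parses rows in the report's own row format, folds the WOW6432Node view into the native location, de-duplicates the repeated rows, and tags each distinct autostart entry with those traits. The vowel-ratio threshold in looks_random and the trait names are this example's own assumptions, and the sample rows are copied from the report.

```python
"""Triage the autostart registry writes listed in a sandbox report.

Added example, not part of the report or the sample. SAMPLE_ROWS are copied
from the report's Run key, policy Run key and WinLogon signatures (one
duplicate and two non-autostart rows included on purpose); the heuristics
and thresholds below are this example's own assumptions.
"""
import re
from collections import Counter

# One row as the report prints it: <op> <registry path>[ = "<value>"] <process>.
# The path may contain spaces ("Windows NT"), so it is matched lazily.
ROW = re.compile(
    r'^(?P<op>Set value \((?P<type>str|int)\)|Key created|Key deleted|'
    r'Key value queried|Key opened) (?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*)")? (?P<proc>\S+)$'
)

# Autostart locations, matched on the key tail once WOW6432Node is removed.
AUTOSTART = [
    ("\\Policies\\Explorer\\Run", "Policies\\Explorer\\Run"),
    ("\\CurrentVersion\\RunOnce", "RunOnce"),
    ("\\CurrentVersion\\Run", "Run"),
    ("\\CurrentVersion\\Winlogon", "Winlogon"),
]

def looks_random(name):
    """Crude heuristic: at least 10 lowercase ASCII letters with few vowels."""
    if len(name) < 10 or not (name.isascii() and name.isalpha() and name.islower()):
        return False
    return sum(c in "aeiou" for c in name) / len(name) <= 0.35

def parse_row(row):
    """Split one report row into op/hive/key/name/value/proc/location, or None."""
    m = ROW.match(row)
    if not m:
        return None
    d = m.groupdict()
    key, _, d["name"] = d["path"].rpartition("\\")
    d["key"] = key.replace("\\WOW6432Node", "")   # fold the 32-bit view into the native path
    d["hive"] = "HKLM" if d["path"].split("\\")[2] == "MACHINE" else "HKU"
    d["value"] = (d["value"] or "").replace("\\\\", "\\")  # the report prints "\\" per backslash
    d["location"] = next((loc for tail, loc in AUTOSTART if d["key"].endswith(tail)), None)
    return d

def triage_autostart(rows):
    """Return one finding per distinct autostart value write, tagged with traits."""
    seen, findings = set(), []
    for row in rows:
        d = parse_row(row)
        if not d or not d["location"] or not d["op"].startswith("Set value"):
            continue
        if d["location"] == "Winlogon" and d["name"] not in ("Shell", "Userinit"):
            continue
        ident = (d["hive"], d["location"], d["name"], d["value"], d["proc"])
        if ident in seen:                      # the report repeats rows per process instance
            continue
        seen.add(ident)
        target = d["value"][:-2] if d["value"].endswith(" .") else d["value"]
        stem = target.rsplit("\\", 1)[-1]
        stem = stem[:-4] if stem.lower().endswith(".exe") else stem
        traits = []
        if d["location"] == "Winlogon":
            traits.append("winlogon_shell")
            if target.lower() == "explorer.exe":
                traits.append("default_shell_value")  # same data as the stock shell
        if looks_random(d["name"]):
            traits.append("random_value_name")
        if looks_random(stem):
            traits.append("random_target_name")
        if d["location"] != "Winlogon" and "\\" not in target:
            traits.append("bare_filename")        # resolved via the search path, not a fixed path
        if "\\appdata\\local\\temp\\" in target.lower():
            traits.append("user_temp_target")
        if d["value"].endswith(" ."):
            traits.append("trailing_dot_argument")
        findings.append({"hive": d["hive"], "location": d["location"], "name": d["name"],
                         "target": target, "process": d["proc"], "traits": traits})
    return findings

def trait_counts(findings):
    return Counter(t for f in findings for t in f["traits"])

SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bdkss.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbocirknalx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btqoexankfbzcnauiqphe.exe" bdkss.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qbrirdzfvjyplp = "yldwhvtbtjatrxfu.exe" bdkss.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pzoemxsxmzndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdzwldfrnhczblxqdkiz.exe ." bdkss.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\odxsfvvfzrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdzwldfrnhczblxqdkiz.exe" bdkss.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\odxsfvvfzrkffnxoze = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdzwldfrnhczblxqdkiz.exe" bdkss.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfwoylipgvldafm = "zpkgulmxslfbclwoagd.exe" bdkss.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ftmgshgpizrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yldwhvtbtjatrxfu.exe ." bdkss.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bdkss.exe',
]

if __name__ == "__main__":
    for f in triage_autostart(SAMPLE_ROWS):
        print(f"{f['hive']} {f['location']}\\{f['name']} -> {f['target']}  [{', '.join(f['traits'])}]")
```

Running it against the full signature tables rather than SAMPLE_ROWS collapses the 64 Run/RunOnce rows to the handful of distinct (hive, location, name, target) entries the two processes actually keep rewriting, which is the list worth carrying into a host sweep.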
Checks whether UAC is enabled (1 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bdkss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bdkss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bdkss.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Possibly turns off User Account Control's elevation prompt for application installers run by standard users (EnableInstallerDetection = 0).
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | bdkss.exe
Looks up external IP address via web service (8 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
30 | whatismyip.everdot.org
32 | whatismyipaddress.com
39 | www.showmyipaddress.com
45 | whatismyip.everdot.org
49 | www.whatismyip.ca
51 | whatismyip.everdot.org
56 | whatismyip.everdot.org
60 | www.whatismyip.ca
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\gfjollvptvydnfzavkqptyvv.zdf | bdkss.exe
File created | C:\Windows\SysWOW64\gfjollvptvydnfzavkqptyvv.zdf | bdkss.exe
File opened for modification | C:\Windows\SysWOW64\pzoemxsxmzndybgsyypzoemxsxmzndybgsy.pzo | bdkss.exe
File created | C:\Windows\SysWOW64\pzoemxsxmzndybgsyypzoemxsxmzndybgsy.pzo | bdkss.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\gfjollvptvydnfzavkqptyvv.zdf | bdkss.exe
File opened for modification | C:\Program Files (x86)\pzoemxsxmzndybgsyypzoemxsxmzndybgsy.pzo | bdkss.exe
File created | C:\Program Files (x86)\pzoemxsxmzndybgsyypzoemxsxmzndybgsy.pzo | bdkss.exe
File opened for modification | C:\Program Files (x86)\gfjollvptvydnfzavkqptyvv.zdf | bdkss.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\gfjollvptvydnfzavkqptyvv.zdf | bdkss.exe
File created | C:\Windows\gfjollvptvydnfzavkqptyvv.zdf | bdkss.exe
File opened for modification | C:\Windows\pzoemxsxmzndybgsyypzoemxsxmzndybgsy.pzo | bdkss.exe
File created | C:\Windows\pzoemxsxmzndybgsyypzoemxsxmzndybgsy.pzo | bdkss.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bdkss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bdkss.exe
Modifies registry class (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Key created | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings | bdkss.exe
Key created | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings | bdkss.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid | Process
4924 | bdkss.exe (20 events, all from this PID)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
3600 | bdkss.exe
4924 | bdkss.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4924 | bdkss.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4988 wrote to memory of 3600 | 4988 | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe | 108
PID 4988 wrote to memory of 3600 | 4988 | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe | 108
PID 4988 wrote to memory of 3600 | 4988 | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe | 108
PID 4988 wrote to memory of 4924 | 4988 | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe | 109
PID 4988 wrote to memory of 4924 | 4988 | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe | 109
PID 4988 wrote to memory of 4924 | 4988 | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe | 109
System policy modification (1 TTPs, 36 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | bdkss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | bdkss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | bdkss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | bdkss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | bdkss.exe
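Across the UAC bypass, Disables RegEdit, Checks whether UAC is enabled, Hijack Execution Flow and System policy modification signatures, both processes rewrite the same set of values under HKLM\...\Policies\System (plus DisableRegistryTools under the user hive and NoDriveTypeAutoRun under Policies\Explorer). The script below is an added example, not part of the report or the sample: it parses those rows, de-duplicates them and flags each against an assumed stock Windows 10 baseline. Two of the writes (FilterAdministratorToken and ValidateAdminCodeSignatures) set the value to what is already its default, which the audit reports as a write without a deviation. live_deviations() applies the same baseline to the host it runs on through the standard-library winreg module and returns None on other platforms. The baseline values and their one-line descriptions are this example's assumption, not something the report states; the sample rows are copied from the report.

```python
"""Audit the UAC and system-policy registry writes listed in a sandbox report.

Added example, not part of the report or the sample. SAMPLE_ROWS are copied
from the report's UAC bypass, Disables RegEdit, Hijack Execution Flow and
System policy modification signatures. BASELINE is the stock Windows 10
default this example assumes for each value; replace it with your own build's
baseline before relying on the output.
"""
import re
import sys

# Only integer policy writes are audited; reads and key creations are skipped.
INT_ROW = re.compile(
    r'^Set value \(int\) \\REGISTRY\\(?P<hive>MACHINE|USER\\[^\\]+)'
    r'\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\(?P<name>\S+)'
    r' = "(?P<value>-?\d+)" (?P<proc>\S+)$'
)

# value name -> (assumed default, what the value controls)
BASELINE = {
    "System\\EnableLUA": (1, "Admin Approval Mode; 0 turns UAC off"),
    "System\\ConsentPromptBehaviorAdmin": (5, "admin elevation prompt; 0 elevates silently"),
    "System\\ConsentPromptBehaviorUser": (3, "standard-user elevation prompt; 0 auto-denies"),
    "System\\PromptOnSecureDesktop": (1, "elevation prompts on the secure desktop"),
    "System\\EnableInstallerDetection": (1, "installer detection prompts for elevation (1 on Home/Pro)"),
    "System\\EnableSecureUIAPaths": (1, "UIAccess apps only from secure locations"),
    "System\\EnableVirtualization": (1, "redirect legacy writes to the per-user virtual store"),
    "System\\FilterAdministratorToken": (0, "Admin Approval Mode for the built-in Administrator"),
    "System\\ValidateAdminCodeSignatures": (0, "require signed executables to elevate"),
    "System\\DisableRegistryTools": (0, "block regedit; normally absent"),
    "Explorer\\NoDriveTypeAutoRun": (0x91, "drive types with AutoRun disabled; normally absent under HKLM"),
}

def audit_policy_rows(rows):
    """One finding per distinct (hive, value, data, process) write, checked against BASELINE."""
    seen, findings = set(), []
    for row in rows:
        m = INT_ROW.match(row)
        if not m:
            continue
        hive = "HKLM" if m["hive"] == "MACHINE" else "HKU"
        observed = int(m["value"])
        ident = (hive, m["name"], observed, m["proc"])
        if ident in seen:                      # the report repeats rows per process instance
            continue
        seen.add(ident)
        default, meaning = BASELINE.get(m["name"], (None, "not in baseline"))
        findings.append({"hive": hive, "name": m["name"], "observed": observed,
                         "default": default, "process": m["proc"], "meaning": meaning,
                         "deviates": default is not None and observed != default})
    return findings

def live_deviations(baseline=BASELINE):
    """Apply the same baseline to the host this runs on (Windows only, else None)."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library on Windows builds of CPython
    root = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\"
    out = {}
    for name, (default, _) in baseline.items():
        subkey, _, value_name = name.rpartition("\\")
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root + subkey) as k:
                observed, _ = winreg.QueryValueEx(k, value_name)
        except OSError:
            continue                           # key or value absent: the default applies
        if observed != default:
            out[name] = (observed, default)
    return out

SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bdkss.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bdkss.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bdkss.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" bdkss.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" bdkss.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" bdkss.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" bdkss.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" bdkss.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" bdkss.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" bdkss.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" bdkss.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bdkss.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bdkss.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" bdkss.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bdkss.exe',
]

if __name__ == "__main__":
    for f in audit_policy_rows(SAMPLE_ROWS):
        tag = "DEVIATES" if f["deviates"] else "default "
        print(f"{tag} {f['hive']} {f['name']} = {f['observed']} (baseline {f['default']}) by {f['process']}: {f['meaning']}")
```

The baseline is deliberately a plain dict so it can be swapped for an exported GPO result or a golden-image registry dump; the audit itself only needs the value name, the assumed default and the observed data.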
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4988 -
C:\Users\Admin\AppData\Local\Temp\bdkss.exe"C:\Users\Admin\AppData\Local\Temp\bdkss.exe" "-"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- System policy modification
PID:3600
-
-
C:\Users\Admin\AppData\Local\Temp\bdkss.exe"C:\Users\Admin\AppData\Local\Temp\bdkss.exe" "-"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4924
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odxsfvvfzrkffnxoze.exe1⤵PID:5852
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odxsfvvfzrkffnxoze.exe .1⤵PID:1692
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdzwldfrnhczblxqdkiz.exe1⤵PID:2392
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpkgulmxslfbclwoagd.exe .1⤵PID:1296
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdzwldfrnhczblxqdkiz.exe1⤵PID:4740
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btqoexankfbzcnauiqphe.exe .1⤵PID:4904
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yldwhvtbtjatrxfu.exe1⤵PID:6100
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odxsfvvfzrkffnxoze.exe .1⤵PID:3452
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftmgshgpizrlkraqa.exe1⤵PID:980
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftmgshgpizrlkraqa.exe1⤵PID:1188
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yldwhvtbtjatrxfu.exe .1⤵PID:2148
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftmgshgpizrlkraqa.exe .1⤵PID:6020
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odxsfvvfzrkffnxoze.exe1⤵PID:3508
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftmgshgpizrlkraqa.exe1⤵PID:5288
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4148
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdzwldfrnhczblxqdkiz.exe .1⤵PID:1552
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odxsfvvfzrkffnxoze.exe .1⤵PID:6116
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odxsfvvfzrkffnxoze.exe1⤵PID:4472
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odxsfvvfzrkffnxoze.exe1⤵PID:1092
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btqoexankfbzcnauiqphe.exe .1⤵PID:1380
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftmgshgpizrlkraqa.exe1⤵PID:5948
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btqoexankfbzcnauiqphe.exe .1⤵PID:5240
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odxsfvvfzrkffnxoze.exe .1⤵PID:3816
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btqoexankfbzcnauiqphe.exe1⤵PID:1952
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odxsfvvfzrkffnxoze.exe1⤵PID:5964
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftmgshgpizrlkraqa.exe .1⤵PID:4456
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftmgshgpizrlkraqa.exe .1⤵PID:5396
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdzwldfrnhczblxqdkiz.exe1⤵PID:5172
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpkgulmxslfbclwoagd.exe .1⤵PID:4064
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdzwldfrnhczblxqdkiz.exe1⤵PID:1536
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdzwldfrnhczblxqdkiz.exe1⤵PID:6080
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yldwhvtbtjatrxfu.exe1⤵PID:4676
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftmgshgpizrlkraqa.exe .1⤵PID:4892
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe .1⤵PID:4920
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yldwhvtbtjatrxfu.exe1⤵PID:1208
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe .1⤵PID:4748
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe1⤵PID:6100
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe .1⤵PID:5056
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odxsfvvfzrkffnxoze.exe1⤵PID:4836
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btqoexankfbzcnauiqphe.exe1⤵PID:396
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odxsfvvfzrkffnxoze.exe .1⤵PID:4824
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpkgulmxslfbclwoagd.exe .1⤵PID:4444
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yldwhvtbtjatrxfu.exe1⤵PID:3380
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yldwhvtbtjatrxfu.exe1⤵PID:1988
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpkgulmxslfbclwoagd.exe .1⤵PID:2804
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdzwldfrnhczblxqdkiz.exe .1⤵PID:3972
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe1⤵PID:2792
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftmgshgpizrlkraqa.exe1⤵PID:2524
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe .1⤵PID:3948
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe .1⤵PID:3344
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe1⤵PID:1596
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdzwldfrnhczblxqdkiz.exe .1⤵PID:748
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdzwldfrnhczblxqdkiz.exe1⤵PID:3488
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe .1⤵PID:5548
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdzwldfrnhczblxqdkiz.exe1⤵PID:2004
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btqoexankfbzcnauiqphe.exe1⤵PID:2468
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpkgulmxslfbclwoagd.exe .1⤵PID:4456
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btqoexankfbzcnauiqphe.exe .1⤵PID:5824
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpkgulmxslfbclwoagd.exe1⤵PID:5908
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btqoexankfbzcnauiqphe.exe1⤵PID:5712
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btqoexankfbzcnauiqphe.exe .1⤵PID:2608
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odxsfvvfzrkffnxoze.exe .1⤵PID:1640
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpkgulmxslfbclwoagd.exe1⤵PID:2940
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe1⤵PID:4076
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe .1⤵PID:1736
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpkgulmxslfbclwoagd.exe .1⤵PID:4748
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yldwhvtbtjatrxfu.exe1⤵PID:3180
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdzwldfrnhczblxqdkiz.exe .1⤵PID:2296
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftmgshgpizrlkraqa.exe1⤵PID:3992
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpkgulmxslfbclwoagd.exe1⤵PID:3136
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odxsfvvfzrkffnxoze.exe .1⤵PID:1592
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yldwhvtbtjatrxfu.exe .1⤵PID:2684
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdzwldfrnhczblxqdkiz.exe1⤵PID:4124
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftmgshgpizrlkraqa.exe .1⤵PID:4472
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odxsfvvfzrkffnxoze.exe1⤵PID:4880
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odxsfvvfzrkffnxoze.exe1⤵PID:4404
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odxsfvvfzrkffnxoze.exe .1⤵PID:1380
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yldwhvtbtjatrxfu.exe .1⤵PID:4016
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe1⤵PID:1664
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe1⤵PID:4708
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yldwhvtbtjatrxfu.exe .1⤵PID:5860
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odxsfvvfzrkffnxoze.exe .1⤵PID:216
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe1⤵PID:3820
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odxsfvvfzrkffnxoze.exe .1⤵PID:2860
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe1⤵PID:3228
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftmgshgpizrlkraqa.exe1⤵PID:3332
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odxsfvvfzrkffnxoze.exe .1⤵PID:4180
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftmgshgpizrlkraqa.exe .1⤵PID:2880
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpkgulmxslfbclwoagd.exe1⤵PID:3728
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpkgulmxslfbclwoagd.exe .1⤵PID:2416
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdzwldfrnhczblxqdkiz.exe1⤵PID:3604
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdzwldfrnhczblxqdkiz.exe .1⤵PID:2896
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btqoexankfbzcnauiqphe.exe1⤵PID:6096
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftmgshgpizrlkraqa.exe .1⤵PID:5312
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe1⤵PID:2008
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odxsfvvfzrkffnxoze.exe1⤵PID:4500
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe .1⤵PID:5552
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftmgshgpizrlkraqa.exe .1⤵PID:3108
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yldwhvtbtjatrxfu.exe1⤵PID:5972
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odxsfvvfzrkffnxoze.exe .1⤵PID:4988
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yldwhvtbtjatrxfu.exe1⤵PID:3160
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btqoexankfbzcnauiqphe.exe1⤵PID:4504
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe .1⤵PID:2228
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdzwldfrnhczblxqdkiz.exe .1⤵PID:4964
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yldwhvtbtjatrxfu.exe1⤵PID:4856
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btqoexankfbzcnauiqphe.exe .1⤵PID:5276
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yldwhvtbtjatrxfu.exe1⤵PID:2284
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btqoexankfbzcnauiqphe.exe .1⤵PID:2140
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdzwldfrnhczblxqdkiz.exe1⤵PID:1640
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpkgulmxslfbclwoagd.exe .1⤵PID:5204
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdzwldfrnhczblxqdkiz.exe1⤵PID:4364
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdzwldfrnhczblxqdkiz.exe1⤵PID:4396
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdzwldfrnhczblxqdkiz.exe .1⤵PID:4620
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpkgulmxslfbclwoagd.exe1⤵PID:1972
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftmgshgpizrlkraqa.exe .1⤵PID:2276
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yldwhvtbtjatrxfu.exe .1⤵PID:1756
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odxsfvvfzrkffnxoze.exe1⤵PID:1636
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftmgshgpizrlkraqa.exe1⤵PID:3332
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odxsfvvfzrkffnxoze.exe .1⤵PID:5612
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yldwhvtbtjatrxfu.exe .1⤵PID:2036
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odxsfvvfzrkffnxoze.exe1⤵PID:6120
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yldwhvtbtjatrxfu.exe .1⤵PID:60
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yldwhvtbtjatrxfu.exe1⤵PID:2340
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btqoexankfbzcnauiqphe.exe .1⤵PID:5592
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btqoexankfbzcnauiqphe.exe1⤵PID:3828
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yldwhvtbtjatrxfu.exe .1⤵PID:1372
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe1⤵PID:3748
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpkgulmxslfbclwoagd.exe .1⤵PID:3208
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe1⤵PID:3640
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpkgulmxslfbclwoagd.exe1⤵PID:5972
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpkgulmxslfbclwoagd.exe .1⤵PID:528
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftmgshgpizrlkraqa.exe .1⤵PID:4348
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftmgshgpizrlkraqa.exe1⤵PID:3928
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftmgshgpizrlkraqa.exe1⤵PID:5500
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe .1⤵PID:4308
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btqoexankfbzcnauiqphe.exe .1⤵PID:4336
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftmgshgpizrlkraqa.exe1⤵PID:4300
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdzwldfrnhczblxqdkiz.exe .1⤵PID:2988
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpkgulmxslfbclwoagd.exe1⤵PID:4408
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btqoexankfbzcnauiqphe.exe .1⤵PID:5580
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yldwhvtbtjatrxfu.exe1⤵PID:2964
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yldwhvtbtjatrxfu.exe .1⤵PID:1596
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe1⤵PID:2976
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpkgulmxslfbclwoagd.exe .1⤵PID:5764
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yldwhvtbtjatrxfu.exe1⤵PID:4556
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yldwhvtbtjatrxfu.exe1⤵PID:2788
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdzwldfrnhczblxqdkiz.exe .1⤵PID:3176
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdzwldfrnhczblxqdkiz.exe .1⤵PID:544
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdzwldfrnhczblxqdkiz.exe1⤵PID:3852
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odxsfvvfzrkffnxoze.exe1⤵PID:3128
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odxsfvvfzrkffnxoze.exe .1⤵PID:2384
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftmgshgpizrlkraqa.exe .1⤵PID:5256
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odxsfvvfzrkffnxoze.exe1⤵PID:4464
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btqoexankfbzcnauiqphe.exe .1⤵PID:952
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btqoexankfbzcnauiqphe.exe1⤵PID:5960
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftmgshgpizrlkraqa.exe .1⤵PID:1636
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpkgulmxslfbclwoagd.exe1⤵PID:2724
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yldwhvtbtjatrxfu.exe .1⤵PID:6020
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yldwhvtbtjatrxfu.exe1⤵PID:3304
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odxsfvvfzrkffnxoze.exe .1⤵PID:3800
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftmgshgpizrlkraqa.exe1⤵PID:3688
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdzwldfrnhczblxqdkiz.exe1⤵PID:5880
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdzwldfrnhczblxqdkiz.exe .1⤵PID:5020
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftmgshgpizrlkraqa.exe .1⤵PID:2968
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odxsfvvfzrkffnxoze.exe1⤵PID:5720
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe1⤵PID:3884
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odxsfvvfzrkffnxoze.exe .1⤵PID:3516
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftmgshgpizrlkraqa.exe .1⤵PID:4280
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftmgshgpizrlkraqa.exe1⤵PID:1052
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yldwhvtbtjatrxfu.exe .1⤵PID:5876
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpkgulmxslfbclwoagd.exe1⤵PID:4456
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btqoexankfbzcnauiqphe.exe .1⤵PID:2404
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdzwldfrnhczblxqdkiz.exe1⤵PID:3664
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yldwhvtbtjatrxfu.exe .1⤵PID:5948
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdzwldfrnhczblxqdkiz.exe1⤵PID:4476
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpkgulmxslfbclwoagd.exe .1⤵PID:4780
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpkgulmxslfbclwoagd.exe1⤵PID:764
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpkgulmxslfbclwoagd.exe1⤵PID:5852
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftmgshgpizrlkraqa.exe .1⤵PID:4896
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odxsfvvfzrkffnxoze.exe .1⤵PID:792
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdzwldfrnhczblxqdkiz.exe1⤵PID:5028
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yldwhvtbtjatrxfu.exe1⤵PID:2292
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpkgulmxslfbclwoagd.exe .1⤵PID:4920
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yldwhvtbtjatrxfu.exe .1⤵PID:1532
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odxsfvvfzrkffnxoze.exe1⤵PID:5300
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpkgulmxslfbclwoagd.exe .1⤵PID:5380
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpkgulmxslfbclwoagd.exe1⤵PID:4980
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdzwldfrnhczblxqdkiz.exe .1⤵PID:4196
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btqoexankfbzcnauiqphe.exe1⤵PID:4084
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpkgulmxslfbclwoagd.exe .1⤵PID:1232
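Every cmd.exe in the tree above is listed at the top level (the "1⤵" marker) rather than under bdkss.exe, and the same dropped binaries are started again and again, sometimes by bare name (which cmd resolves against its working directory) and sometimes by full path under the user's Temp directory, with and without a trailing "." argument. PIDs also recur within the run (4988 is the sample's PID and later a cmd.exe's; 5852, 6100 and 4456 each appear more than once), so a PID on its own does not identify a process in this log. The script below is an added example, not part of the report or the sample: it takes a subset of the PID and command-line pairs copied from the tree as constructed input, summarizes launches per binary, lists reused PIDs, and applies a name-and-location heuristic that is this example's own assumption, not a sandbox signature.

```python
"""Summarize the cmd.exe /c launches in a sandbox process tree.

Added example, not code from the sandbox or the sample. PROCESSES is a subset of the
(PID, command line) pairs from the report; is_suspicious_launch is this example's own
heuristic and its thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed input: (PID, command line) as listed in the report above (subset).
PROCESSES = [
    (4988, r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ad7f50f41c1d9410542b2565277c0c93.exe"'),
    (3600, r'"C:\Users\Admin\AppData\Local\Temp\bdkss.exe" "-"'),
    (4924, r'"C:\Users\Admin\AppData\Local\Temp\bdkss.exe" "-"'),
    (5852, r'C:\Windows\system32\cmd.exe /c odxsfvvfzrkffnxoze.exe'),
    (1692, r'C:\Windows\system32\cmd.exe /c odxsfvvfzrkffnxoze.exe .'),
    (2392, r'C:\Windows\system32\cmd.exe /c mdzwldfrnhczblxqdkiz.exe'),
    (4740, r'C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdzwldfrnhczblxqdkiz.exe'),
    (4904, r'C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btqoexankfbzcnauiqphe.exe .'),
    (6100, r'C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yldwhvtbtjatrxfu.exe'),
    (980,  r'C:\Windows\system32\cmd.exe /c ftmgshgpizrlkraqa.exe'),
    (6100, r'C:\Windows\system32\cmd.exe /c btqoexankfbzcnauiqphe.exe'),
    (4988, r'C:\Windows\system32\cmd.exe /c odxsfvvfzrkffnxoze.exe .'),
    (5852, r'C:\Windows\system32\cmd.exe /c zpkgulmxslfbclwoagd.exe'),
]

# Matches 'cmd.exe /c <rest>' with or without quotes around the image path.
CMD_C_RE = re.compile(r'^"?(?P<image>[^"]*?\\cmd\.exe)"?\s+/c\s+(?P<rest>.+)$', re.IGNORECASE)
TEMP_DIR = "\\appdata\\local\\temp\\"   # %LOCALAPPDATA%\Temp, lower-cased for comparison


def parse_cmd_target(cmdline):
    """For 'cmd.exe /c <target> [args]' return (target, args); None for anything else."""
    m = CMD_C_RE.match(cmdline.strip())
    if not m:
        return None
    parts = m.group("rest").split()
    return parts[0], parts[1:]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_absolute(path):
    return (len(path) > 1 and path[1] == ":") or path.startswith("\\")


def summarize(processes):
    """Per launched binary: how often, by absolute path vs bare name, and with the trailing '.'."""
    stats = defaultdict(lambda: {"count": 0, "absolute": 0, "relative": 0, "with_dot": 0})
    for _, cmdline in processes:
        parsed = parse_cmd_target(cmdline)
        if not parsed:
            continue
        target, args = parsed
        s = stats[basename(target)]
        s["count"] += 1
        s["absolute" if is_absolute(target) else "relative"] += 1
        if args and args[0] == ".":
            s["with_dot"] += 1
    return dict(stats)


def reused_pids(processes):
    """PIDs seen more than once in the run: correlate by PID plus start time, never PID alone."""
    counts = Counter(pid for pid, _ in processes)
    return {pid: n for pid, n in counts.items() if n > 1}


def is_suspicious_launch(cmdline):
    """Heuristic (assumption): cmd.exe /c starting an .exe that is either a bare name, resolved
    against cmd's working directory, or lives under %LOCALAPPDATA%\\Temp, with a long all-letter
    stem like the dropped files in this report."""
    parsed = parse_cmd_target(cmdline)
    if not parsed:
        return False
    target, _ = parsed
    name = basename(target)
    if not name.endswith(".exe"):
        return False
    stem = name[:-4]
    odd_name = len(stem) >= 14 and stem.isalpha()
    odd_place = (not is_absolute(target)) or TEMP_DIR in target.lower()
    return odd_name and odd_place


if __name__ == "__main__":
    for name, s in sorted(summarize(PROCESSES).items()):
        print(f"{name:<28} {s}")
    print("reused PIDs:", reused_pids(PROCESSES))
    print("flagged:", sum(is_suspicious_launch(c) for _, c in PROCESSES))
```

Because the bare-name launches depend on the working directory of each cmd.exe, a detection built on the command line alone should also capture the current directory field of the process-creation event; without it, `cmd.exe /c odxsfvvfzrkffnxoze.exe` and the full-path form are the same launch seen from two angles.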
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads
-
Filesize
280B
MD5 3e55412c4f43a391fef5fed9d466c37f
SHA1 66f24d592194075a3480f0f2ca5786e84b2647d6
SHA256 e0ec41076be1eb53bb738635f7c8dda9166880d95fe01b0c7bec01f4659009de
SHA512 651b911adaabeeaf32a2ddf52d5e47787d555c82cf2f6caa376a08f736032ab56459e874e981b8293650b7e42b3428dd9d56759b3999453eee2c0d32c920c0ea
-
Filesize
280B
MD5 e85752559888e3e2cfba9946f7daf734
SHA1 9f68d18f7b904c059ccba914fb4790b7bc3a7a57
SHA256 733a5f1cd3c8df20ab95f4fce5ce301e3912638867c7ad86449f7c48182586f2
SHA512 92c1bbe79523c5c4330798f368f707df60b392df7144874c413dfbf664b93bc39ec409ae45da49f5b14ac6f50e6b32a606d6e8f469c6a859ff61d0d43f5d4a9c
-
Filesize
280B
MD5 6376f85d34bcadc1336ba2bcbaa67c81
SHA1 9f65417e5b4e8217a88523b82f5f2ae07b5996c4
SHA256 34101ad84b5b0f6f26594c2c60afa021412d7efa6e663ee60f0330a3dbe4fb7c
SHA512 ac09b555a7b3bb50ad19bde510104c6cb8d87242aa3c658ef68e651eff946154f0a63d74291d3d14661c2d00c998cf3ea0cc8228feb841604a0a8d438c29b0fe
-
Filesize
280B
MD5 8dd2e8001910ab01addf9c9437d77d4c
SHA1 7715393355fed2016725b20fe5b929cc93813e11
SHA256 449182133e2aeb41ecf670fd69e031c7a8c8e0a5e953a26fec05ea4efd07d66d
SHA512 e73cf1e1495ee9e8c21bd9237ebc40ac0d1ba213110ec7108c95a537c220a7d947f0912499f530ea1107cbef4c6f7f228e6b7c90caf9157bc39d639e99a7d58f
-
Filesize
280B
MD5 5e4b16377b0cdee1a200d6d04940a75c
SHA1 8aea2ca05eed9ddeb8ec9ef95cdf144584e95f70
SHA256 e37ad1f7bfe7a6629ba51f119c884303939ca06f722db81d3a509d08bdf6a879
SHA512 5f31f35fdde5c53c180c06867810fc7ed67bfb25f2b5f2923061c652e9438c38267dea3df47d01a36921c688588e2733d123d02f7df413e5172ee32f25e644c3
-
Filesize
280B
MD5 e38917633a051ff08a8e59e5f0bd35cb
SHA1 789b62c8c75b7fcb3f1bef8d002b7ce9a18c6e4f
SHA256 fd022cdc04db9811fcf5394dc496ce0e4eded1d343144e7bde679286bb6260ed
SHA512 baa0cb16aba4f05e65a49e475c6262f169bc0743764fb778b54c04713cb0de9d65ed4db6564357a1cf306364f1303f046d15bee948c565709f18b3ee3be3bea0
-
Filesize
1.3MB
MD5 b3f5515cb112346250cfdc140121be1d
SHA1 284092b1e94e38325e180710f825aaddf3cda552
SHA256 41a3090bc788386fcd6dc186ab09d56d856568fd8a08c46516b23dbd004d3b76
SHA512 e7439e545572b96495b9d39bc25f9d7dc6d66f7d5e1ca34a3b61733e45820bcdf7c09daebac668e7260df5f1a8a6f113ab4122690fe126a51f6aac46a2f43bd0
-
Filesize
1.3MB
MD5 cc36a4be8ad407c3d9223cf71f08dd45
SHA1 f98691efa8a53dba52198469c96055b10a42376b
SHA256 705f4d273dd9474bfc93e310c4b38eafdd945d65ce67fe43bcf5eddf8b0c857b
SHA512 4051e89831a9318191f9eae1ed6cf6bc8733e0cad10e2c614ffab453bfb30162d761cfa854e14e8d51cd718846a85bd7b4f62bd4755a2bd4f0792b13a564fa0a
-
Filesize
280B
MD5 281881506ca1f1b9a87b3924bebf5a44
SHA1 b10373993d810d7e99ebbce5a1a82ca77f46c800
SHA256 d04d4811111467a3a30aa77361df7508c67a7034e321ed973892ce6d5d9072c3
SHA512 f8d7a4d25c75b0d52df9a3bee158be5be759918b78d9bf881385b7258044a937d263c6ff2e14b7fa4d389fe8abf263615702b50600fe29125eede3bd119e10a7
-
Filesize
280B
MD5 001cc70baba0717b63063b2b2561c327
SHA1 96d389bb5bd6a6a1856f07bedc7ea5e8d11cacdb
SHA256 8f775c658d679cfa569b1d772b48214bd6a89b11c4a7b3e32d45bd5e39254ece
SHA512 b6860ae5ac93f2d265997d3a1a7692d884a108fd7d98e6ea95d259f44155d0992bf067348141e8ebae5ce1ac2547dbe7d3be53c3f7370b5dcd73717220b42938
-
Filesize
4KB
MD5 d5b95fe95679e5decb1bdc8c7e10bc43
SHA1 9a58efa1d551bb3086312fd3e64abd29174877f2
SHA256 deee563429823e7705baee1ba2aed4a0a5a0dafda0c233a13387db1892e26a21
SHA512 cc29c9097ba7f6b7d30e9d6f72b5979bbf11b65c680508c52a5efdb06f31446fddb35781b0dbdad870dae5c39db03b9cc70bd85c92b0d73e3ff5c6bb77077663