Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20250410-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/04/2025, 17:22

Behavioral task: behavioral1
- Sample: JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe
- Resource: win10v2004-20250410-en

General
- Target: JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe
- Size: 320KB
- MD5: af48005ddcc2ad191061f65097eff80b
- SHA1: 34fcb5d6a5027acad095d88536743b90cca1219f
- SHA256: 301cd9d85ace67c1d56b5a62afe74a059deca953f17295f1a687408c6e761cd8
- SHA512: 59996b2b0c84bfc46edefa4847536d1878ffdddd40976c7aff003f01320b4c9d08bbe2deefaf02376dcc2b7072db436959f8bdf86401046e416ebee5f86519a5
- SSDEEP: 6144:PTwZo1IV3puaibGKFHi0mofhaH05kipz016580bHFbl86JQPDHDdx/QtqR:LXgvmzFHi0mo5aH0qMzd5807FRPJQPDV
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
Pykspa family
UAC bypass (3 TTPs, 12 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (xdmqwjn.exe)
Detect Pykspa worm (1 IoCs)
- YARA rule family_pykspa matched resource behavioral1/files/0x000700000002420e-8.dat
Adds policy Run key to start application (2 TTPs, 27 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wfryhxeobf = "mdxmdbqidppcfqzzav.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wfryhxeobf = "kdzqjjaurfhwbozbebgz.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xdmqwjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpkasrhawjkycoyzbxb.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xdmqwjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpkasrhawjkycoyzbxb.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wfryhxeobf = "dtmaqnbsmxwikucbb.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wfryhxeobf = "xpkasrhawjkycoyzbxb.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wfryhxeobf = "xpkasrhawjkycoyzbxb.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wfryhxeobf = "mdxmdbqidppcfqzzav.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xdmqwjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdxmdbqidppcfqzzav.exe" (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wfryhxeobf = "kdzqjjaurfhwbozbebgz.exe" (xdmqwjn.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xdmqwjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdxmdbqidppcfqzzav.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xdmqwjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztqicdvqodgwcqcfjhnhe.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xdmqwjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdzqjjaurfhwbozbebgz.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xdmqwjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdxmdbqidppcfqzzav.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wfryhxeobf = "ztqicdvqodgwcqcfjhnhe.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wfryhxeobf = "ztqicdvqodgwcqcfjhnhe.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xdmqwjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztqicdvqodgwcqcfjhnhe.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wfryhxeobf = "dtmaqnbsmxwikucbb.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xdmqwjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdzqjjaurfhwbozbebgz.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xdmqwjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtmaqnbsmxwikucbb.exe" (xdmqwjn.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wfryhxeobf = "dtmaqnbsmxwikucbb.exe" (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xdmqwjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtmaqnbsmxwikucbb.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xdmqwjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wldqfboexhfqrahf.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wfryhxeobf = "wldqfboexhfqrahf.exe" (xdmqwjn.exe)
Disables RegEdit via registry modification (6 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (xdmqwjn.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (xdmqwjn.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
- Key value queried: \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
Executes dropped EXE (2 IoCs)
- PID 5460: xdmqwjn.exe
- PID 5976: xdmqwjn.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys (xdmqwjn.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc (xdmqwjn.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager (xdmqwjn.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys (xdmqwjn.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc (xdmqwjn.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power (xdmqwjn.exe)
Adds Run key to start application (2 TTPs, 64 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dlwckzfoa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdzqjjaurfhwbozbebgz.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nzoykdnaqxsay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdxmdbqidppcfqzzav.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rbowgxfqejc = "mdxmdbqidppcfqzzav.exe" (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rbowgxfqejc = "xpkasrhawjkycoyzbxb.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nzoykdnaqxsay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtmaqnbsmxwikucbb.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtdipdiq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztqicdvqodgwcqcfjhnhe.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obrcpjuizhdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wldqfboexhfqrahf.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nzoykdnaqxsay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wldqfboexhfqrahf.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rbowgxfqejc = "kdzqjjaurfhwbozbebgz.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nzoykdnaqxsay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpkasrhawjkycoyzbxb.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obrcpjuizhdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtmaqnbsmxwikucbb.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oznwhziujpjq = "dtmaqnbsmxwikucbb.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtdipdiq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdxmdbqidppcfqzzav.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nzoykdnaqxsay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpkasrhawjkycoyzbxb.exe ." (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oznwhziujpjq = "kdzqjjaurfhwbozbebgz.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dlwckzfoa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtmaqnbsmxwikucbb.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtdipdiq = "kdzqjjaurfhwbozbebgz.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rbowgxfqejc = "mdxmdbqidppcfqzzav.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obrcpjuizhdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpkasrhawjkycoyzbxb.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nzoykdnaqxsay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdzqjjaurfhwbozbebgz.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dlwckzfoa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdxmdbqidppcfqzzav.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oznwhziujpjq = "xpkasrhawjkycoyzbxb.exe ." (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oznwhziujpjq = "xpkasrhawjkycoyzbxb.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtdipdiq = "mdxmdbqidppcfqzzav.exe" (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dlwckzfoa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpkasrhawjkycoyzbxb.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dlwckzfoa = "dtmaqnbsmxwikucbb.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nzoykdnaqxsay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdxmdbqidppcfqzzav.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dlwckzfoa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztqicdvqodgwcqcfjhnhe.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nzoykdnaqxsay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wldqfboexhfqrahf.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dlwckzfoa = "mdxmdbqidppcfqzzav.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nzoykdnaqxsay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztqicdvqodgwcqcfjhnhe.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dlwckzfoa = "xpkasrhawjkycoyzbxb.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oznwhziujpjq = "kdzqjjaurfhwbozbebgz.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obrcpjuizhdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtmaqnbsmxwikucbb.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtdipdiq = "mdxmdbqidppcfqzzav.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oznwhziujpjq = "ztqicdvqodgwcqcfjhnhe.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dlwckzfoa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdxmdbqidppcfqzzav.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dlwckzfoa = "mdxmdbqidppcfqzzav.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obrcpjuizhdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wldqfboexhfqrahf.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rbowgxfqejc = "xpkasrhawjkycoyzbxb.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtdipdiq = "ztqicdvqodgwcqcfjhnhe.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obrcpjuizhdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdzqjjaurfhwbozbebgz.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nzoykdnaqxsay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtmaqnbsmxwikucbb.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtdipdiq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtmaqnbsmxwikucbb.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtdipdiq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpkasrhawjkycoyzbxb.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dlwckzfoa = "ztqicdvqodgwcqcfjhnhe.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dlwckzfoa = "wldqfboexhfqrahf.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obrcpjuizhdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztqicdvqodgwcqcfjhnhe.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obrcpjuizhdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztqicdvqodgwcqcfjhnhe.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oznwhziujpjq = "dtmaqnbsmxwikucbb.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtdipdiq = "xpkasrhawjkycoyzbxb.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dlwckzfoa = "dtmaqnbsmxwikucbb.exe ." (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtdipdiq = "xpkasrhawjkycoyzbxb.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oznwhziujpjq = "wldqfboexhfqrahf.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtdipdiq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdxmdbqidppcfqzzav.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtdipdiq = "dtmaqnbsmxwikucbb.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dlwckzfoa = "xpkasrhawjkycoyzbxb.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtdipdiq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtmaqnbsmxwikucbb.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nzoykdnaqxsay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztqicdvqodgwcqcfjhnhe.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtdipdiq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdzqjjaurfhwbozbebgz.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtdipdiq = "wldqfboexhfqrahf.exe" (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dlwckzfoa = "wldqfboexhfqrahf.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nzoykdnaqxsay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpkasrhawjkycoyzbxb.exe ." (xdmqwjn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obrcpjuizhdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kdzqjjaurfhwbozbebgz.exe" (xdmqwjn.exe)
Checks whether UAC is enabled (1 TTPs, 6 IoCs)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (xdmqwjn.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (xdmqwjn.exe)
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users.
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" (xdmqwjn.exe)
Looks up external IP address via web service (6 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 15: whatismyip.everdot.org
- flow 17: whatismyipaddress.com
- flow 20: www.whatismyip.ca
- flow 23: www.showmyipaddress.com
- flow 30: www.whatismyip.ca
- flow 34: www.whatismyip.ca
Drops file in System32 directory (4 IoCs)
- File opened for modification: C:\Windows\SysWOW64\efjijrqsxtdaniblwboptstb.chd (xdmqwjn.exe)
- File created: C:\Windows\SysWOW64\efjijrqsxtdaniblwboptstb.chd (xdmqwjn.exe)
- File opened for modification: C:\Windows\SysWOW64\nzoykdnaqxsayeidzpnzoykdnaqxsayeidz.nzo (xdmqwjn.exe)
- File created: C:\Windows\SysWOW64\nzoykdnaqxsayeidzpnzoykdnaqxsayeidz.nzo (xdmqwjn.exe)
Drops file in Program Files directory (4 IoCs)
- File opened for modification: C:\Program Files (x86)\efjijrqsxtdaniblwboptstb.chd (xdmqwjn.exe)
- File created: C:\Program Files (x86)\efjijrqsxtdaniblwboptstb.chd (xdmqwjn.exe)
- File opened for modification: C:\Program Files (x86)\nzoykdnaqxsayeidzpnzoykdnaqxsayeidz.nzo (xdmqwjn.exe)
- File created: C:\Program Files (x86)\nzoykdnaqxsayeidzpnzoykdnaqxsayeidz.nzo (xdmqwjn.exe)
Drops file in Windows directory (4 IoCs)
- File opened for modification: C:\Windows\nzoykdnaqxsayeidzpnzoykdnaqxsayeidz.nzo (xdmqwjn.exe)
- File created: C:\Windows\nzoykdnaqxsayeidzpnzoykdnaqxsayeidz.nzo (xdmqwjn.exe)
- File opened for modification: C:\Windows\efjijrqsxtdaniblwboptstb.chd (xdmqwjn.exe)
- File created: C:\Windows\efjijrqsxtdaniblwboptstb.chd (xdmqwjn.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (xdmqwjn.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (xdmqwjn.exe)
Modifies registry class (3 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000_Classes\Local Settings (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000_Classes\Local Settings (xdmqwjn.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000_Classes\Local Settings (xdmqwjn.exe)
Suspicious behavior: EnumeratesProcesses (22 IoCs)
- PID 5460: xdmqwjn.exe (all 22 events)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 5976: xdmqwjn.exe
- PID 5460: xdmqwjn.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
- Token: SeDebugPrivilege, PID 5460, xdmqwjn.exe
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 3412 wrote to memory of 5460: 3412 JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe, target 105
- PID 3412 wrote to memory of 5460: 3412 JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe, target 105
- PID 3412 wrote to memory of 5460: 3412 JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe, target 105
- PID 3412 wrote to memory of 5976: 3412 JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe, target 106
- PID 3412 wrote to memory of 5976: 3412 JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe, target 106
- PID 3412 wrote to memory of 5976: 3412 JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe, target 106
System policy modification (1 TTPs, 36 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" (xdmqwjn.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" (xdmqwjn.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (xdmqwjn.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (xdmqwjn.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" (xdmqwjn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe (PID 3412)
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_af48005ddcc2ad191061f65097eff80b.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
Child processes of PID 3412:
-
C:\Users\Admin\AppData\Local\Temp\xdmqwjn.exe (PID 5460)
Command line: "C:\Users\Admin\AppData\Local\Temp\xdmqwjn.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\xdmqwjn.exe (PID 5976)
Command line: "C:\Users\Admin\AppData\Local\Temp\xdmqwjn.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- System policy modification
Other top-level processes (command line, PID):
- C:\Windows\system32\cmd.exe /c wldqfboexhfqrahf.exe (PID 5564)
- C:\Windows\system32\cmd.exe /c xpkasrhawjkycoyzbxb.exe . (PID 2364)
- C:\Windows\system32\cmd.exe /c mdxmdbqidppcfqzzav.exe (PID 4596)
- C:\Windows\system32\cmd.exe /c xpkasrhawjkycoyzbxb.exe . (PID 3552)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztqicdvqodgwcqcfjhnhe.exe (PID 812)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpkasrhawjkycoyzbxb.exe . (PID 3860)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdzqjjaurfhwbozbebgz.exe (PID 5936)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpkasrhawjkycoyzbxb.exe . (PID 4832)
- C:\Windows\system32\cmd.exe /c xpkasrhawjkycoyzbxb.exe (PID 5116)
- C:\Windows\system32\cmd.exe /c mdxmdbqidppcfqzzav.exe (PID 4856)
- C:\Windows\system32\cmd.exe /c mdxmdbqidppcfqzzav.exe . (PID 1068)
- C:\Windows\system32\cmd.exe /c xpkasrhawjkycoyzbxb.exe . (PID 5020)
- C:\Windows\system32\cmd.exe /c kdzqjjaurfhwbozbebgz.exe (PID 4884)
- C:\Windows\system32\cmd.exe /c dtmaqnbsmxwikucbb.exe (PID 5848)
- C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding (PID 980)
- C:\Windows\system32\cmd.exe /c ztqicdvqodgwcqcfjhnhe.exe . (PID 2592)
- C:\Windows\system32\cmd.exe /c xpkasrhawjkycoyzbxb.exe . (PID 2596)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdxmdbqidppcfqzzav.exe (PID 3664)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdxmdbqidppcfqzzav.exe (PID 864)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpkasrhawjkycoyzbxb.exe . (PID 4500)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpkasrhawjkycoyzbxb.exe . (PID 3208)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wldqfboexhfqrahf.exe (PID 3596)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wldqfboexhfqrahf.exe (PID 5092)
- C:\Windows\system32\cmd.exe /c mdxmdbqidppcfqzzav.exe (PID 2164)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpkasrhawjkycoyzbxb.exe . (PID 2232)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdxmdbqidppcfqzzav.exe . (PID 3492)
- C:\Windows\system32\cmd.exe /c dtmaqnbsmxwikucbb.exe . (PID 704)
- C:\Windows\system32\cmd.exe /c xpkasrhawjkycoyzbxb.exe (PID 2432)
- C:\Windows\system32\cmd.exe /c xpkasrhawjkycoyzbxb.exe (PID 3988)
- C:\Windows\system32\cmd.exe /c kdzqjjaurfhwbozbebgz.exe . (PID 5436)
- C:\Windows\system32\cmd.exe /c kdzqjjaurfhwbozbebgz.exe . (PID 4008)
- C:\Windows\system32\cmd.exe /c wldqfboexhfqrahf.exe (PID 1144)
- C:\Windows\system32\cmd.exe /c xpkasrhawjkycoyzbxb.exe (PID 5076)
- C:\Windows\system32\cmd.exe /c kdzqjjaurfhwbozbebgz.exe . (PID 3964)
- C:\Windows\system32\cmd.exe /c wldqfboexhfqrahf.exe . (PID 4192)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtmaqnbsmxwikucbb.exe (PID 1448)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdzqjjaurfhwbozbebgz.exe (PID 6064)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztqicdvqodgwcqcfjhnhe.exe . (PID 4472)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtmaqnbsmxwikucbb.exe . (PID 1260)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtmaqnbsmxwikucbb.exe (PID 5528)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtmaqnbsmxwikucbb.exe (PID 2344)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpkasrhawjkycoyzbxb.exe . (PID 4088)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtmaqnbsmxwikucbb.exe . (PID 4220)
- C:\Windows\system32\cmd.exe /c kdzqjjaurfhwbozbebgz.exe (PID 4700)
- C:\Windows\system32\cmd.exe /c dtmaqnbsmxwikucbb.exe (PID 4728)
- C:\Windows\system32\cmd.exe /c xpkasrhawjkycoyzbxb.exe . (PID 4928)
- C:\Windows\system32\cmd.exe /c mdxmdbqidppcfqzzav.exe . (PID 3832)
- C:\Windows\system32\cmd.exe /c mdxmdbqidppcfqzzav.exe (PID 1664)
- C:\Windows\system32\cmd.exe /c ztqicdvqodgwcqcfjhnhe.exe (PID 3424)
- C:\Windows\system32\cmd.exe /c dtmaqnbsmxwikucbb.exe . (PID 2312)
- C:\Windows\system32\cmd.exe /c kdzqjjaurfhwbozbebgz.exe . (PID 1068)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wldqfboexhfqrahf.exe (PID 2484)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtmaqnbsmxwikucbb.exe . (PID 1736)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpkasrhawjkycoyzbxb.exe (PID 980)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpkasrhawjkycoyzbxb.exe . (PID 3268)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdxmdbqidppcfqzzav.exe (PID 5828)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdzqjjaurfhwbozbebgz.exe . (PID 5292)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpkasrhawjkycoyzbxb.exe (PID 2592)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpkasrhawjkycoyzbxb.exe . (PID 5728)
- C:\Windows\system32\cmd.exe /c xpkasrhawjkycoyzbxb.exe (PID 2168)
- C:\Windows\system32\cmd.exe /c xpkasrhawjkycoyzbxb.exe (PID 764)
- C:\Windows\system32\cmd.exe /c dtmaqnbsmxwikucbb.exe . (PID 704)
- C:\Windows\system32\cmd.exe /c kdzqjjaurfhwbozbebgz.exe . (PID 1468)
- C:\Windows\system32\cmd.exe /c wldqfboexhfqrahf.exe (PID 5816)
- C:\Windows\system32\cmd.exe /c ztqicdvqodgwcqcfjhnhe.exe . (PID 1640)
- C:\Windows\system32\cmd.exe /c xpkasrhawjkycoyzbxb.exe (PID 2432)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpkasrhawjkycoyzbxb.exe (PID 5696)
- C:\Windows\system32\cmd.exe /c ztqicdvqodgwcqcfjhnhe.exe . (PID 1960)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztqicdvqodgwcqcfjhnhe.exe . (PID 4484)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdxmdbqidppcfqzzav.exe (PID 3712)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdzqjjaurfhwbozbebgz.exe . (PID 5180)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpkasrhawjkycoyzbxb.exe (PID 4568)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdxmdbqidppcfqzzav.exe . (PID 2776)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wldqfboexhfqrahf.exe (PID 1448)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdxmdbqidppcfqzzav.exe . (PID 5564)
- C:\Windows\system32\cmd.exe /c xpkasrhawjkycoyzbxb.exe (PID 3152)
- C:\Windows\system32\cmd.exe /c dtmaqnbsmxwikucbb.exe (PID 4052)
- C:\Windows\system32\cmd.exe /c xpkasrhawjkycoyzbxb.exe . (PID 3904)
- C:\Windows\system32\cmd.exe /c ztqicdvqodgwcqcfjhnhe.exe . (PID 3144)
- C:\Windows\system32\cmd.exe /c xpkasrhawjkycoyzbxb.exe (PID 6004)
- C:\Windows\system32\cmd.exe /c wldqfboexhfqrahf.exe . (PID 4716)
- C:\Windows\system32\cmd.exe /c ztqicdvqodgwcqcfjhnhe.exe (PID 4552)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wldqfboexhfqrahf.exe (PID 5044)
- C:\Windows\system32\cmd.exe /c wldqfboexhfqrahf.exe . (PID 4556)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdzqjjaurfhwbozbebgz.exe . (PID 3272)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpkasrhawjkycoyzbxb.exe (PID 4892)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdxmdbqidppcfqzzav.exe . (PID 4996)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztqicdvqodgwcqcfjhnhe.exe (PID 4884)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtmaqnbsmxwikucbb.exe . (PID 5300)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpkasrhawjkycoyzbxb.exe (PID 2468)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpkasrhawjkycoyzbxb.exe . (PID 4340)
- C:\Windows\system32\cmd.exe /c ztqicdvqodgwcqcfjhnhe.exe (PID 3044)
- C:\Windows\system32\cmd.exe /c xpkasrhawjkycoyzbxb.exe . (PID 1316)
- C:\Windows\system32\cmd.exe /c dtmaqnbsmxwikucbb.exe (PID 3664)
- C:\Windows\system32\cmd.exe /c xpkasrhawjkycoyzbxb.exe (PID 2144)
- C:\Windows\system32\cmd.exe /c wldqfboexhfqrahf.exe . (PID 5940)
- C:\Windows\system32\cmd.exe /c wldqfboexhfqrahf.exe . (PID 5960)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtmaqnbsmxwikucbb.exe (PID 1584)
- C:\Windows\system32\cmd.exe /c wldqfboexhfqrahf.exe (PID 2944)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztqicdvqodgwcqcfjhnhe.exe . (PID 4956)
- C:\Windows\system32\cmd.exe /c mdxmdbqidppcfqzzav.exe . (PID 3068)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztqicdvqodgwcqcfjhnhe.exe (PID 3344)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpkasrhawjkycoyzbxb.exe . (PID 220)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wldqfboexhfqrahf.exe (PID 704)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztqicdvqodgwcqcfjhnhe.exe . (PID 5452)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdxmdbqidppcfqzzav.exe (PID 1380)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wldqfboexhfqrahf.exe . (PID 5704)
- C:\Windows\system32\cmd.exe /c dtmaqnbsmxwikucbb.exe (PID 1556)
- C:\Windows\system32\cmd.exe /c mdxmdbqidppcfqzzav.exe . (PID 3244)
- C:\Windows\system32\cmd.exe /c xpkasrhawjkycoyzbxb.exe (PID 1564)
- C:\Windows\system32\cmd.exe /c kdzqjjaurfhwbozbebgz.exe (PID 3804)
- C:\Windows\system32\cmd.exe /c mdxmdbqidppcfqzzav.exe . (PID 6064)
- C:\Windows\system32\cmd.exe /c mdxmdbqidppcfqzzav.exe . (PID 5556)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtmaqnbsmxwikucbb.exe (PID 3464)
- C:\Windows\system32\cmd.exe /c xpkasrhawjkycoyzbxb.exe (PID 3180)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wldqfboexhfqrahf.exe . (PID 5740)
- C:\Windows\system32\cmd.exe /c mdxmdbqidppcfqzzav.exe . (PID 1332)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdzqjjaurfhwbozbebgz.exe (PID 2976)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztqicdvqodgwcqcfjhnhe.exe . (PID 3028)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtmaqnbsmxwikucbb.exe (PID 8)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztqicdvqodgwcqcfjhnhe.exe . (PID 4396)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztqicdvqodgwcqcfjhnhe.exe (PID 4928)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpkasrhawjkycoyzbxb.exe . (PID 5028)
- C:\Windows\system32\cmd.exe /c dtmaqnbsmxwikucbb.exe (PID 1220)
- C:\Windows\system32\cmd.exe /c mdxmdbqidppcfqzzav.exe . (PID 1688)
- C:\Windows\system32\cmd.exe /c kdzqjjaurfhwbozbebgz.exe (PID 5016)
- C:\Windows\system32\cmd.exe /c wldqfboexhfqrahf.exe (PID 5020)
- C:\Windows\system32\cmd.exe /c mdxmdbqidppcfqzzav.exe . (PID 5748)
- C:\Windows\system32\cmd.exe /c xpkasrhawjkycoyzbxb.exe . (PID 3268)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdzqjjaurfhwbozbebgz.exe (PID 2324)
- C:\Windows\system32\cmd.exe /c dtmaqnbsmxwikucbb.exe (PID 5440)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtmaqnbsmxwikucbb.exe . (PID 1400)
- C:\Windows\system32\cmd.exe /c kdzqjjaurfhwbozbebgz.exe . (PID 5048)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztqicdvqodgwcqcfjhnhe.exe (PID 4156)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtmaqnbsmxwikucbb.exe . (PID 3404)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztqicdvqodgwcqcfjhnhe.exe (PID 1316)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztqicdvqodgwcqcfjhnhe.exe . (PID 5484)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdzqjjaurfhwbozbebgz.exe (PID 5904)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdzqjjaurfhwbozbebgz.exe . (PID 3596)
- C:\Windows\system32\cmd.exe /c wldqfboexhfqrahf.exe (PID 1972)
- C:\Windows\system32\cmd.exe /c dtmaqnbsmxwikucbb.exe . (PID 6044)
- C:\Windows\system32\cmd.exe /c dtmaqnbsmxwikucbb.exe (PID 5296)
- C:\Windows\system32\cmd.exe /c wldqfboexhfqrahf.exe (PID 5600)
- C:\Windows\system32\cmd.exe /c ztqicdvqodgwcqcfjhnhe.exe . (PID 5496)
- C:\Windows\system32\cmd.exe /c wldqfboexhfqrahf.exe . (PID 1276)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wldqfboexhfqrahf.exe (PID 4344)
- C:\Windows\system32\cmd.exe /c dtmaqnbsmxwikucbb.exe (PID 2932)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdxmdbqidppcfqzzav.exe . (PID 1640)
- C:\Windows\system32\cmd.exe /c wldqfboexhfqrahf.exe . (PID 5520)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtmaqnbsmxwikucbb.exe (PID 5980)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdzqjjaurfhwbozbebgz.exe . (PID 336)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdxmdbqidppcfqzzav.exe (PID 5760)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdxmdbqidppcfqzzav.exe . (PID 2092)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztqicdvqodgwcqcfjhnhe.exe (PID 5588)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtmaqnbsmxwikucbb.exe . (PID 3820)
- C:\Windows\system32\cmd.exe /c dtmaqnbsmxwikucbb.exe (PID 5736)
- C:\Windows\system32\cmd.exe /c xpkasrhawjkycoyzbxb.exe . (PID 5664)
- C:\Windows\system32\cmd.exe /c ztqicdvqodgwcqcfjhnhe.exe (PID 5740)
- C:\Windows\system32\cmd.exe /c ztqicdvqodgwcqcfjhnhe.exe (PID 4424)
- C:\Windows\system32\cmd.exe /c kdzqjjaurfhwbozbebgz.exe . (PID 2772)
- C:\Windows\system32\cmd.exe /c dtmaqnbsmxwikucbb.exe . (PID 3604)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztqicdvqodgwcqcfjhnhe.exe (PID 5688)
- C:\Windows\system32\cmd.exe /c dtmaqnbsmxwikucbb.exe (PID 8)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xpkasrhawjkycoyzbxb.exe . (PID 3644)
- C:\Windows\system32\cmd.exe /c kdzqjjaurfhwbozbebgz.exe . (PID 4696)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wldqfboexhfqrahf.exe (PID 6004)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wldqfboexhfqrahf.exe . (PID 4540)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wldqfboexhfqrahf.exe (PID 5044)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdzqjjaurfhwbozbebgz.exe . (PID 3832)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdxmdbqidppcfqzzav.exe (PID 1148)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdxmdbqidppcfqzzav.exe . (PID 2312)
- C:\Windows\system32\cmd.exe /c wldqfboexhfqrahf.exe (PID 2328)
- C:\Windows\system32\cmd.exe /c wldqfboexhfqrahf.exe . (PID 3164)
- C:\Windows\system32\cmd.exe /c dtmaqnbsmxwikucbb.exe (PID 1712)
- C:\Windows\system32\cmd.exe /c ztqicdvqodgwcqcfjhnhe.exe (PID 5692)
- C:\Windows\system32\cmd.exe /c ztqicdvqodgwcqcfjhnhe.exe . (PID 5592)
- C:\Windows\system32\cmd.exe /c ztqicdvqodgwcqcfjhnhe.exe . (PID 4300)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtmaqnbsmxwikucbb.exe (PID 3648)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdzqjjaurfhwbozbebgz.exe . (PID 676)
- C:\Windows\system32\cmd.exe /c ztqicdvqodgwcqcfjhnhe.exe (PID 5904)
- C:\Windows\system32\cmd.exe /c dtmaqnbsmxwikucbb.exe . (PID 2612)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wldqfboexhfqrahf.exe (PID 5132)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdxmdbqidppcfqzzav.exe (PID 3112)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kdzqjjaurfhwbozbebgz.exe . (PID 1972)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdxmdbqidppcfqzzav.exe . (PID 6044)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdxmdbqidppcfqzzav.exe (PID 3528)
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wldqfboexhfqrahf.exe . (PID 764)
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads