Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250410-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250410-en locale:en-us os:windows10-2004-x64 system
submitted
12/04/2025, 00:50
Behavioral task
behavioral1
Sample
JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Resource
win10v2004-20250410-en
General
-
Target
JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
-
Size
320KB
-
MD5
b08d498e51aef841f6c272ad42e9a028
-
SHA1
2e3cca8351bedaa59422dcf19a7b7708b8d5cc65
-
SHA256
cf415e21ed6dee9713e1c4687e77a6034b0792bdc8dee245b3eeb900278552b5
-
SHA512
4bd556a25b796452b11f782729d35a79027c486e8ad4c270a8d46c44d799548c895b06776f47615128d4373ce6bbf40d757e703b7121fbd1725e10f33df82977
-
SSDEEP
6144:uTw1o1IV3puaibGKFHi0mofhaH05kipz016580bHFP86JQPDHDdx/QtqR:wTgvmzFHi0mo5aH0qMzd5807FPPJQPDV
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | vcqtxds.exe
Note: the value written is the default shell string, Explorer.exe, in the 32-bit (WOW6432Node) view of the Winlogon key. The signature fires on the write to Winlogon\Shell, not on a changed shell.
-
Pykspa family
-
UAC bypass 3 TTPs 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Note: EnableLUA = 0 turns UAC off entirely (effective after the next reboot); ConsentPromptBehaviorAdmin = 0 lets administrators elevate with no prompt, and PromptOnSecureDesktop = 0 moves any remaining prompt off the secure desktop. ConsentPromptBehaviorUser = 0 means "automatically deny" elevation for standard users, which on its own is a lockdown rather than a bypass; it is listed here because the sample writes it alongside the others.
-
Detect Pykspa worm 1 IoCs
resource | yara_rule
behavioral1/files/0x00090000000242c2-9.dat | family_pykspa
-
Adds policy Run key to start application 2 TTPs 27 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myrzitnqgpjq = "bsqdrhgojxwikucbb.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bkafltkkx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ukhtgvtauhfqrahf.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myrzitnqgpjq = "ukhtgvtauhfqrahf.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myrzitnqgpjq = "xsuldxamldgwcqcfjhlgi.exe" | vcqtxds.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myrzitnqgpjq = "voodtlmwtjkycoyzbxz.exe" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bkafltkkx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icdtkdfqofhwbozbebey.exe" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myrzitnqgpjq = "bsqdrhgojxwikucbb.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bkafltkkx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsuldxamldgwcqcfjhlgi.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bkafltkkx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ukhtgvtauhfqrahf.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myrzitnqgpjq = "icdtkdfqofhwbozbebey.exe" | vcqtxds.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bkafltkkx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsqdrhgojxwikucbb.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myrzitnqgpjq = "kcbpevveappcfqzzav.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myrzitnqgpjq = "xsuldxamldgwcqcfjhlgi.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bkafltkkx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icdtkdfqofhwbozbebey.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myrzitnqgpjq = "kcbpevveappcfqzzav.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myrzitnqgpjq = "icdtkdfqofhwbozbebey.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bkafltkkx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voodtlmwtjkycoyzbxz.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bkafltkkx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcbpevveappcfqzzav.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myrzitnqgpjq = "voodtlmwtjkycoyzbxz.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bkafltkkx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icdtkdfqofhwbozbebey.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bkafltkkx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voodtlmwtjkycoyzbxz.exe" | vcqtxds.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myrzitnqgpjq = "voodtlmwtjkycoyzbxz.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bkafltkkx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsqdrhgojxwikucbb.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myrzitnqgpjq = "ukhtgvtauhfqrahf.exe" | vcqtxds.exe
-
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vcqtxds.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vcqtxds.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
-
Executes dropped EXE 2 IoCs
pid | Process
4616 | vcqtxds.exe
4696 | vcqtxds.exe
-
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | vcqtxds.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | vcqtxds.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | vcqtxds.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | vcqtxds.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | vcqtxds.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | vcqtxds.exe
Note: SafeBoot\Minimal lists the services and drivers allowed to start in Safe Mode; deleting these entries stops them from loading there, which hinders clean-up from Safe Mode.
-
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\paszhrkmbjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ukhtgvtauhfqrahf.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\paszhrkmbjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ukhtgvtauhfqrahf.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lysblxswnxsay = "xsuldxamldgwcqcfjhlgi.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pealxliohtqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ukhtgvtauhfqrahf.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paszhrkmbjc = "icdtkdfqofhwbozbebey.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uevbirjkyf = "icdtkdfqofhwbozbebey.exe" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lysblxswnxsay = "bsqdrhgojxwikucbb.exe" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paszhrkmbjc = "xsuldxamldgwcqcfjhlgi.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mavfqdzewhdmls = "xsuldxamldgwcqcfjhlgi.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uevbirjkyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ukhtgvtauhfqrahf.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lysblxswnxsay = "icdtkdfqofhwbozbebey.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\paszhrkmbjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcbpevveappcfqzzav.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paszhrkmbjc = "bsqdrhgojxwikucbb.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uevbirjkyf = "voodtlmwtjkycoyzbxz.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mavfqdzewhdmls = "kcbpevveappcfqzzav.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uevbirjkyf = "xsuldxamldgwcqcfjhlgi.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mavfqdzewhdmls = "ukhtgvtauhfqrahf.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uevbirjkyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ukhtgvtauhfqrahf.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lysblxswnxsay = "kcbpevveappcfqzzav.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paszhrkmbjc = "ukhtgvtauhfqrahf.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\paszhrkmbjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsqdrhgojxwikucbb.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uevbirjkyf = "icdtkdfqofhwbozbebey.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uevbirjkyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voodtlmwtjkycoyzbxz.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\paszhrkmbjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsuldxamldgwcqcfjhlgi.exe ." | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mavfqdzewhdmls = "kcbpevveappcfqzzav.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pealxliohtqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voodtlmwtjkycoyzbxz.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pealxliohtqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voodtlmwtjkycoyzbxz.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lysblxswnxsay = "ukhtgvtauhfqrahf.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\paszhrkmbjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsqdrhgojxwikucbb.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lysblxswnxsay = "icdtkdfqofhwbozbebey.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ukhtgvtauhfqrahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icdtkdfqofhwbozbebey.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uevbirjkyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcbpevveappcfqzzav.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lysblxswnxsay = "voodtlmwtjkycoyzbxz.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ukhtgvtauhfqrahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ukhtgvtauhfqrahf.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paszhrkmbjc = "bsqdrhgojxwikucbb.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uevbirjkyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icdtkdfqofhwbozbebey.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pealxliohtqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ukhtgvtauhfqrahf.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\paszhrkmbjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voodtlmwtjkycoyzbxz.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uevbirjkyf = "kcbpevveappcfqzzav.exe" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uevbirjkyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsuldxamldgwcqcfjhlgi.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\paszhrkmbjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsuldxamldgwcqcfjhlgi.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ukhtgvtauhfqrahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsqdrhgojxwikucbb.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paszhrkmbjc = "icdtkdfqofhwbozbebey.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pealxliohtqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcbpevveappcfqzzav.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paszhrkmbjc = "xsuldxamldgwcqcfjhlgi.exe ." | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ukhtgvtauhfqrahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voodtlmwtjkycoyzbxz.exe" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pealxliohtqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcbpevveappcfqzzav.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uevbirjkyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsqdrhgojxwikucbb.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lysblxswnxsay = "xsuldxamldgwcqcfjhlgi.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paszhrkmbjc = "voodtlmwtjkycoyzbxz.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ukhtgvtauhfqrahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ukhtgvtauhfqrahf.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mavfqdzewhdmls = "ukhtgvtauhfqrahf.exe ." | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lysblxswnxsay = "bsqdrhgojxwikucbb.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ukhtgvtauhfqrahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsuldxamldgwcqcfjhlgi.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uevbirjkyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kcbpevveappcfqzzav.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\paszhrkmbjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsuldxamldgwcqcfjhlgi.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ukhtgvtauhfqrahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voodtlmwtjkycoyzbxz.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pealxliohtqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsqdrhgojxwikucbb.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uevbirjkyf = "icdtkdfqofhwbozbebey.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mavfqdzewhdmls = "xsuldxamldgwcqcfjhlgi.exe ." | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uevbirjkyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icdtkdfqofhwbozbebey.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uevbirjkyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsqdrhgojxwikucbb.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ukhtgvtauhfqrahf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsqdrhgojxwikucbb.exe" | vcqtxds.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uevbirjkyf = "bsqdrhgojxwikucbb.exe" | vcqtxds.exe
-
Checks whether UAC is enabled 1 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vcqtxds.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vcqtxds.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vcqtxds.exe
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Sets EnableInstallerDetection to 0, which turns off User Account Control's detection of application installers and the elevation prompt it raises for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | vcqtxds.exe
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
19 | whatismyipaddress.com
23 | www.whatismyip.ca
29 | www.whatismyip.ca
14 | www.showmyipaddress.com
17 | whatismyip.everdot.org
18 | www.whatismyip.ca
-
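Added example, not part of the sandbox output: a small detector for the lookup pattern above, run over Zeek-style dns.log lines. One query to an IP-echo service is common for legitimate software; this sample hits four different services in six flows, so the check looks for several distinct services from one host inside a short window. The domain list is taken from the flows in this section (whatismyip.everdot.org is kept as a full hostname rather than generalised to everdot.org); the log excerpt, timestamps and IP addresses are constructed.

```python
"""Flag hosts that query several public IP-echo services in a short window."""
from collections import defaultdict

# Lookup services seen in this report's network flows. whatismyip.everdot.org is
# kept as a full hostname on purpose: everdot.org itself is not an IP-echo site.
IP_ECHO_DOMAINS = ('whatismyipaddress.com', 'whatismyip.ca',
                   'showmyipaddress.com', 'whatismyip.everdot.org')

# Constructed Zeek-style dns.log excerpt: ts<TAB>id.orig_h<TAB>query (not real traffic).
SAMPLE_DNS_LOG = """\
1744418400.10\t10.0.0.15\twhatismyipaddress.com
1744418401.30\t10.0.0.15\twww.whatismyip.ca
1744418402.00\t10.0.0.22\twww.google.com
1744418403.50\t10.0.0.15\twww.showmyipaddress.com
1744418405.00\t10.0.0.15\twhatismyip.everdot.org
1744418410.00\t10.0.0.22\tifconfig.me
1744419500.00\t10.0.0.31\twww.whatismyip.ca
"""


def ip_echo_service(qname):
    """Return the lookup-service domain a query belongs to, or None."""
    q = qname.lower().rstrip('.')
    for domain in IP_ECHO_DOMAINS:
        if q == domain or q.endswith('.' + domain):
            return domain
    return None


def parse_dns_log(text):
    """Parse tab-separated (ts, src, query) lines into (float ts, src, query) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        ts, src, qname = line.split('\t')
        events.append((float(ts), src, qname))
    return events


def find_ip_echo_bursts(events, window=60.0, min_services=2):
    """Map each source to the largest set of distinct IP-echo services it
    queried inside any `window`-second span; keep sources reaching `min_services`."""
    per_src = defaultdict(list)
    for ts, src, qname in events:
        service = ip_echo_service(qname)
        if service:
            per_src[src].append((ts, service))
    alerts = {}
    for src, hits in per_src.items():
        hits.sort()
        best = set()
        for end_ts, _ in hits:  # window ending at each hit
            in_window = {s for ts, s in hits if end_ts - window <= ts <= end_ts}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_services:
            alerts[src] = sorted(best)
    return alerts


if __name__ == '__main__':
    for src, services in find_ip_echo_bursts(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f'{src}: {len(services)} IP-echo services within 60s: {", ".join(services)}')
```

In the constructed log only 10.0.0.15 trips the rule; 10.0.0.31 makes a single lookup and 10.0.0.22 queries a service that is not on the list, which is the usual weakness of this kind of check: the list has to be maintained from reports like this one.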
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\zaifddmejhqmysktdhrsaxv.ewb | vcqtxds.exe
File created | C:\Windows\SysWOW64\zaifddmejhqmysktdhrsaxv.ewb | vcqtxds.exe
File opened for modification | C:\Windows\SysWOW64\myrzitnqgpjqnsvpkzugzhqbvyoxryvadx.hco | vcqtxds.exe
File created | C:\Windows\SysWOW64\myrzitnqgpjqnsvpkzugzhqbvyoxryvadx.hco | vcqtxds.exe
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\zaifddmejhqmysktdhrsaxv.ewb | vcqtxds.exe
File created | C:\Program Files (x86)\zaifddmejhqmysktdhrsaxv.ewb | vcqtxds.exe
File opened for modification | C:\Program Files (x86)\myrzitnqgpjqnsvpkzugzhqbvyoxryvadx.hco | vcqtxds.exe
File created | C:\Program Files (x86)\myrzitnqgpjqnsvpkzugzhqbvyoxryvadx.hco | vcqtxds.exe
-
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\zaifddmejhqmysktdhrsaxv.ewb | vcqtxds.exe
File created | C:\Windows\zaifddmejhqmysktdhrsaxv.ewb | vcqtxds.exe
File opened for modification | C:\Windows\myrzitnqgpjqnsvpkzugzhqbvyoxryvadx.hco | vcqtxds.exe
File created | C:\Windows\myrzitnqgpjqnsvpkzugzhqbvyoxryvadx.hco | vcqtxds.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vcqtxds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vcqtxds.exe
-
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000_Classes\Local Settings | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000_Classes\Local Settings | vcqtxds.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000_Classes\Local Settings | vcqtxds.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid | Process
4616 | vcqtxds.exe (reported 20 times)
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
4696 | vcqtxds.exe
4616 | vcqtxds.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4616 | vcqtxds.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 1944 wrote to memory of 4616 | 1944 | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe | 104
PID 1944 wrote to memory of 4616 | 1944 | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe | 104
PID 1944 wrote to memory of 4616 | 1944 | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe | 104
PID 1944 wrote to memory of 4696 | 1944 | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe | 105
PID 1944 wrote to memory of 4696 | 1944 | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe | 105
PID 1944 wrote to memory of 4696 | 1944 | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe | 105
-
System policy modification 1 TTPs 36 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | vcqtxds.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | vcqtxds.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | vcqtxds.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | vcqtxds.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | vcqtxds.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | vcqtxds.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | vcqtxds.exe
Note: ValidateAdminCodeSignatures = 0 and FilterAdministratorToken = 0 are the Windows defaults, so those writes change nothing. The rest do: EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop, EnableVirtualization and EnableSecureUIAPaths set to 0 weaken UAC, DisableRegistryTools = 1 blocks regedit, and NoDriveTypeAutoRun = 1 is less restrictive than the 0x91 default (AutoRun is re-enabled for network drives).
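Added example for reading the signature tables above (UAC bypass, Adds policy Run key, Disables RegEdit, Adds Run key, Executable Installer File Permissions Weakness and System policy modification); it is not part of the sandbox output. The Python below parses IoC lines of the form the report uses, rewrites the kernel object paths into HKLM/HKU notation, and separates policy writes that actually change the UAC posture from writes that merely restate a Windows default, then lists the autostart entries with the traits worth noting (image under %TEMP%, the trailing " ." argument on the RunOnce values, a bare filename with no directory, the 32-bit registry view). The baseline values are this editor's assumptions taken from the documented Windows defaults, and SAMPLE_IOCS is a constructed excerpt of the report's own records.

```python
"""Turn Triage-style registry IoC lines into records and rate UAC/autorun writes.

Added example for this report, not sandbox output. UAC_BASELINE holds the
Windows defaults as this author understands them (assumptions, not page data);
SAMPLE_IOCS is a constructed excerpt of the report's own records."""
import re

SAMPLE_IOCS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcqtxds.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" vcqtxds.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" vcqtxds.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" vcqtxds.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" vcqtxds.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" vcqtxds.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" vcqtxds.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" vcqtxds.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myrzitnqgpjq = "bsqdrhgojxwikucbb.exe" vcqtxds.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\paszhrkmbjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ukhtgvtauhfqrahf.exe ." vcqtxds.exe
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc vcqtxds.exe
'''

# op, object path, optional quoted value, then the writing process name.
IOC_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>int|str)\)|Key created|Key deleted|Key opened|Key value queried) '
    r'(?P<path>\\REGISTRY\\.+?)(?: = "(?P<value>.*)")? (?P<proc>\S+\.exe)$'
)

# (key under CurrentVersion, value name) -> (default value, what it controls).
UAC_BASELINE = {
    ('Policies\\System', 'EnableLUA'): (1, 'UAC on'),
    ('Policies\\System', 'ConsentPromptBehaviorAdmin'): (5, 'admins prompted for consent; 0 elevates silently'),
    ('Policies\\System', 'ConsentPromptBehaviorUser'): (3, 'standard users prompted; 0 auto-denies'),
    ('Policies\\System', 'PromptOnSecureDesktop'): (1, 'prompt on the secure desktop'),
    ('Policies\\System', 'EnableInstallerDetection'): (1, 'installer detection (consumer SKU default)'),
    ('Policies\\System', 'EnableVirtualization'): (1, 'UAC file/registry virtualization'),
    ('Policies\\System', 'EnableSecureUIAPaths'): (1, 'UIAccess apps only from secure paths'),
    ('Policies\\System', 'ValidateAdminCodeSignatures'): (0, 'no signature check on elevation'),
    ('Policies\\System', 'FilterAdministratorToken'): (0, 'built-in Administrator unfiltered'),
    ('Policies\\System', 'DisableRegistryTools'): (0, 'regedit allowed'),
    ('Policies\\Explorer', 'NoDriveTypeAutoRun'): (0x91, 'AutoRun off for unknown/network drives'),
}
AUTORUN_MARKERS = ('\\CurrentVersion\\Run\\', '\\CurrentVersion\\RunOnce\\',
                   '\\Policies\\Explorer\\Run\\', '\\Winlogon\\Shell')


def normalize_path(path):
    r"""\REGISTRY\MACHINE\... -> HKLM\..., \REGISTRY\USER\<SID>\... -> HKU\<SID>\...;
    second result says whether the path is in the 32-bit WOW6432Node view."""
    for prefix, hive in (('\\REGISTRY\\MACHINE', 'HKLM'), ('\\REGISTRY\\USER', 'HKU')):
        if path.startswith(prefix + '\\'):
            path = hive + path[len(prefix):]
            break
    return path, '\\WOW6432Node\\' in path


def parse_iocs(text):
    """One IoC per line -> dicts with op, type, path, value, proc, wow64."""
    records = []
    for line in text.strip().splitlines():
        m = IOC_RE.match(line.strip())
        if not m:
            raise ValueError('unparsed IoC line: ' + line)
        rec = m.groupdict()
        if rec['value'] is not None:
            rec['value'] = rec['value'].replace('\\\\', '\\')  # report doubles backslashes
        rec['path'], rec['wow64'] = normalize_path(rec['path'])
        records.append(rec)
    return records


def assess(records):
    """Return (policy_findings, autoruns).

    policy_findings: (status, name, written, default, meaning, proc) with
    status 'TAMPERED' when the written value differs from the default.
    autoruns: (path, image, flags, proc) for every autostart write."""
    findings, autoruns = [], []
    for r in records:
        if not r['op'].startswith('Set value'):
            continue
        parent, _, name = r['path'].rpartition('\\')
        _, sep, policy_key = parent.rpartition('\\Policies\\')
        base = UAC_BASELINE.get(('Policies\\' + policy_key, name)) if sep else None
        if base:
            default, meaning = base
            written = int(r['value'], 0)
            findings.append(('TAMPERED' if written != default else 'no-op',
                             name, written, default, meaning, r['proc']))
        if any(mark in r['path'] for mark in AUTORUN_MARKERS):
            image, flags = r['value'], []
            if r['path'].endswith('\\Winlogon\\Shell'):
                if image.lower() == 'explorer.exe':
                    flags.append('rewrites default shell value')
            elif '\\' not in image:
                flags.append('bare filename (no directory)')
            if '\\appdata\\local\\temp\\' in image.lower():
                flags.append('image in %TEMP%')
            if image.endswith(' .'):
                flags.append("trailing ' .' argument")
            if r['wow64']:
                flags.append('32-bit view (WOW6432Node)')
            autoruns.append((r['path'], image, flags, r['proc']))
    return findings, autoruns


if __name__ == '__main__':
    findings, autoruns = assess(parse_iocs(SAMPLE_IOCS))
    for status, name, written, default, meaning, proc in findings:
        print(f'{status:8} {name:28} written={written:<4} default={default:<4} {meaning} [{proc}]')
    for path, image, flags, proc in autoruns:
        print(f'AUTORUN  {path}\n         -> {image}  {", ".join(flags)} [{proc}]')
```

On the constructed excerpt the check reports six tampered policy values and one no-op (ValidateAdminCodeSignatures = 0 is already the default), and three autostart entries. Feeding it the full tables above is a matter of pasting one record per line; the same record grammar covers every signature section in this report.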
Processes
1⤵ "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b08d498e51aef841f6c272ad42e9a028.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1944
2⤵ "C:\Users\Admin\AppData\Local\Temp\vcqtxds.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4616
2⤵ "C:\Users\Admin\AppData\Local\Temp\vcqtxds.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- System policy modification
PID:4696
1⤵ C:\Windows\system32\cmd.exe /c icdtkdfqofhwbozbebey.exe (PID 668)
1⤵ C:\Windows\system32\cmd.exe /c xsuldxamldgwcqcfjhlgi.exe . (PID 5688)
1⤵ C:\Windows\system32\cmd.exe /c bsqdrhgojxwikucbb.exe (PID 1444)
1⤵ C:\Windows\system32\cmd.exe /c ukhtgvtauhfqrahf.exe . (PID 5752)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\voodtlmwtjkycoyzbxz.exe (PID 1676)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcbpevveappcfqzzav.exe . (PID 2732)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukhtgvtauhfqrahf.exe (PID 1632)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsuldxamldgwcqcfjhlgi.exe . (PID 4196)
1⤵ C:\Windows\system32\cmd.exe /c bsqdrhgojxwikucbb.exe (PID 448)
1⤵ C:\Windows\system32\cmd.exe /c icdtkdfqofhwbozbebey.exe (PID 5496)
1⤵ C:\Windows\system32\cmd.exe /c bsqdrhgojxwikucbb.exe . (PID 5060)
1⤵ C:\Windows\system32\cmd.exe /c ukhtgvtauhfqrahf.exe . (PID 4820)
1⤵ C:\Windows\system32\cmd.exe /c ukhtgvtauhfqrahf.exe (PID 4748)
1⤵ C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding (PID 4896)
1⤵ C:\Windows\system32\cmd.exe /c bsqdrhgojxwikucbb.exe (PID 5556)
1⤵ C:\Windows\system32\cmd.exe /c kcbpevveappcfqzzav.exe . (PID 2256)
1⤵ C:\Windows\system32\cmd.exe /c xsuldxamldgwcqcfjhlgi.exe . (PID 5116)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\voodtlmwtjkycoyzbxz.exe (PID 3680)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsuldxamldgwcqcfjhlgi.exe (PID 2584)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\voodtlmwtjkycoyzbxz.exe . (PID 4872)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukhtgvtauhfqrahf.exe . (PID 5532)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\voodtlmwtjkycoyzbxz.exe (PID 1344)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icdtkdfqofhwbozbebey.exe (PID 1384)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcbpevveappcfqzzav.exe . (PID 3492)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\voodtlmwtjkycoyzbxz.exe . (PID 3968)
1⤵ C:\Windows\system32\cmd.exe /c kcbpevveappcfqzzav.exe (PID 5028)
1⤵ C:\Windows\system32\cmd.exe /c voodtlmwtjkycoyzbxz.exe (PID 5528)
1⤵ C:\Windows\system32\cmd.exe /c kcbpevveappcfqzzav.exe (PID 1880)
1⤵ C:\Windows\system32\cmd.exe /c xsuldxamldgwcqcfjhlgi.exe . (PID 3620)
1⤵ C:\Windows\system32\cmd.exe /c ukhtgvtauhfqrahf.exe . (PID 3032)
1⤵ C:\Windows\system32\cmd.exe /c bsqdrhgojxwikucbb.exe (PID 5684)
1⤵ C:\Windows\system32\cmd.exe /c icdtkdfqofhwbozbebey.exe (PID 2744)
1⤵ C:\Windows\system32\cmd.exe /c icdtkdfqofhwbozbebey.exe . (PID 116)
1⤵ C:\Windows\system32\cmd.exe /c kcbpevveappcfqzzav.exe . (PID 5240)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsuldxamldgwcqcfjhlgi.exe (PID 3340)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icdtkdfqofhwbozbebey.exe (PID 1856)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsuldxamldgwcqcfjhlgi.exe . (PID 3396)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsuldxamldgwcqcfjhlgi.exe . (PID 5512)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsuldxamldgwcqcfjhlgi.exe (PID 4264)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcbpevveappcfqzzav.exe (PID 4548)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukhtgvtauhfqrahf.exe . (PID 5724)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukhtgvtauhfqrahf.exe . (PID 1872)
1⤵ C:\Windows\system32\cmd.exe /c ukhtgvtauhfqrahf.exe (PID 1576)
1⤵ C:\Windows\system32\cmd.exe /c xsuldxamldgwcqcfjhlgi.exe (PID 720)
1⤵ C:\Windows\system32\cmd.exe /c bsqdrhgojxwikucbb.exe . (PID 3264)
1⤵ C:\Windows\system32\cmd.exe /c kcbpevveappcfqzzav.exe . (PID 1836)
1⤵ C:\Windows\system32\cmd.exe /c bsqdrhgojxwikucbb.exe (PID 3480)
1⤵ C:\Windows\system32\cmd.exe /c voodtlmwtjkycoyzbxz.exe (PID 4056)
1⤵ C:\Windows\system32\cmd.exe /c icdtkdfqofhwbozbebey.exe . (PID 3508)
1⤵ C:\Windows\system32\cmd.exe /c kcbpevveappcfqzzav.exe . (PID 1588)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\voodtlmwtjkycoyzbxz.exe (PID 5600)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcbpevveappcfqzzav.exe (PID 380)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsqdrhgojxwikucbb.exe . (PID 4432)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcbpevveappcfqzzav.exe . (PID 4604)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcbpevveappcfqzzav.exe (PID 448)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsqdrhgojxwikucbb.exe (PID 5496)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icdtkdfqofhwbozbebey.exe . (PID 4708)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsuldxamldgwcqcfjhlgi.exe . (PID 4788)
1⤵ C:\Windows\system32\cmd.exe /c xsuldxamldgwcqcfjhlgi.exe (PID 2936)
1⤵ C:\Windows\system32\cmd.exe /c voodtlmwtjkycoyzbxz.exe (PID 2192)
1⤵ C:\Windows\system32\cmd.exe /c xsuldxamldgwcqcfjhlgi.exe . (PID 1700)
1⤵ C:\Windows\system32\cmd.exe /c xsuldxamldgwcqcfjhlgi.exe . (PID 4068)
1⤵ C:\Windows\system32\cmd.exe /c voodtlmwtjkycoyzbxz.exe (PID 4108)
1⤵ C:\Windows\system32\cmd.exe /c xsuldxamldgwcqcfjhlgi.exe (PID 3088)
1⤵ C:\Windows\system32\cmd.exe /c xsuldxamldgwcqcfjhlgi.exe . (PID 1248)
1⤵ C:\Windows\system32\cmd.exe /c ukhtgvtauhfqrahf.exe . (PID 5484)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukhtgvtauhfqrahf.exe (PID 5492)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icdtkdfqofhwbozbebey.exe (PID 5956)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukhtgvtauhfqrahf.exe . (PID 3028)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukhtgvtauhfqrahf.exe . (PID 3620)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukhtgvtauhfqrahf.exe (PID 3928)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukhtgvtauhfqrahf.exe (PID 1392)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcbpevveappcfqzzav.exe . (PID 2668)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsuldxamldgwcqcfjhlgi.exe . (PID 408)
1⤵ C:\Windows\system32\cmd.exe /c ukhtgvtauhfqrahf.exe (PID 4256)
1⤵ C:\Windows\system32\cmd.exe /c ukhtgvtauhfqrahf.exe (PID 640)
1⤵ C:\Windows\system32\cmd.exe /c bsqdrhgojxwikucbb.exe . (PID 1872)
1⤵ C:\Windows\system32\cmd.exe /c voodtlmwtjkycoyzbxz.exe . (PID 5412)
1⤵ C:\Windows\system32\cmd.exe /c icdtkdfqofhwbozbebey.exe (PID 5344)
1⤵ C:\Windows\system32\cmd.exe /c icdtkdfqofhwbozbebey.exe (PID 1416)
1⤵ C:\Windows\system32\cmd.exe /c icdtkdfqofhwbozbebey.exe . (PID 1868)
1⤵ C:\Windows\system32\cmd.exe /c kcbpevveappcfqzzav.exe . (PID 5396)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\voodtlmwtjkycoyzbxz.exe (PID 396)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsqdrhgojxwikucbb.exe (PID 3100)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icdtkdfqofhwbozbebey.exe . (PID 4520)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcbpevveappcfqzzav.exe . (PID 6044)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukhtgvtauhfqrahf.exe (PID 4492)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcbpevveappcfqzzav.exe (PID 5548)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsuldxamldgwcqcfjhlgi.exe . (PID 5552)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukhtgvtauhfqrahf.exe . (PID 3724)
1⤵ C:\Windows\system32\cmd.exe /c voodtlmwtjkycoyzbxz.exe (PID 2716)
1⤵ C:\Windows\system32\cmd.exe /c kcbpevveappcfqzzav.exe (PID 1708)
1⤵ C:\Windows\system32\cmd.exe /c bsqdrhgojxwikucbb.exe . (PID 4756)
1⤵ C:\Windows\system32\cmd.exe /c xsuldxamldgwcqcfjhlgi.exe . (PID 2944)
1⤵ C:\Windows\system32\cmd.exe /c voodtlmwtjkycoyzbxz.exe (PID 5388)
1⤵ C:\Windows\system32\cmd.exe /c bsqdrhgojxwikucbb.exe (PID 1944)
1⤵ C:\Windows\system32\cmd.exe /c voodtlmwtjkycoyzbxz.exe . (PID 4212)
1⤵ C:\Windows\system32\cmd.exe /c xsuldxamldgwcqcfjhlgi.exe . (PID 1016)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icdtkdfqofhwbozbebey.exe (PID 3884)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcbpevveappcfqzzav.exe (PID 2192)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsqdrhgojxwikucbb.exe . (PID 3560)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcbpevveappcfqzzav.exe . (PID 3492)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsqdrhgojxwikucbb.exe (PID 572)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsuldxamldgwcqcfjhlgi.exe (PID 2156)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukhtgvtauhfqrahf.exe . (PID 4532)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukhtgvtauhfqrahf.exe . (PID 536)
1⤵ C:\Windows\system32\cmd.exe /c bsqdrhgojxwikucbb.exe (PID 1404)
1⤵ C:\Windows\system32\cmd.exe /c bsqdrhgojxwikucbb.exe (PID 652)
1⤵ C:\Windows\system32\cmd.exe /c icdtkdfqofhwbozbebey.exe . (PID 5732)
1⤵ C:\Windows\system32\cmd.exe /c bsqdrhgojxwikucbb.exe . (PID 2460)
1⤵ C:\Windows\system32\cmd.exe /c ukhtgvtauhfqrahf.exe (PID 2712)
1⤵ C:\Windows\system32\cmd.exe /c bsqdrhgojxwikucbb.exe (PID 4288)
1⤵ C:\Windows\system32\cmd.exe /c xsuldxamldgwcqcfjhlgi.exe . (PID 4320)
1⤵ C:\Windows\system32\cmd.exe /c kcbpevveappcfqzzav.exe . (PID 3132)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsqdrhgojxwikucbb.exe (PID 100)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcbpevveappcfqzzav.exe (PID 392)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icdtkdfqofhwbozbebey.exe . (PID 2248)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\voodtlmwtjkycoyzbxz.exe . (PID 696)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcbpevveappcfqzzav.exe (PID 2624)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\voodtlmwtjkycoyzbxz.exe . (PID 5100)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsuldxamldgwcqcfjhlgi.exe (PID 720)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukhtgvtauhfqrahf.exe . (PID 4276)
1⤵ C:\Windows\system32\cmd.exe /c ukhtgvtauhfqrahf.exe (PID 4000)
1⤵ C:\Windows\system32\cmd.exe /c bsqdrhgojxwikucbb.exe (PID 776)
1⤵ C:\Windows\system32\cmd.exe /c bsqdrhgojxwikucbb.exe . (PID 4260)
1⤵ C:\Windows\system32\cmd.exe /c ukhtgvtauhfqrahf.exe . (PID 4540)
1⤵ C:\Windows\system32\cmd.exe /c xsuldxamldgwcqcfjhlgi.exe (PID 4816)
1⤵ C:\Windows\system32\cmd.exe /c ukhtgvtauhfqrahf.exe (PID 4472)
1⤵ C:\Windows\system32\cmd.exe /c xsuldxamldgwcqcfjhlgi.exe . (PID 6128)
1⤵ C:\Windows\system32\cmd.exe /c icdtkdfqofhwbozbebey.exe . (PID 2396)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\voodtlmwtjkycoyzbxz.exe (PID 5816)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsuldxamldgwcqcfjhlgi.exe (PID 3552)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\voodtlmwtjkycoyzbxz.exe . (PID 4760)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsuldxamldgwcqcfjhlgi.exe . (PID 3780)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsqdrhgojxwikucbb.exe (PID 2716)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsuldxamldgwcqcfjhlgi.exe (PID 2004)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\voodtlmwtjkycoyzbxz.exe . (PID 4840)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcbpevveappcfqzzav.exe . (PID 4516)
1⤵ C:\Windows\system32\cmd.exe /c bsqdrhgojxwikucbb.exe (PID 4156)
1⤵ C:\Windows\system32\cmd.exe /c ukhtgvtauhfqrahf.exe (PID 4176)
1⤵ C:\Windows\system32\cmd.exe /c voodtlmwtjkycoyzbxz.exe . (PID 3880)
1⤵ C:\Windows\system32\cmd.exe /c icdtkdfqofhwbozbebey.exe . (PID 5868)
1⤵ C:\Windows\system32\cmd.exe /c kcbpevveappcfqzzav.exe (PID 5636)
1⤵ C:\Windows\system32\cmd.exe /c xsuldxamldgwcqcfjhlgi.exe (PID 5276)
1⤵ C:\Windows\system32\cmd.exe /c voodtlmwtjkycoyzbxz.exe . (PID 3332)
1⤵ C:\Windows\system32\cmd.exe /c bsqdrhgojxwikucbb.exe . (PID 1028)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icdtkdfqofhwbozbebey.exe (PID 1712)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\voodtlmwtjkycoyzbxz.exe (PID 2916)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukhtgvtauhfqrahf.exe . (PID 5520)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsqdrhgojxwikucbb.exe . (PID 5048)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsqdrhgojxwikucbb.exe (PID 3096)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icdtkdfqofhwbozbebey.exe (PID 4360)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\voodtlmwtjkycoyzbxz.exe . (PID 3028)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsuldxamldgwcqcfjhlgi.exe . (PID 2952)
1⤵ C:\Windows\system32\cmd.exe /c xsuldxamldgwcqcfjhlgi.exe (PID 2308)
1⤵ C:\Windows\system32\cmd.exe /c voodtlmwtjkycoyzbxz.exe (PID 916)
1⤵ C:\Windows\system32\cmd.exe /c ukhtgvtauhfqrahf.exe . (PID 4320)
1⤵ C:\Windows\system32\cmd.exe /c voodtlmwtjkycoyzbxz.exe . (PID 220)
1⤵ C:\Windows\system32\cmd.exe /c voodtlmwtjkycoyzbxz.exe (PID 3308)
1⤵ C:\Windows\system32\cmd.exe /c kcbpevveappcfqzzav.exe . (PID 1116)
1⤵ C:\Windows\system32\cmd.exe /c xsuldxamldgwcqcfjhlgi.exe (PID 696)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icdtkdfqofhwbozbebey.exe (PID 1872)
1⤵ C:\Windows\system32\cmd.exe /c voodtlmwtjkycoyzbxz.exe . (PID 1484)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\voodtlmwtjkycoyzbxz.exe . (PID 1324)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukhtgvtauhfqrahf.exe (PID 3952)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\voodtlmwtjkycoyzbxz.exe . (PID 5468)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsuldxamldgwcqcfjhlgi.exe (PID 5592)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icdtkdfqofhwbozbebey.exe (PID 1124)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsqdrhgojxwikucbb.exe . (PID 1696)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsqdrhgojxwikucbb.exe . (PID 3732)
1⤵ C:\Windows\system32\cmd.exe /c icdtkdfqofhwbozbebey.exe (PID 4736)
1⤵ C:\Windows\system32\cmd.exe /c bsqdrhgojxwikucbb.exe (PID 2920)
1⤵ C:\Windows\system32\cmd.exe /c voodtlmwtjkycoyzbxz.exe . (PID 5292)
1⤵ C:\Windows\system32\cmd.exe /c ukhtgvtauhfqrahf.exe . (PID 5556)
1⤵ C:\Windows\system32\cmd.exe /c bsqdrhgojxwikucbb.exe (PID 2948)
1⤵ C:\Windows\system32\cmd.exe /c bsqdrhgojxwikucbb.exe . (PID 5876)
1⤵ C:\Windows\system32\cmd.exe /c xsuldxamldgwcqcfjhlgi.exe (PID 4884)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsuldxamldgwcqcfjhlgi.exe (PID 5812)
1⤵ C:\Windows\system32\cmd.exe /c kcbpevveappcfqzzav.exe . (PID 4400)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcbpevveappcfqzzav.exe . (PID 3824)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcbpevveappcfqzzav.exe (PID 5916)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcbpevveappcfqzzav.exe . (PID 4396)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\voodtlmwtjkycoyzbxz.exe (PID 3288)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsuldxamldgwcqcfjhlgi.exe (PID 704)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsuldxamldgwcqcfjhlgi.exe . (PID 1636)
1⤵ C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\voodtlmwtjkycoyzbxz.exe . (PID 3560)
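The tree above is dominated by cmd.exe /c relaunches of six dropped executables, invoked either by bare name (which cmd.exe resolves against its working directory, so the path in the event is not reliable) or by full path under the user's Temp directory, often with a lone "." argument, and with PIDs reused during the run (448, 5496 and 3620 each appear twice), so counting launches per basename is more useful than counting PIDs. The Python below, an added example and not code from the sandbox vendor or from the sample, parses command lines in the form a Sysmon or EDR process-creation event would carry and applies that hunt rule; SAMPLE_CMDLINES is constructed from lines in the tree plus two non-matching lines, and the rule, thresholds and function names are this example's own.

```python
"""Detection logic for the relaunch pattern in the process tree above:
cmd.exe /c <dropped>.exe, by bare name or by full %TEMP% path, often with a lone
"." argument.

Added example for this page; it is not code from the sandbox vendor or from the
sample.  SAMPLE_CMDLINES is constructed from command lines in the tree above plus
two benign lines; the hunt rule and the function names are this example's own.
"""
import re
from collections import Counter

SAMPLE_CMDLINES = [
    r"C:\Windows\system32\cmd.exe /c icdtkdfqofhwbozbebey.exe",
    r"C:\Windows\system32\cmd.exe /c xsuldxamldgwcqcfjhlgi.exe .",
    r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\voodtlmwtjkycoyzbxz.exe",
    r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcbpevveappcfqzzav.exe .",
    r"C:\Windows\system32\cmd.exe /c bsqdrhgojxwikucbb.exe",
    r"C:\Windows\system32\cmd.exe /c ukhtgvtauhfqrahf.exe .",
    # Also in the tree, but not a cmd /c launch: must not match.
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding",
    # Constructed benign admin use: cmd /c with a built-in, not an .exe.
    r"C:\Windows\system32\cmd.exe /c dir C:\Users\Admin",
]

# cmd.exe /c <target> [args]; the target may be quoted or a bare token.
LAUNCH_RE = re.compile(
    r'^"?(?P<shell>[a-z]:\\windows\\system32\\cmd\.exe)"?\s+/c\s+'
    r'(?P<target>"[^"]+"|\S+)(?P<args>.*)$',
    re.IGNORECASE,
)
USER_TEMP_RE = re.compile(r'^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\', re.IGNORECASE)


def parse_launch(cmdline):
    """Return the parsed fields of a 'cmd.exe /c <x>.exe ...' launch, or None."""
    m = LAUNCH_RE.match(cmdline.strip())
    if m is None:
        return None
    target = m["target"].strip('"')
    if not target.lower().endswith(".exe"):
        return None
    return {
        "basename": target.rsplit("\\", 1)[-1].lower(),
        "bare_name": "\\" not in target,            # resolved against cmd.exe's working directory
        "in_user_temp": bool(USER_TEMP_RE.match(target)),
        "dot_arg": m["args"].strip() == ".",         # the lone '.' seen throughout the tree
        "cmdline": cmdline,
    }


def suspicious(launch):
    """Hunt rule: cmd /c running an .exe by bare name or from the user's Temp directory."""
    return launch is not None and (launch["bare_name"] or launch["in_user_temp"])


def hunt(cmdlines):
    """Apply the rule to a batch of command lines; return (hits, launches per basename)."""
    hits = [launch for launch in map(parse_launch, cmdlines) if suspicious(launch)]
    return hits, Counter(h["basename"] for h in hits)


if __name__ == "__main__":
    hits, per_name = hunt(SAMPLE_CMDLINES)
    for name, n in per_name.most_common():
        print(f"{name:30} launches={n}")
    dots = sum(h["dot_arg"] for h in hits)
    print(f"{len(hits)} suspicious launches, {dots} with the '.' argument")
```

Keying on the basename is what makes the bare-name and full-path forms collapse onto the same six files; on a real host the rule should be paired with the parent process, since the sandbox did not attribute these cmd.exe instances to a parent.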
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 2
  - Winlogon Helper DLL (T1547.004): 1
- Hijack Execution Flow (T1574): 1
  - Executable Installer File Permissions Weakness (T1574.005): 1
Privilege Escalation
- Abuse Elevation Control Mechanism (T1548): 1
  - Bypass User Account Control (T1548.002): 1
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 2
  - Winlogon Helper DLL (T1547.004): 1
- Hijack Execution Flow (T1574): 1
  - Executable Installer File Permissions Weakness (T1574.005): 1
Defense Evasion
- Abuse Elevation Control Mechanism (T1548): 1
  - Bypass User Account Control (T1548.002): 1
- Hijack Execution Flow (T1574): 1
  - Executable Installer File Permissions Weakness (T1574.005): 1
- Impair Defenses (T1562): 2
  - Disable or Modify Tools (T1562.001): 1
  - Safe Mode Boot (T1562.009): 1
- Modify Registry (T1112): 5
Downloads
Filesize: 280B
MD5: 7874a1a7af170ccc796ffed2fd42a9e3
SHA1: 88f06da247fe2fbe8227e97a6e98413430066c9c
SHA256: 236aebd67be3cd23c0ae2444a97080265fbe624774ec83eaacb959899232ffa5
SHA512: 0ee80eca10c22bdbb521ea038b6164054ff77a295dab739c10854b3a2a49e06872ed6aacd04ef111eeae71022a1270de83a9f8d546a584bcd6fad7da8c1aac70

Filesize: 280B
MD5: 8efb6bde9b5b8df1ce03c8dd5d7afe4f
SHA1: 4bf9cf6eb453785e31b30d11b1f3791d325d982f
SHA256: d043c20f9f53bf82fa8867742c0037038f479824657ca495afa7174f65c0c8a4
SHA512: 57439df05adeb4bc759f66c9be7973abe2d2e9e8053f650368aa66bbd76b688a5e00ab47fe102077a624212a92e6e5d7bc31a876ae64930c3d29e3d6d9cf933d

Filesize: 280B
MD5: 2421d5ca5dc3356bf89178d2ff77100e
SHA1: de93fa10c0ef21e81e3db52dad391950e810d933
SHA256: 6543372712a82721a45aa6ae564586b87818f28db3947428214d6707cf845883
SHA512: f05c09c5f9bc24cce627114383fa522eb26da1abe808d39073285a5bbbb03356c817abf0b75eca9a30cbbdfb045e2c7746bad960ecb4d0c1068a192b091c687f

Filesize: 280B
MD5: a1bf25baeb5904dc2188d224b2b959f7
SHA1: 6844041f2b85d76e2da8b8f24e99ae0bc660496c
SHA256: ef4b3b44ff1cb5d337b4fd6c70c3a72f2b187914a0f6a29184908bbb7d28cd8c
SHA512: 590520408973e52e86482c35a704adbc2c6a28098a1e412783656e8fe8077f697f26f748072a6b2a2f15d75d85771608e9e529fe075120247547587561d8b488

Filesize: 280B
MD5: d2597ad953a76469d6557a9708bd2423
SHA1: ba8a7b90db325c22fe9507d03a9c227044fe3283
SHA256: 732bb11f2a645e8f94e63d56b64e659b3d16aff7da240a9973887678893de5b7
SHA512: 2b34a7bce079711847a62de3ef3d6c7ea4ac79719a4087ca382dce8174871781abc77b9d17693ce5bb780575db334ce2a9043808d2b0228c1c6fada1ccb8da3c

Filesize: 280B
MD5: bea61c38bfa7979e53fd677aef8f7c8a
SHA1: 4dcbe954af3b00f5ec2fd70f8fc839c0d72a5ddd
SHA256: e6dc0b4f7f1d7b93347adbbbad54664e764f12ab7dd26c86cb73e48f7f53e06c
SHA512: 0b52105fb7dceccc3ff9a7b4cf6f9d4dc2abad694ecf95ffb2e2b97b1ebd5bf84cc97a25ecb14a46f4aeebabdc283a5c43634a9853c57c4849cab7e462955809

Filesize: 720KB
MD5: 01a2a904d402f5b4e604bf16bf06c0f6
SHA1: 8aac8a223064dc6385dbdf037ee25c273d52e10d
SHA256: 486ed7fb3cdc250cfbdbcd1ec6b41164c2c378f441a53824007fd6e56ae11c0a
SHA512: 76317a835951d1a9d064a4e0b53fc0928df4415ddb8e93fd9d8578b001dbf208adbaae4ea4a69d0011d7cb461d2a48372aa666a2be9280985d7ca14384714ed8

Filesize: 4KB
MD5: 6fc24ee2d1a8b8f9fc2bbb8f841addde
SHA1: 03985648cab5f11e24e9c0b7c1431fde5674fdc9
SHA256: a941a85fb31eb8b5d8931942fd2877b3131cfda028515ce3f86f3c42e0034e5f
SHA512: 83f60fafab1e2f68f918466b00460740fcc9e4b41f5e41d69f36886743ec664351980a11d1e341e6347f8991d584a989413530ac3baef68d1f93e47ccf09beda

Filesize: 280B
MD5: 280df886c0f2e32828a1ecbb47509894
SHA1: 97292103905ff68dc23dae3289b410ec3c858444
SHA256: 221b47fe360a400f4e897f86eb9e6c14a19173e44650d6e8ea60953952a7b6f7
SHA512: 4af1406e6e66fbf1800466492ccc9529685abfa69f7fed4fe811a9f6f62b7940242be495bc73b0e485aea508535d24a021f9f88cf8d96ea7164fe081041a6fa9

Filesize: 280B
MD5: e9e3881bb492144d951a5bd904ff7b26
SHA1: d5456713c1e8101e31a7852cdc52bbcd1347c116
SHA256: 3744f46a78fdba958405b21b5bd7694049fe845579908c06a8b7c301693baa85
SHA512: bb75139b59523b889ce66aa703e0fd597e152a4ccb0f4c882bc205e55089ef5b3b9293be3d6e6ea7f73d84f4f0069d492013caebbb9afa3b9d8f24ce3c14e89e