Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/04/2025, 23:27
Behavioral task behavioral1: sample JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe, resource win10v2004-20250314-en
Behavioral task behavioral2: sample JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe, resource win11-20250410-en
General
Target: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Size: 320KB
MD5: bb9948c3da8fee376e600f5467021131
SHA1: c8fec923c44f9debbce6862b0ce24f6686d6faf5
SHA256: 3dfd0e24cf3ccb5898676f46f706ada8a30636bc3383b2406c1cee28aaf319f3
SHA512: 0351bd5fa851347900fdbe6050c6ccdb2e23b2bb587213b9d08b296fa060adcb4ea81f224877b42426074a6282fb362ce7db3f8d277462f9118fb5bc9f5b340e
SSDEEP: 6144:5Tw4o1IV3puaibGKFHi0mofhaH05kipz016580bHFMWu86JQPDHDdx/QtqR:BmgvmzFHi0mo5aH0qMzd5807FKPJQPDV
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" (process: bhmwdgn.exe)
Pykspa family
-
UAC bypass 3 TTPs 12 IoCs
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
Detect Pykspa worm 1 IoCs
- yara rule family_pykspa matched resource behavioral1/files/0x000b0000000227b6-9.dat
Adds policy Run key to start application 2 TTPs 26 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "apdwmyoarhkprerz.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "hxmgxkbogxbhkymvu.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe" (process: bhmwdgn.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxqojavmidlvcumzcnrle.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohzwqgaqlfmvbsjvxhkd.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apdwmyoarhkprerz.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhxskyqexpubfujttb.exe" (process: bhmwdgn.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "btkgzohwqjpxcsitudf.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "dxqojavmidlvcumzcnrle.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "ohzwqgaqlfmvbsjvxhkd.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "qhxskyqexpubfujttb.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "qhxskyqexpubfujttb.exe" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "btkgzohwqjpxcsitudf.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxqojavmidlvcumzcnrle.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "ohzwqgaqlfmvbsjvxhkd.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "qhxskyqexpubfujttb.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohzwqgaqlfmvbsjvxhkd.exe" (process: bhmwdgn.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apdwmyoarhkprerz.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "apdwmyoarhkprerz.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "hxmgxkbogxbhkymvu.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe" (process: bhmwdgn.exe)
Disables RegEdit via registry modification 6 IoCs
- Set value (int): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: bhmwdgn.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
Executes dropped EXE 2 IoCs
- PID 2348: bhmwdgn.exe
- PID 3060: bhmwdgn.exe
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager (process: bhmwdgn.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys (process: bhmwdgn.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc (process: bhmwdgn.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power (process: bhmwdgn.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys (process: bhmwdgn.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc (process: bhmwdgn.exe)
Adds Run key to start application 2 TTPs 64 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxqojavmidlvcumzcnrle.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "qhxskyqexpubfujttb.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "apdwmyoarhkprerz.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "apdwmyoarhkprerz.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "qhxskyqexpubfujttb.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "hxmgxkbogxbhkymvu.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "qhxskyqexpubfujttb.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "btkgzohwqjpxcsitudf.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ajreouekvf = "btkgzohwqjpxcsitudf.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxqojavmidlvcumzcnrle.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "hxmgxkbogxbhkymvu.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhxskyqexpubfujttb.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "btkgzohwqjpxcsitudf.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ajreouekvf = "dxqojavmidlvcumzcnrle.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ajreouekvf = "dxqojavmidlvcumzcnrle.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "dxqojavmidlvcumzcnrle.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "apdwmyoarhkprerz.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "hxmgxkbogxbhkymvu.exe" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ajreouekvf = "btkgzohwqjpxcsitudf.exe ." (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "btkgzohwqjpxcsitudf.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "ohzwqgaqlfmvbsjvxhkd.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "ohzwqgaqlfmvbsjvxhkd.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "qhxskyqexpubfujttb.exe" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apdwmyoarhkprerz.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "hxmgxkbogxbhkymvu.exe ." (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otxgmo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhxskyqexpubfujttb.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "qhxskyqexpubfujttb.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohzwqgaqlfmvbsjvxhkd.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "btkgzohwqjpxcsitudf.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "hxmgxkbogxbhkymvu.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "qhxskyqexpubfujttb.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otxgmo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohzwqgaqlfmvbsjvxhkd.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otxgmo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ajreouekvf = "qhxskyqexpubfujttb.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxqojavmidlvcumzcnrle.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhxskyqexpubfujttb.exe" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohzwqgaqlfmvbsjvxhkd.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apdwmyoarhkprerz.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "apdwmyoarhkprerz.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otxgmo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apdwmyoarhkprerz.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "dxqojavmidlvcumzcnrle.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhxskyqexpubfujttb.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "btkgzohwqjpxcsitudf.exe ." (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otxgmo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apdwmyoarhkprerz.exe" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhxskyqexpubfujttb.exe ." (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "btkgzohwqjpxcsitudf.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apdwmyoarhkprerz.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "dxqojavmidlvcumzcnrle.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "ohzwqgaqlfmvbsjvxhkd.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "apdwmyoarhkprerz.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe ." (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otxgmo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxqojavmidlvcumzcnrle.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "dxqojavmidlvcumzcnrle.exe" (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxqojavmidlvcumzcnrle.exe ." (process: bhmwdgn.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe" (process: bhmwdgn.exe)
Checks whether UAC is enabled 1 TTPs 6 IoCs
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: bhmwdgn.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: bhmwdgn.exe)
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's installer-detection elevation for standard users.
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" (process: bhmwdgn.exe)
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 15: whatismyip.everdot.org
- flow 16: whatismyipaddress.com
- flow 24: www.showmyipaddress.com
- flow 27: whatismyip.everdot.org
- flow 30: www.whatismyip.ca
- flow 32: www.whatismyip.ca
- flow 33: whatismyip.everdot.org
- flow 34: www.whatismyip.ca
Drops file in System32 directory 4 IoCs
- File opened for modification: C:\Windows\SysWOW64\ijjoqoqortiznmlfphsttyay.ybd (process: bhmwdgn.exe)
- File created: C:\Windows\SysWOW64\ijjoqoqortiznmlfphsttyay.ybd (process: bhmwdgn.exe)
- File opened for modification: C:\Windows\SysWOW64\rdoeranwkxxzyisxsvrdoeranwkxxzyisxs.rdo (process: bhmwdgn.exe)
- File created: C:\Windows\SysWOW64\rdoeranwkxxzyisxsvrdoeranwkxxzyisxs.rdo (process: bhmwdgn.exe)
Drops file in Program Files directory 4 IoCs
- File opened for modification: C:\Program Files (x86)\ijjoqoqortiznmlfphsttyay.ybd (process: bhmwdgn.exe)
- File created: C:\Program Files (x86)\ijjoqoqortiznmlfphsttyay.ybd (process: bhmwdgn.exe)
- File opened for modification: C:\Program Files (x86)\rdoeranwkxxzyisxsvrdoeranwkxxzyisxs.rdo (process: bhmwdgn.exe)
- File created: C:\Program Files (x86)\rdoeranwkxxzyisxsvrdoeranwkxxzyisxs.rdo (process: bhmwdgn.exe)
Drops file in Windows directory 4 IoCs
- File opened for modification: C:\Windows\rdoeranwkxxzyisxsvrdoeranwkxxzyisxs.rdo (process: bhmwdgn.exe)
- File created: C:\Windows\rdoeranwkxxzyisxsvrdoeranwkxxzyisxs.rdo (process: bhmwdgn.exe)
- File opened for modification: C:\Windows\ijjoqoqortiznmlfphsttyay.ybd (process: bhmwdgn.exe)
- File created: C:\Windows\ijjoqoqortiznmlfphsttyay.ybd (process: bhmwdgn.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: bhmwdgn.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: bhmwdgn.exe)
Modifies registry class 3 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Key created: \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings (process: bhmwdgn.exe)
- Key created: \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings (process: bhmwdgn.exe)
Suspicious behavior: EnumeratesProcesses 20 IoCs
- PID 2348: bhmwdgn.exe (20 events)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
- PID 3060: bhmwdgn.exe
- PID 2348: bhmwdgn.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
- Token: SeDebugPrivilege (PID 2348, bhmwdgn.exe)
Suspicious use of WriteProcessMemory 6 IoCs
- PID 4224 wrote to memory of 2348 (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe, procid_target 106)
- PID 4224 wrote to memory of 2348 (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe, procid_target 106)
- PID 4224 wrote to memory of 2348 (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe, procid_target 106)
- PID 4224 wrote to memory of 3060 (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe, procid_target 107)
- PID 4224 wrote to memory of 3060 (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe, procid_target 107)
- PID 4224 wrote to memory of 3060 (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe, procid_target 107)
System policy modification 1 TTPs 36 IoCs
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (process: bhmwdgn.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (process: bhmwdgn.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (process: bhmwdgn.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" (process: bhmwdgn.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" (process: bhmwdgn.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" (process: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe)
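The signatures above all reduce to a handful of registry writes: the UAC policy values under Policies\System forced to their weakest setting, DisableRegistryTools set to 1, Winlogon\Shell rewritten, autorun values under Run, RunOnce and Policies\Explorer\Run pointing at the dropped executables in %TEMP%, and SafeBoot\Minimal entries deleted so the machine cannot be cleaned from Safe Mode. The following Python triage helper is an added example, not part of the sandbox report or of the Pykspa sample: it parses IoC lines in the "description ioc process" form this report uses and classifies them. The table of weakening values and the assumption that Winlogon\Shell should read explorer.exe are taken from documented Windows defaults; the sample lines are copied from the signatures above and labelled as constructed input. Note that the Shell value the sample writes is the default "Explorer.exe", so the signature fires on the write, not on the content; a live-host check has to compare the stored value.

```python
"""Triage helper for registry IoC lines in the form used by this report.
Added example, not part of the sandbox report; the weakening-value table and
the Winlogon Shell default are assumptions taken from documented Windows defaults."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RegEvent:
    op: str
    key: str
    value: Optional[str]
    process: str

@dataclass(frozen=True)
class Finding:
    category: str
    detail: str
    process: str

OPS = ("Set value (int)", "Set value (str)", "Key value queried",
       "Key created", "Key deleted", "Key opened")
# Policy values that weaken UAC or lock the user out of regedit (assumed
# defaults: EnableLUA=1, ConsentPromptBehaviorAdmin=5, DisableRegistryTools absent).
WEAKENING_POLICY = {
    "EnableLUA": "0",                   # UAC off entirely
    "ConsentPromptBehaviorAdmin": "0",  # elevate admins without a prompt
    "ConsentPromptBehaviorUser": "0",   # deny standard users silently
    "PromptOnSecureDesktop": "0",       # any prompt lands on the normal desktop
    "EnableInstallerDetection": "0",    # no heuristic installer elevation
    "EnableVirtualization": "0",
    "EnableSecureUIAPaths": "0",
    "DisableRegistryTools": "1",        # regedit blocked
}
SET_RE = re.compile(r'^(?P<key>.+?) = "(?P<val>.*)" (?P<proc>\S+)$')
AUTORUN_RE = re.compile(r"\\(Run(?:Once)?)\\([^\\]+)$", re.IGNORECASE)

def parse_ioc(line: str) -> RegEvent:
    """Split one 'description ioc process' line into its columns."""
    line = line.strip()
    op = next((o for o in OPS if line.startswith(o)), None)
    if op is None:
        raise ValueError(f"unrecognised IoC line: {line!r}")
    rest = line[len(op):].strip()
    if op.startswith("Set value"):
        m = SET_RE.match(rest)
        if m is None:
            raise ValueError(f"malformed Set value line: {line!r}")
        return RegEvent(op, m["key"], m["val"], m["proc"])
    key, proc = rest.rsplit(" ", 1)  # key paths may contain spaces, process names do not
    return RegEvent(op, key, None, proc)

def autorun_target(value: str) -> str:
    """Executable name from an autorun value; drops the trailing '.' argument the sample appends."""
    v = value.strip()
    if v.endswith(" ."):
        v = v[:-2]
    return re.split(r"[\\/]+", v)[-1]

def classify(ev: RegEvent) -> Optional[Finding]:
    name = ev.key.rsplit("\\", 1)[-1]
    if ev.op.startswith("Set value"):
        if "\\Policies\\System\\" in ev.key:
            if WEAKENING_POLICY.get(name) == ev.value:
                return Finding("uac_weakened", f"{name}={ev.value}", ev.process)
            return Finding("policy_write", f"{name}={ev.value}", ev.process)
        if ev.key.lower().endswith("\\winlogon\\shell"):
            # The sample writes the default; on a live host compare the value, not the write.
            if ev.value.strip().lower() == "explorer.exe":
                return Finding("winlogon_shell_default_rewrite", ev.value, ev.process)
            return Finding("winlogon_shell_hijack", ev.value, ev.process)
        m = AUTORUN_RE.search(ev.key)
        if m:
            detail = f"{m.group(1)}\\{m.group(2)} -> {autorun_target(ev.value)}"
            return Finding("autorun", detail, ev.process)
    elif ev.op == "Key deleted" and "\\SafeBoot\\" in ev.key:
        return Finding("safeboot_tamper", name, ev.process)
    elif ev.op == "Key value queried" and name == "EnableLUA":
        return Finding("uac_check", name, ev.process)
    return None

def triage(text: str) -> list[Finding]:
    events = [parse_ioc(l) for l in text.splitlines() if l.strip()]
    return [f for f in map(classify, events) if f is not None]

def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.category for f in findings))

# Constructed input: nine lines copied from the signatures in this report.
SAMPLE = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bhmwdgn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" bhmwdgn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bhmwdgn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe ." bhmwdgn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "apdwmyoarhkprerz.exe" bhmwdgn.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc bhmwdgn.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bhmwdgn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bhmwdgn.exe
'''
```

Running `summarize(triage(SAMPLE))` on the constructed lines gives two UAC-weakening writes, one informational policy write (FilterAdministratorToken=0 is the default and is not flagged), one default-value rewrite of Winlogon\Shell, two autorun entries resolved to their dropped executables, one SafeBoot deletion and one EnableLUA query. On a real host the same classification should be applied to the current registry contents, since every value in WEAKENING_POLICY stays in effect after the sample's processes are gone.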
Processes
-
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe"  PID:4224
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
    "C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe" "-"  PID:2348
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Impair Defenses: Safe Mode Boot
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
    "C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe" "-"  PID:3060
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - System policy modification
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe  PID:2472
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .  PID:3244
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe  PID:3980
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .  PID:116
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe  PID:4328
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .  PID:2996
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe  PID:1468
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe .  PID:4504
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe  PID:1592
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe  PID:5076
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .  PID:4116
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .  PID:788
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding  PID:1140
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe  PID:1124
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe  PID:2628
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .  PID:5068
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .  PID:4760
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe  PID:2304
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe  PID:1840
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe .  PID:4064
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe .  PID:4448
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe  PID:2812
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe  PID:2088
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe  PID:3012
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe .  PID:428
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe .  PID:1588
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe .  PID:4840
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe  PID:4628
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe  PID:4504
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe .  PID:984
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .  PID:2724
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe  PID:1524
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe  PID:3956
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe .  PID:2204
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe .  PID:916
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe  PID:1372
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe  PID:2628
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe .  PID:1124
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .  PID:908
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe  PID:4668
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe  PID:1832
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe .  PID:4872
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .  PID:2940
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe  PID:1712
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe  PID:464
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe .  PID:4956
C:\Windows\system32\cmd.exe /c ohzwqgaqlfmvbsjvxhkd.exe .  PID:1920
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe  PID:3948
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe  PID:5048
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe .  PID:1584
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe .  PID:2592
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe  PID:2284
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe  PID:2064
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .  PID:4984
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe .  PID:4172
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe  PID:3208
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe  PID:2724
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .  PID:4988
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe .  PID:1140
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe  PID:5096
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe  PID:400
C:\Windows\system32\cmd.exe /c ohzwqgaqlfmvbsjvxhkd.exe .  PID:4956
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe .  PID:1752
C:\Windows\system32\cmd.exe /c ohzwqgaqlfmvbsjvxhkd.exe  PID:5052
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe  PID:4840
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe .  PID:4136
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe .  PID:4100
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe  PID:2448
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe  PID:3472
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe .  PID:1864
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe .  PID:904
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe  PID:1212
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe  PID:4632
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe .  PID:932
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .  PID:4512
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe  PID:4772
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe  PID:3068
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe .  PID:2088
C:\Windows\system32\cmd.exe /c ohzwqgaqlfmvbsjvxhkd.exe .  PID:400
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe  PID:2812
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe  PID:428
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe .  PID:5028
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe .  PID:1708
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe  PID:1500
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe  PID:3188
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe .  PID:2592
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .  PID:1804
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe  PID:3212
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe  PID:4628
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe .  PID:3420
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .  PID:3312
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe  PID:824
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe  PID:4960
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe .  PID:4884
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .  PID:4572
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe  PID:4440
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe .  PID:2516
C:\Windows\system32\cmd.exe /c ohzwqgaqlfmvbsjvxhkd.exe  PID:1676
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe  PID:3732
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe .  PID:3012
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe .  PID:4956
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe  PID:2272
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe .  PID:2164
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe  PID:4972
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe .  PID:4652
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe  PID:4212
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe .  PID:4120
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe  PID:1780
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .  PID:4352
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe  PID:3168
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe  PID:4492
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .  PID:2520
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe .  PID:1036
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe  PID:3200
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe  PID:3328
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe .  PID:4188
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe .  PID:4412
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe  PID:828
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe  PID:4524
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe .  PID:4788
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe .  PID:2928
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe  PID:5096
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe .  PID:1460
C:\Windows\system32\cmd.exe /c ohzwqgaqlfmvbsjvxhkd.exe  PID:1920
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe .  PID:2008
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe  PID:4336
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe  PID:3712
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .  PID:2876
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .  PID:3416
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe  PID:1392
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe .  PID:1060
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe  PID:4792
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe .  PID:1080
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe  PID:1524
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe  PID:1212
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .  PID:740
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .  PID:1568
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe  PID:1140
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe .  PID:1728
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe  PID:3184
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe .  PID:1828
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe  PID:3860
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe  PID:2948
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe .  PID:2928
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe .  PID:5096
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe  PID:1460
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe .  PID:3524
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe  PID:3344
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe .  PID:1240
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe  PID:2164
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe  PID:4972
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe .  PID:1444
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .  PID:1324
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe  PID:1424
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe .  PID:2876
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe  PID:380
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe .  PID:220
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe  PID:4352
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe  PID:4988
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe .  PID:2756
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe .  PID:1036
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe  PID:2196
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe .  PID:5092
C:\Windows\system32\cmd.exe /c ohzwqgaqlfmvbsjvxhkd.exe  PID:3692
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe .  PID:4092
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe  PID:632
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe  PID:2188
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .  PID:3184
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe .  PID:388
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe  PID:4524
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe .  PID:908
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe  PID:712
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe .  PID:1416
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe  PID:4400
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe  PID:1500
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe .  PID:4552
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe  PID:1424
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe .  PID:3644
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe .  PID:4108
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe  PID:3312
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .  PID:224
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe  PID:1540
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe  PID:3808
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe .  PID:2744
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe .  PID:2676
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe  PID:3556
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe .  PID:232
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads