Analysis

max time kernel: 150s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 17/04/2025, 23:27

Behavioral task: behavioral1
Sample: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Resource: win10v2004-20250314-en

Behavioral task: behavioral2
Sample: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Resource: win11-20250410-en
General

Target: JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Size: 320KB
MD5: bb9948c3da8fee376e600f5467021131
SHA1: c8fec923c44f9debbce6862b0ce24f6686d6faf5
SHA256: 3dfd0e24cf3ccb5898676f46f706ada8a30636bc3383b2406c1cee28aaf319f3
SHA512: 0351bd5fa851347900fdbe6050c6ccdb2e23b2bb587213b9d08b296fa060adcb4ea81f224877b42426074a6282fb362ce7db3f8d277462f9118fb5bc9f5b340e
SSDEEP: 6144:5Tw4o1IV3puaibGKFHi0mofhaH05kipz016580bHFMWu86JQPDHDdx/QtqR:BmgvmzFHi0mo5aH0qMzd5807FKPJQPDV
Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 3 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Pykspa family

UAC bypass (3 TTPs, 12 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | chisahj.exe
Detect Pykspa worm (1 IoCs)

resource | yara_rule
behavioral2/files/0x001b00000002aebd-9.dat | family_pykspa
Adds policy Run key to start application (2 TTPs, 26 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpzsjzkjqjfsevfq.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixiculxxfzwkxpamm.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "rhtohzmnwrpeslxklr.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exmkgbrvhfgyplaqudsla.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "ixiculxxfzwkxpamm.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exmkgbrvhfgyplaqudsla.exe" | chisahj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | chisahj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctgcwpdfplkapjwkmtg.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "bpzsjzkjqjfsevfq.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "phvsnhwzkhhyojxmpxld.exe" | chisahj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "bpzsjzkjqjfsevfq.exe" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhtohzmnwrpeslxklr.exe" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpzsjzkjqjfsevfq.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "exmkgbrvhfgyplaqudsla.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "exmkgbrvhfgyplaqudsla.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "rhtohzmnwrpeslxklr.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctgcwpdfplkapjwkmtg.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "bpzsjzkjqjfsevfq.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "ctgcwpdfplkapjwkmtg.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhtohzmnwrpeslxklr.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "ctgcwpdfplkapjwkmtg.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhtohzmnwrpeslxklr.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "ixiculxxfzwkxpamm.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixiculxxfzwkxpamm.exe" | chisahj.exe
Disables RegEdit via registry modification (6 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | chisahj.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | chisahj.exe
Executes dropped EXE (2 IoCs)

pid | Process
688 | chisahj.exe
3440 | chisahj.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)

description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | chisahj.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | chisahj.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | chisahj.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | chisahj.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | chisahj.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | chisahj.exe
Adds Run key to start application (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ixiculxxfzwkxpamm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exmkgbrvhfgyplaqudsla.exe" | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "ctgcwpdfplkapjwkmtg.exe" | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "phvsnhwzkhhyojxmpxld.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "rhtohzmnwrpeslxklr.exe" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wjskapzxdvqcndm = "rhtohzmnwrpeslxklr.exe ." | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wjskapzxdvqcndm = "rhtohzmnwrpeslxklr.exe ." | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wjskapzxdvqcndm = "exmkgbrvhfgyplaqudsla.exe ." | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ixiculxxfzwkxpamm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhtohzmnwrpeslxklr.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "exmkgbrvhfgyplaqudsla.exe ." | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpzsjzkjqjfsevfq.exe ." | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixiculxxfzwkxpamm.exe ." | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpzsjzkjqjfsevfq.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ixiculxxfzwkxpamm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpzsjzkjqjfsevfq.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bpzsjzkjqjfsevfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixiculxxfzwkxpamm.exe ." | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wjskapzxdvqcndm = "ctgcwpdfplkapjwkmtg.exe ." | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wjskapzxdvqcndm = "bpzsjzkjqjfsevfq.exe ." | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "rhtohzmnwrpeslxklr.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "ctgcwpdfplkapjwkmtg.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bpzsjzkjqjfsevfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctgcwpdfplkapjwkmtg.exe ." | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhtohzmnwrpeslxklr.exe" | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhtohzmnwrpeslxklr.exe ." | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "rhtohzmnwrpeslxklr.exe ." | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "bpzsjzkjqjfsevfq.exe" | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctgcwpdfplkapjwkmtg.exe" | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "ctgcwpdfplkapjwkmtg.exe" | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wjskapzxdvqcndm = "ixiculxxfzwkxpamm.exe ." | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixiculxxfzwkxpamm.exe ." | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bpzsjzkjqjfsevfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exmkgbrvhfgyplaqudsla.exe ." | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixiculxxfzwkxpamm.exe ." | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "exmkgbrvhfgyplaqudsla.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "rhtohzmnwrpeslxklr.exe ." | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "rhtohzmnwrpeslxklr.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "phvsnhwzkhhyojxmpxld.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bpzsjzkjqjfsevfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhtohzmnwrpeslxklr.exe ." | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bpzsjzkjqjfsevfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phvsnhwzkhhyojxmpxld.exe ." | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctgcwpdfplkapjwkmtg.exe ." | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ixiculxxfzwkxpamm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctgcwpdfplkapjwkmtg.exe" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exmkgbrvhfgyplaqudsla.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "bpzsjzkjqjfsevfq.exe ." | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bpzsjzkjqjfsevfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpzsjzkjqjfsevfq.exe ." | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctgcwpdfplkapjwkmtg.exe" | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpzsjzkjqjfsevfq.exe ." | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "ixiculxxfzwkxpamm.exe ." | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixiculxxfzwkxpamm.exe" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "ctgcwpdfplkapjwkmtg.exe" | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exmkgbrvhfgyplaqudsla.exe ." | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wjskapzxdvqcndm = "ctgcwpdfplkapjwkmtg.exe ." | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "exmkgbrvhfgyplaqudsla.exe ." | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "bpzsjzkjqjfsevfq.exe" | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "rhtohzmnwrpeslxklr.exe" | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "phvsnhwzkhhyojxmpxld.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "rhtohzmnwrpeslxklr.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "phvsnhwzkhhyojxmpxld.exe ." | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "exmkgbrvhfgyplaqudsla.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "ctgcwpdfplkapjwkmtg.exe ." | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "ctgcwpdfplkapjwkmtg.exe" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctgcwpdfplkapjwkmtg.exe ." | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpzsjzkjqjfsevfq.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ixiculxxfzwkxpamm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phvsnhwzkhhyojxmpxld.exe" | chisahj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixiculxxfzwkxpamm.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "bpzsjzkjqjfsevfq.exe ." | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ixiculxxfzwkxpamm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhtohzmnwrpeslxklr.exe" | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "ctgcwpdfplkapjwkmtg.exe ." | chisahj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "bpzsjzkjqjfsevfq.exe" | chisahj.exe
Checks whether UAC is enabled (1 TTPs, 6 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | chisahj.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | chisahj.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | chisahj.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users.

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | chisahj.exe
Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.

flow | ioc
2 | whatismyip.everdot.org
6 | www.whatismyip.ca
2 | www.whatismyip.ca
2 | whatismyipaddress.com
2 | www.showmyipaddress.com
Drops file in System32 directory (4 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\vxvchlkxszjkkpnmzrprpwbfer.tde | chisahj.exe
File created | C:\Windows\SysWOW64\vxvchlkxszjkkpnmzrprpwbfer.tde | chisahj.exe
File opened for modification | C:\Windows\SysWOW64\wjskapzxdvqcndmwuxgtcukzjhnfamxnwgehq.meu | chisahj.exe
File created | C:\Windows\SysWOW64\wjskapzxdvqcndmwuxgtcukzjhnfamxnwgehq.meu | chisahj.exe
Drops file in Program Files directory (4 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files (x86)\vxvchlkxszjkkpnmzrprpwbfer.tde | chisahj.exe
File created | C:\Program Files (x86)\vxvchlkxszjkkpnmzrprpwbfer.tde | chisahj.exe
File opened for modification | C:\Program Files (x86)\wjskapzxdvqcndmwuxgtcukzjhnfamxnwgehq.meu | chisahj.exe
File created | C:\Program Files (x86)\wjskapzxdvqcndmwuxgtcukzjhnfamxnwgehq.meu | chisahj.exe
Drops file in Windows directory (4 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\vxvchlkxszjkkpnmzrprpwbfer.tde | chisahj.exe
File created | C:\Windows\vxvchlkxszjkkpnmzrprpwbfer.tde | chisahj.exe
File opened for modification | C:\Windows\wjskapzxdvqcndmwuxgtcukzjhnfamxnwgehq.meu | chisahj.exe
File created | C:\Windows\wjskapzxdvqcndmwuxgtcukzjhnfamxnwgehq.meu | chisahj.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chisahj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chisahj.exe
Modifies registry class (3 IoCs)

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000_Classes\Local Settings | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Key created | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000_Classes\Local Settings | chisahj.exe
Key created | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000_Classes\Local Settings | chisahj.exe
Suspicious behavior: EnumeratesProcesses (24 IoCs)

pid | Process
3440 | chisahj.exe (24 identical entries)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

pid | Process
688 | chisahj.exe
3440 | chisahj.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 3440 | chisahj.exe
Suspicious use of WriteProcessMemory (6 IoCs)

description | pid | Process | procid_target
PID 1864 wrote to memory of 688 | 1864 | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | 94
PID 1864 wrote to memory of 688 | 1864 | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | 94
PID 1864 wrote to memory of 688 | 1864 | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | 94
PID 1864 wrote to memory of 3440 | 1864 | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | 95
PID 1864 wrote to memory of 3440 | 1864 | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | 95
PID 1864 wrote to memory of 3440 | 1864 | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | 95
System policy modification (1 TTPs, 36 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | chisahj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | chisahj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | chisahj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | chisahj.exe
Processes
- "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe"  PID:1864
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
    - "C:\Users\Admin\AppData\Local\Temp\chisahj.exe" "-"  PID:688
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - System policy modification
    - "C:\Users\Admin\AppData\Local\Temp\chisahj.exe" "-"  PID:3440
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Impair Defenses: Safe Mode Boot
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
- C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe  PID:1488
- C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe .  PID:3392
- C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe  PID:3508
- C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .  PID:4112
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe  PID:3704
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .  PID:1352
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe  PID:5076
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .  PID:1128
- C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe  PID:4388
- C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe  PID:2304
- C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .  PID:1200
- C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding  PID:1416
- C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .  PID:4820
- C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe  PID:2252
- C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe  PID:1968
- C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe .  PID:4260
- C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe .  PID:4468
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe  PID:4012
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe  PID:880
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .  PID:1172
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .  PID:3944
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe  PID:4392
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe  PID:4028
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .  PID:3120
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe .  PID:2608
- C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe  PID:3560
- C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe  PID:1972
- C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe  PID:4844
- C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe .  PID:4524
- C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .  PID:3472
- C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe  PID:4772
- C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe  PID:2732
- C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe .  PID:4768
- C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .  PID:4112
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe  PID:2684
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe  PID:1044
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .  PID:1764
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .  PID:1300
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe  PID:1712
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe  PID:2440
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe .  PID:4388
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .  PID:968
- C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe  PID:3860
- C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe  PID:2060
- C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe .  PID:1296
- C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .  PID:3424
- C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe  PID:132
- C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe  PID:5104
- C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .  PID:1920
- C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .  PID:5092
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe  PID:2332
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe  PID:4492
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe .  PID:3080
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .  PID:2752
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe  PID:2368
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe  PID:912
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .  PID:4084
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe .  PID:788
- C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe  PID:1448
- C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe  PID:1404
- C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe .  PID:924
- C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .  PID:1300
- C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe  PID:3740
- C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe  PID:2440
- C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .  PID:4944
- C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .  PID:748
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe  PID:2388
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe  PID:2620
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .  PID:3984
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .  PID:3972
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe  PID:1192
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .  PID:4468
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe  PID:4212
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .  PID:2748
- C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe  PID:492
- C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe  PID:3428
- C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .  PID:3120
- C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .  PID:2616
- C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe  PID:3156
- C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe .  PID:3520
- C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe  PID:2708
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe  PID:3012
- C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe .  PID:1188
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .  PID:3184
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe  PID:124
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .  PID:3340
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe  PID:3508
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .  PID:908
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe  PID:2772
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .  PID:4824
- C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe  PID:2256
- C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe  PID:3652
- C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe .  PID:3948
- C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe .  PID:748
- C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe  PID:1908
- C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe .  PID:672
- C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe  PID:496
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe  PID:2060
- C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .  PID:4276
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .  PID:1836
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe  PID:1996
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .  PID:1724
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe  PID:248
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .  PID:1256
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe  PID:2872
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .  PID:1648
- C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe  PID:2372
- C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe  PID:576
- C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .  PID:1188
- C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .  PID:1948
- C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe  PID:4780
- C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .  PID:4236
- C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe  PID:3172
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe  PID:2940
- C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe .  PID:548
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .  PID:1404
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe  PID:620
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .  PID:1900
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe  PID:3876
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .  PID:3700
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe  PID:3200
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe .  PID:1076
- C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe  PID:4596
- C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .  PID:3972
- C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe  PID:4604
- C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe .  PID:1120
- C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe  PID:1820
- C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .  PID:1836
- C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe  PID:4484
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe  PID:2260
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe .  PID:4832
- C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe .  PID:248
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe  PID:1212
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .  PID:3080
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe  PID:1992
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .  PID:1440
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe  PID:3312
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .  PID:5112
- C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe  PID:2932
- C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .  PID:4660
- C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe  PID:4016
- C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe .  PID:4036
- C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe  PID:3380
- C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .  PID:3592
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe  PID:3844
- C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe  PID:1128
- C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .  PID:1456
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe .  PID:1500
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe  PID:1712
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .  PID:1644
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe  PID:1612
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe .  PID:2896
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe  PID:3900
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .  PID:2204
- C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe  PID:4604
- C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe .  PID:2412
- C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe  PID:5044
- C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe  PID:2652
- C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .  PID:1516
- C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .  PID:4392
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe  PID:3160
- C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe  PID:2332
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .  PID:4832
- C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .  PID:1648
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe  PID:1832
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .  PID:3156
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe  PID:1728
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .  PID:4488
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe  PID:2408
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .  PID:1972
- C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe  PID:4112
- C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .  PID:3704
- C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe  PID:3536
- C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe  PID:3836
- C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe .  PID:1404
- C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe .  PID:4332
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe  PID:3876
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .  PID:3556
- C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe  PID:1416
- C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .  PID:2140
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe  PID:780
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe  PID:5084
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .  PID:344
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe .  PID:2488
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe  PID:2868
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .  PID:4076
- C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe  PID:4340
- C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .  PID:1256
- C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe  PID:4492
- C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe  PID:248
- C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .  PID:1632
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe  PID:4884
- C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .  PID:1680
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe .  PID:3016
- C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe  PID:960
- C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe .  PID:4356
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe  PID:4452
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe  PID:1008
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads