Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250410-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/04/2025, 01:43
Behavioral task: behavioral1
Sample: JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Resource: win10v2004-20250410-en

Behavioral task: behavioral2
Sample: JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Resource: win11-20250410-en
General
Target: JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Size: 712KB
MD5: c0b20d90d346511b654c08a7a94a9dbc
SHA1: 556bbde3f4ee371edacccf0a064f5e7c52404d91
SHA256: 1218003efc6c2b220d924d207b0d83fd5d20f3a13102f4495c0ad1e86f5e5bbd
SHA512: 2e540f8e990699373507d7667637464fa1e21c3cbde63d42a8531e64983104371b521e208765dc24a50ea4d7d423ed4b334c2a5feece235ef8c123a0bd46e63f
SSDEEP: 6144:u1Qv8rK3FQp4LGCr9a9n4FRm6RGMXKqCQFHgTD86JQPDHDdx/Qtqa:7OkiCpat4FU6JXKqFZgDPJQPDHvd
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | ydqucko.exe
UAC bypass (3 TTPs, 12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Adds policy Run key to start application (2 TTPs, 26 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqewocvjzwikucbb.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lddupkbxohhwbozbebhz.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atumiewtlfgwcqcfjhohi.exe" | ydqucko.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbsamygtblc = "xlhulcphujfqrahf.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbsamygtblc = "ypoeysidtlkycoyzbxc.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atumiewtlfgwcqcfjhohi.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbsamygtblc = "ndbqjcrlarpcfqzzav.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndbqjcrlarpcfqzzav.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lddupkbxohhwbozbebhz.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypoeysidtlkycoyzbxc.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbsamygtblc = "lddupkbxohhwbozbebhz.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbsamygtblc = "atumiewtlfgwcqcfjhohi.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbsamygtblc = "ndbqjcrlarpcfqzzav.exe" | ydqucko.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlhulcphujfqrahf.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlhulcphujfqrahf.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndbqjcrlarpcfqzzav.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbsamygtblc = "etqewocvjzwikucbb.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbsamygtblc = "ypoeysidtlkycoyzbxc.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbsamygtblc = "lddupkbxohhwbozbebhz.exe" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndbqjcrlarpcfqzzav.exe" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbsamygtblc = "lddupkbxohhwbozbebhz.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbsamygtblc = "xlhulcphujfqrahf.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqewocvjzwikucbb.exe" | ydqucko.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ydqucko.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ydqucko.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ydqucko.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Executes dropped EXE (2 IoCs)
pid | Process
2924 | ydqucko.exe
1048 | ydqucko.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | ydqucko.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | ydqucko.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | ydqucko.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | ydqucko.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | ydqucko.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | ydqucko.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "xlhulcphujfqrahf.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "ypoeysidtlkycoyzbxc.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "ndbqjcrlarpcfqzzav.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndbqjcrlarpcfqzzav.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "lddupkbxohhwbozbebhz.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzranajxgrjq = "xlhulcphujfqrahf.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfamcsevhvqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlhulcphujfqrahf.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbvgvkvlwjdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lddupkbxohhwbozbebhz.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzranajxgrjq = "ndbqjcrlarpcfqzzav.exe" | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzranajxgrjq = "atumiewtlfgwcqcfjhohi.exe" | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzranajxgrjq = "atumiewtlfgwcqcfjhohi.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfamcsevhvqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypoeysidtlkycoyzbxc.exe" | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzranajxgrjq = "lddupkbxohhwbozbebhz.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfamcsevhvqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atumiewtlfgwcqcfjhohi.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "ypoeysidtlkycoyzbxc.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfamcsevhvqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypoeysidtlkycoyzbxc.exe" | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lddupkbxohhwbozbebhz.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbvgvkvlwjdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlhulcphujfqrahf.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atumiewtlfgwcqcfjhohi.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzranajxgrjq = "etqewocvjzwikucbb.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbvgvkvlwjdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lddupkbxohhwbozbebhz.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "etqewocvjzwikucbb.exe ." | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbvgvkvlwjdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqewocvjzwikucbb.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypoeysidtlkycoyzbxc.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqewocvjzwikucbb.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "xlhulcphujfqrahf.exe" | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ozscqeodnzsay = "xlhulcphujfqrahf.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "ypoeysidtlkycoyzbxc.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ozscqeodnzsay = "ndbqjcrlarpcfqzzav.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfamcsevhvqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqewocvjzwikucbb.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "etqewocvjzwikucbb.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlhulcphujfqrahf.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypoeysidtlkycoyzbxc.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "xlhulcphujfqrahf.exe" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "xlhulcphujfqrahf.exe ." | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfamcsevhvqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lddupkbxohhwbozbebhz.exe" | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqewocvjzwikucbb.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "ndbqjcrlarpcfqzzav.exe" | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzranajxgrjq = "ypoeysidtlkycoyzbxc.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "xlhulcphujfqrahf.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfamcsevhvqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lddupkbxohhwbozbebhz.exe" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbvgvkvlwjdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlhulcphujfqrahf.exe ." | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbvgvkvlwjdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqewocvjzwikucbb.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "etqewocvjzwikucbb.exe" | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzranajxgrjq = "ypoeysidtlkycoyzbxc.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "ndbqjcrlarpcfqzzav.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "lddupkbxohhwbozbebhz.exe" | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlhulcphujfqrahf.exe" | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypoeysidtlkycoyzbxc.exe" | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ozscqeodnzsay = "xlhulcphujfqrahf.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "ndbqjcrlarpcfqzzav.exe" | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atumiewtlfgwcqcfjhohi.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzranajxgrjq = "atumiewtlfgwcqcfjhohi.exe" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbvgvkvlwjdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atumiewtlfgwcqcfjhohi.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfamcsevhvqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndbqjcrlarpcfqzzav.exe" | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzranajxgrjq = "ndbqjcrlarpcfqzzav.exe" | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ozscqeodnzsay = "ypoeysidtlkycoyzbxc.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lddupkbxohhwbozbebhz.exe" | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "xlhulcphujfqrahf.exe" | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzranajxgrjq = "etqewocvjzwikucbb.exe" | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ozscqeodnzsay = "etqewocvjzwikucbb.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbvgvkvlwjdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlhulcphujfqrahf.exe ." | ydqucko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "atumiewtlfgwcqcfjhohi.exe" | ydqucko.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ozscqeodnzsay = "lddupkbxohhwbozbebhz.exe ." | ydqucko.exe
Checks whether UAC is enabled (1 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ydqucko.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ydqucko.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ydqucko.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | ydqucko.exe
Looks up external IP address via web service (9 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
27 | www.showmyipaddress.com
30 | www.whatismyip.ca
38 | whatismyip.everdot.org
40 | www.whatismyip.ca
47 | whatismyip.everdot.org
54 | www.whatismyip.ca
55 | whatismyip.everdot.org
33 | whatismyipaddress.com
49 | www.whatismyip.ca
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\bzfcdebdazfalevdmpbzfc.ebd | ydqucko.exe
File created | C:\Windows\SysWOW64\bzfcdebdazfalevdmpbzfc.ebd | ydqucko.exe
File opened for modification | C:\Windows\SysWOW64\sbsamygtblcieikdxliriqcowjrbsyuya.nby | ydqucko.exe
File created | C:\Windows\SysWOW64\sbsamygtblcieikdxliriqcowjrbsyuya.nby | ydqucko.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\bzfcdebdazfalevdmpbzfc.ebd | ydqucko.exe
File created | C:\Program Files (x86)\bzfcdebdazfalevdmpbzfc.ebd | ydqucko.exe
File opened for modification | C:\Program Files (x86)\sbsamygtblcieikdxliriqcowjrbsyuya.nby | ydqucko.exe
File created | C:\Program Files (x86)\sbsamygtblcieikdxliriqcowjrbsyuya.nby | ydqucko.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\bzfcdebdazfalevdmpbzfc.ebd | ydqucko.exe
File created | C:\Windows\bzfcdebdazfalevdmpbzfc.ebd | ydqucko.exe
File opened for modification | C:\Windows\sbsamygtblcieikdxliriqcowjrbsyuya.nby | ydqucko.exe
File created | C:\Windows\sbsamygtblcieikdxliriqcowjrbsyuya.nby | ydqucko.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ydqucko.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ydqucko.exe
Modifies registry class (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000_Classes\Local Settings | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000_Classes\Local Settings | ydqucko.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000_Classes\Local Settings | ydqucko.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid | Process
2924 | ydqucko.exe (20 identical entries)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
1048 | ydqucko.exe
2924 | ydqucko.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2924 | ydqucko.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 5380 wrote to memory of 2924 | 5380 | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe | 104
PID 5380 wrote to memory of 2924 | 5380 | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe | 104
PID 5380 wrote to memory of 2924 | 5380 | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe | 104
PID 5380 wrote to memory of 1048 | 5380 | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe | 105
PID 5380 wrote to memory of 1048 | 5380 | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe | 105
PID 5380 wrote to memory of 1048 | 5380 | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe | 105
System policy modification (1 TTPs, 36 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ydqucko.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | ydqucko.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ydqucko.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | ydqucko.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | ydqucko.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5380 -
"C:\Users\Admin\AppData\Local\Temp\ydqucko.exe" "-" (child of PID:5380)
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2924
-
-
"C:\Users\Admin\AppData\Local\Temp\ydqucko.exe" "-" (child of PID:5380)
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- System policy modification
PID:1048
-
-
C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe (PID:5192)
C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe . (PID:552)
C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe (PID:5708)
C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe . (PID:2448)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe (PID:1936)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe . (PID:4680)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe (PID:4080)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe . (PID:5116)
C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe (PID:2248)
C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe (PID:2276)
C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe . (PID:5868)
C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe . (PID:2112)
C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe (PID:1360)
C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe (PID:1632)
C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe . (PID:6084)
C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe . (PID:4528)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypoeysidtlkycoyzbxc.exe (PID:1056)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypoeysidtlkycoyzbxc.exe (PID:1060)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe . (PID:5420)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe . (PID:3128)
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding (PID:3588)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe (PID:2368)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe (PID:2724)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe . (PID:2812)
C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe (PID:2892)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe . (PID:4268)
C:\Windows\system32\cmd.exe /c etqewocvjzwikucbb.exe . (PID:5136)
C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe (PID:5744)
C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe (PID:2508)
C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe . (PID:3384)
C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe . (PID:4016)
C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe (PID:5464)
C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe (PID:4736)
C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe . (PID:1436)
C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe . (PID:4916)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe (PID:4988)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe (PID:4816)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe . (PID:5352)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe . (PID:4284)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe (PID:1156)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe (PID:1592)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe . (PID:5560)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe . (PID:6036)
C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe (PID:5592)
C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe (PID:2060)
C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe . (PID:3016)
C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe . (PID:2656)
C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe (PID:4380)
C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe (PID:2532)
C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe . (PID:3376)
C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe . (PID:1072)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe (PID:4252)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe (PID:1736)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe . (PID:4108)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe . (PID:3900)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe (PID:3180)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe (PID:3332)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe . (PID:1400)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypoeysidtlkycoyzbxc.exe . (PID:4392)
C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe (PID:1156)
C:\Windows\system32\cmd.exe /c etqewocvjzwikucbb.exe (PID:5776)
C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe . (PID:2744)
C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe . (PID:3356)
C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe (PID:3668)
C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe (PID:2056)
C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe . (PID:3724)
C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe . (PID:2408)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe (PID:2172)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe (PID:2200)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe . (PID:1924)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe . (PID:5268)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe (PID:408)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe (PID:3528)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe . (PID:5240)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe . (PID:540)
C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe (PID:3912)
C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe (PID:4428)
C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe . (PID:5232)
C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe . (PID:2988)
C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe (PID:2416)
C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe (PID:1400)
C:\Windows\system32\cmd.exe /c etqewocvjzwikucbb.exe . (PID:2272)
C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe . (PID:2128)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypoeysidtlkycoyzbxc.exe (PID:2948)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe (PID:5964)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe . (PID:2468)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe . (PID:5004)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe (PID:5672)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe (PID:3936)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe . (PID:4680)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe . (PID:4816)
C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe (PID:4740)
C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe (PID:2744)
C:\Windows\system32\cmd.exe /c etqewocvjzwikucbb.exe . (PID:3800)
C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe . (PID:5248)
C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe (PID:4516)
C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe (PID:316)
C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe . (PID:1340)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe (PID:5720)
C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe . (PID:2680)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe . (PID:2456)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe (PID:2200)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypoeysidtlkycoyzbxc.exe . (PID:2340)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe (PID:1060)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe (PID:5864)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe . (PID:3664)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe . (PID:64)
C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe (PID:1148)
C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe (PID:1892)
C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe . (PID:1540)
C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe . (PID:2660)
C:\Windows\system32\cmd.exe /c etqewocvjzwikucbb.exe (PID:2528)
C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe (PID:1812)
C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe . (PID:2288)
C:\Windows\system32\cmd.exe /c etqewocvjzwikucbb.exe . (PID:1180)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe (PID:3804)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe (PID:5196)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe . (PID:1452)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe . (PID:4484)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe (PID:5672)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypoeysidtlkycoyzbxc.exe (PID:5364)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe . (PID:2260)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe . (PID:1936)
C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe (PID:5016)
C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe (PID:5472)
C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe . (PID:3956)
C:\Windows\system32\cmd.exe /c etqewocvjzwikucbb.exe . (PID:5996)
C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe (PID:976)
C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe (PID:2656)
C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe . (PID:3360)
C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe . (PID:3800)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe (PID:4008)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe (PID:4412)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypoeysidtlkycoyzbxc.exe . (PID:3004)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe . (PID:1844)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe (PID:3016)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe (PID:4188)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe . (PID:2336)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe . (PID:5224)
C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe (PID:5084)
C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe (PID:6076)
C:\Windows\system32\cmd.exe /c etqewocvjzwikucbb.exe . (PID:428)
C:\Windows\system32\cmd.exe /c etqewocvjzwikucbb.exe . (PID:4704)
C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe (PID:5876)
C:\Windows\system32\cmd.exe /c etqewocvjzwikucbb.exe (PID:1272)
C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe . (PID:6080)
C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe . (PID:5552)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe (PID:1608)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe (PID:3948)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe . (PID:1148)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe . (PID:3124)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe (PID:5092)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe (PID:2468)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe . (PID:5664)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe . (PID:5068)
C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe (PID:5896)
C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe (PID:6032)
C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe . (PID:5708)
C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe . (PID:5712)
C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe (PID:2216)
C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe (PID:4908)
C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe . (PID:5404)
C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe . (PID:5188)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe (PID:5616)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe (PID:3964)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe . (PID:1156)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe . (PID:4512)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe (PID:6036)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe (PID:5996)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypoeysidtlkycoyzbxc.exe . (PID:3968)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypoeysidtlkycoyzbxc.exe . (PID:3588)
C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe (PID:2360)
C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe (PID:4480)
C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe . (PID:4872)
C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe . (PID:1460)
C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe (PID:4524)
C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe (PID:4220)
C:\Windows\system32\cmd.exe /c etqewocvjzwikucbb.exe . (PID:736)
C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe . (PID:5048)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe (PID:5292)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe (PID:552)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe . (PID:5136)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe . (PID:6080)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe (PID:544)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe (PID:6008)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe . (PID:5232)
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe . (PID:5432)
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads