Analysis
max time kernel: 150s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 19/04/2025, 01:43
Behavioral task behavioral1
Sample: JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Resource: win10v2004-20250410-en
Behavioral task behavioral2
Sample: JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Resource: win11-20250410-en
General
Target: JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Size: 712KB
MD5: c0b20d90d346511b654c08a7a94a9dbc
SHA1: 556bbde3f4ee371edacccf0a064f5e7c52404d91
SHA256: 1218003efc6c2b220d924d207b0d83fd5d20f3a13102f4495c0ad1e86f5e5bbd
SHA512: 2e540f8e990699373507d7667637464fa1e21c3cbde63d42a8531e64983104371b521e208765dc24a50ea4d7d423ed4b334c2a5feece235ef8c123a0bd46e63f
SSDEEP: 6144:u1Qv8rK3FQp4LGCr9a9n4FRm6RGMXKqCQFHgTD86JQPDHDdx/Qtqa:7OkiCpat4FU6JXKqFZgDPJQPDHvd
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gvzdgq.exe
UAC bypass (3 TTPs, 12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | gvzdgq.exe
Adds policy Run key to start application (2 TTPs, 23 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kfpziyfwirin = "srftgalgwjentjmz.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zryflycqz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzodrmyulzvfmdhvq.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kfpziyfwirin = "srftgalgwjentjmz.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kfpziyfwirin = "gjbtkixwqhgtdxevttcf.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zryflycqz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijzpeankcrozhzetpn.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kfpziyfwirin = "zzodrmyulzvfmdhvq.exe" | gvzdgq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kfpziyfwirin = "tvmdtqecvljvexdtqpx.exe" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kfpziyfwirin = "tvmdtqecvljvexdtqpx.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zryflycqz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tvmdtqecvljvexdtqpx.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zryflycqz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vzsldcssnfftezhzyzjng.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zryflycqz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijzpeankcrozhzetpn.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zryflycqz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzodrmyulzvfmdhvq.exe" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gvzdgq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zryflycqz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjbtkixwqhgtdxevttcf.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zryflycqz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srftgalgwjentjmz.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kfpziyfwirin = "gjbtkixwqhgtdxevttcf.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zryflycqz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tvmdtqecvljvexdtqpx.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kfpziyfwirin = "vzsldcssnfftezhzyzjng.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zryflycqz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srftgalgwjentjmz.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kfpziyfwirin = "ijzpeankcrozhzetpn.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kfpziyfwirin = "ijzpeankcrozhzetpn.exe" | gvzdgq.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gvzdgq.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gvzdgq.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Executes dropped EXE (2 IoCs)
pid | Process
5332 | gvzdgq.exe
4312 | gvzdgq.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | gvzdgq.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | gvzdgq.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | gvzdgq.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | gvzdgq.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | gvzdgq.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | gvzdgq.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "gjbtkixwqhgtdxevttcf.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tvmdtqecvljvexdtqpx.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzodrmyulzvfmdhvq.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "ijzpeankcrozhzetpn.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "srftgalgwjentjmz.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\khtfqirkyjcjnb = "tvmdtqecvljvexdtqpx.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "zzodrmyulzvfmdhvq.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\srftgalgwjentjmz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vzsldcssnfftezhzyzjng.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\khtfqirkyjcjnb = "zzodrmyulzvfmdhvq.exe ." | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\srftgalgwjentjmz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzodrmyulzvfmdhvq.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srftgalgwjentjmz.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\srftgalgwjentjmz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjbtkixwqhgtdxevttcf.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "srftgalgwjentjmz.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\jfqblckcpzrxa = "srftgalgwjentjmz.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\khtfqirkyjcjnb = "gjbtkixwqhgtdxevttcf.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\jfqblckcpzrxa = "zzodrmyulzvfmdhvq.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "ijzpeankcrozhzetpn.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "srftgalgwjentjmz.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjbtkixwqhgtdxevttcf.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzodrmyulzvfmdhvq.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "gjbtkixwqhgtdxevttcf.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\jfqblckcpzrxa = "tvmdtqecvljvexdtqpx.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "zzodrmyulzvfmdhvq.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\srftgalgwjentjmz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijzpeankcrozhzetpn.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjbtkixwqhgtdxevttcf.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\jfqblckcpzrxa = "tvmdtqecvljvexdtqpx.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\jfqblckcpzrxa = "srftgalgwjentjmz.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vzsldcssnfftezhzyzjng.exe" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "gjbtkixwqhgtdxevttcf.exe ." | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\khtfqirkyjcjnb = "vzsldcssnfftezhzyzjng.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nlylxqaujvpxcrt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjbtkixwqhgtdxevttcf.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\srftgalgwjentjmz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzodrmyulzvfmdhvq.exe" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vzsldcssnfftezhzyzjng.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nlylxqaujvpxcrt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vzsldcssnfftezhzyzjng.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "tvmdtqecvljvexdtqpx.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\khtfqirkyjcjnb = "zzodrmyulzvfmdhvq.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "vzsldcssnfftezhzyzjng.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nlylxqaujvpxcrt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vzsldcssnfftezhzyzjng.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\jfqblckcpzrxa = "vzsldcssnfftezhzyzjng.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nlylxqaujvpxcrt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srftgalgwjentjmz.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "zzodrmyulzvfmdhvq.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "vzsldcssnfftezhzyzjng.exe ." | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srftgalgwjentjmz.exe ." | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nlylxqaujvpxcrt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijzpeankcrozhzetpn.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tvmdtqecvljvexdtqpx.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijzpeankcrozhzetpn.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "gjbtkixwqhgtdxevttcf.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tvmdtqecvljvexdtqpx.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "ijzpeankcrozhzetpn.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\jfqblckcpzrxa = "gjbtkixwqhgtdxevttcf.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nlylxqaujvpxcrt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzodrmyulzvfmdhvq.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\khtfqirkyjcjnb = "gjbtkixwqhgtdxevttcf.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "vzsldcssnfftezhzyzjng.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srftgalgwjentjmz.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\jfqblckcpzrxa = "ijzpeankcrozhzetpn.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nlylxqaujvpxcrt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srftgalgwjentjmz.exe ." | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\jfqblckcpzrxa = "zzodrmyulzvfmdhvq.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\khtfqirkyjcjnb = "ijzpeankcrozhzetpn.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nlylxqaujvpxcrt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjbtkixwqhgtdxevttcf.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "zzodrmyulzvfmdhvq.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\srftgalgwjentjmz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjbtkixwqhgtdxevttcf.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\srftgalgwjentjmz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srftgalgwjentjmz.exe" | gvzdgq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\khtfqirkyjcjnb = "vzsldcssnfftezhzyzjng.exe ." | gvzdgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "vzsldcssnfftezhzyzjng.exe ." | gvzdgq.exe
Checks whether UAC is enabled (1 TTPs, 6 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gvzdgq.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gvzdgq.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | gvzdgq.exe
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | whatismyipaddress.com
2 | www.whatismyip.ca
2 | whatismyip.everdot.org
2 | www.showmyipaddress.com
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wfdbycxcczexnnaxbhwfdb.cxc | gvzdgq.exe
File created | C:\Windows\SysWOW64\wfdbycxcczexnnaxbhwfdb.cxc | gvzdgq.exe
File opened for modification | C:\Windows\SysWOW64\nhqzhwcsdlbfgrpxmddxgpxmsitbrvwhf.ctt | gvzdgq.exe
File created | C:\Windows\SysWOW64\nhqzhwcsdlbfgrpxmddxgpxmsitbrvwhf.ctt | gvzdgq.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\nhqzhwcsdlbfgrpxmddxgpxmsitbrvwhf.ctt | gvzdgq.exe
File created | C:\Program Files (x86)\nhqzhwcsdlbfgrpxmddxgpxmsitbrvwhf.ctt | gvzdgq.exe
File opened for modification | C:\Program Files (x86)\wfdbycxcczexnnaxbhwfdb.cxc | gvzdgq.exe
File created | C:\Program Files (x86)\wfdbycxcczexnnaxbhwfdb.cxc | gvzdgq.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\wfdbycxcczexnnaxbhwfdb.cxc | gvzdgq.exe
File created | C:\Windows\wfdbycxcczexnnaxbhwfdb.cxc | gvzdgq.exe
File opened for modification | C:\Windows\nhqzhwcsdlbfgrpxmddxgpxmsitbrvwhf.ctt | gvzdgq.exe
File created | C:\Windows\nhqzhwcsdlbfgrpxmddxgpxmsitbrvwhf.ctt | gvzdgq.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gvzdgq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gvzdgq.exe
Modifies registry class (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Local Settings | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Key created | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Local Settings | gvzdgq.exe
Key created | \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Local Settings | gvzdgq.exe
Suspicious behavior: EnumeratesProcesses (24 IoCs)
pid | Process
5332 | gvzdgq.exe (the same entry is recorded 24 times)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
4312 | gvzdgq.exe
5332 | gvzdgq.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5332 | gvzdgq.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4092 wrote to memory of 5332 | 4092 | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe | 100
PID 4092 wrote to memory of 5332 | 4092 | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe | 100
PID 4092 wrote to memory of 5332 | 4092 | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe | 100
PID 4092 wrote to memory of 4312 | 4092 | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe | 101
PID 4092 wrote to memory of 4312 | 4092 | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe | 101
PID 4092 wrote to memory of 4312 | 4092 | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe | 101
System policy modification (1 TTPs, 36 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | gvzdgq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gvzdgq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | gvzdgq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gvzdgq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | gvzdgq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gvzdgq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | gvzdgq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | gvzdgq.exe
Processes
Process: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 4092

Process: C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5332
-
-
C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe"C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe" "-"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- System policy modification
PID:4312
-
-
C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe (depth 1) PID:4568
C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe . (depth 1) PID:5492
C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe (depth 1) PID:5016
C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe . (depth 1) PID:4332
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe (depth 1) PID:5096
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe . (depth 1) PID:4472
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe (depth 1) PID:2932
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe . (depth 1) PID:4740
C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe (depth 1) PID:5924
C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe (depth 1) PID:2576
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding (depth 1) PID:2132
C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe . (depth 1) PID:6084
C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe . (depth 1) PID:4904
C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe (depth 1) PID:2728
C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe (depth 1) PID:1180
C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe . (depth 1) PID:1536
C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe . (depth 1) PID:780
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe (depth 1) PID:692
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe (depth 1) PID:1448
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe . (depth 1) PID:1892
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe . (depth 1) PID:5776
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvmdtqecvljvexdtqpx.exe (depth 1) PID:2940
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe (depth 1) PID:2892
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe . (depth 1) PID:1872
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe . (depth 1) PID:4420
C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe (depth 1) PID:5784
C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe . (depth 1) PID:1052
C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe (depth 1) PID:896
C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe (depth 1) PID:1852
C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe . (depth 1) PID:3288
C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe . (depth 1) PID:1252
C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe (depth 1) PID:5828
C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe (depth 1) PID:2196
C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe . (depth 1) PID:3976
C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe . (depth 1) PID:732
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe (depth 1) PID:5628
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe (depth 1) PID:2120
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe . (depth 1) PID:5476
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe . (depth 1) PID:5872
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvmdtqecvljvexdtqpx.exe (depth 1) PID:5524
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe (depth 1) PID:2064
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe . (depth 1) PID:2760
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe . (depth 1) PID:5220
C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe (depth 1) PID:5772
C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe (depth 1) PID:4900
C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe . (depth 1) PID:3304
C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe . (depth 1) PID:4336
C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe (depth 1) PID:4356
C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe (depth 1) PID:4584
C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe . (depth 1) PID:5416
C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe . (depth 1) PID:2896
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe (depth 1) PID:2160
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe (depth 1) PID:4400
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe . (depth 1) PID:5488
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe . (depth 1) PID:5080
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe (depth 1) PID:5936
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe (depth 1) PID:3136
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvmdtqecvljvexdtqpx.exe . (depth 1) PID:3344
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe . (depth 1) PID:2576
C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe (depth 1) PID:3948
C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe (depth 1) PID:1256
C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe . (depth 1) PID:2404
C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe . (depth 1) PID:2108
C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe (depth 1) PID:5500
C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe (depth 1) PID:1988
C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe . (depth 1) PID:4692
C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe . (depth 1) PID:5452
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvmdtqecvljvexdtqpx.exe (depth 1) PID:2320
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe (depth 1) PID:5408
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe . (depth 1) PID:3576
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe . (depth 1) PID:5604
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe (depth 1) PID:1852
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe (depth 1) PID:2960
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvmdtqecvljvexdtqpx.exe . (depth 1) PID:852
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe . (depth 1) PID:1176
C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe (depth 1) PID:5820
C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe (depth 1) PID:920
C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe . (depth 1) PID:4772
C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe . (depth 1) PID:4756
C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe (depth 1) PID:1864
C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe (depth 1) PID:5376
C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe . (depth 1) PID:760
C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe . (depth 1) PID:5204
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe (depth 1) PID:4968
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe (depth 1) PID:5224
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe . (depth 1) PID:2448
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe . (depth 1) PID:1768
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvmdtqecvljvexdtqpx.exe (depth 1) PID:4900
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe (depth 1) PID:4332
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe . (depth 1) PID:4436
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe . (depth 1) PID:3352
C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe (depth 1) PID:3692
C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe (depth 1) PID:4452
C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe . (depth 1) PID:856
C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe . (depth 1) PID:5448
C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe (depth 1) PID:5160
C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe (depth 1) PID:2616
C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe . (depth 1) PID:2844
C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe . (depth 1) PID:680
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe (depth 1) PID:2304
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe (depth 1) PID:1420
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe . (depth 1) PID:884
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe . (depth 1) PID:5268
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe (depth 1) PID:5980
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvmdtqecvljvexdtqpx.exe (depth 1) PID:1112
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe . (depth 1) PID:2140
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe . (depth 1) PID:5684
C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe (depth 1) PID:3908
C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe (depth 1) PID:408
C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe . (depth 1) PID:3740
C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe . (depth 1) PID:4960
C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe (depth 1) PID:4928
C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe (depth 1) PID:4032
C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe . (depth 1) PID:5128
C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe . (depth 1) PID:4500
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe (depth 1) PID:1384
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe (depth 1) PID:2960
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe . (depth 1) PID:3936
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe . (depth 1) PID:2712
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe (depth 1) PID:5920
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe (depth 1) PID:580
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe . (depth 1) PID:5472
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe . (depth 1) PID:4784
C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe (depth 1) PID:416
C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe (depth 1) PID:5548
C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe . (depth 1) PID:5228
C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe . (depth 1) PID:2532
C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe (depth 1) PID:716
C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe (depth 1) PID:4492
C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe . (depth 1) PID:2316
C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe . (depth 1) PID:4352
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe (depth 1) PID:4584
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe (depth 1) PID:1724
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe . (depth 1) PID:4472
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvmdtqecvljvexdtqpx.exe . (depth 1) PID:3928
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe (depth 1) PID:2444
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe (depth 1) PID:1780
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe . (depth 1) PID:3468
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe . (depth 1) PID:6040
C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe (depth 1) PID:3840
C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe (depth 1) PID:1164
C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe . (depth 1) PID:5884
C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe . (depth 1) PID:5160
C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe (depth 1) PID:5936
C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe (depth 1) PID:2844
C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe . (depth 1) PID:1412
C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe . (depth 1) PID:1488
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvmdtqecvljvexdtqpx.exe (depth 1) PID:5268
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe (depth 1) PID:1332
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe . (depth 1) PID:1112
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe . (depth 1) PID:2552
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe (depth 1) PID:1912
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe (depth 1) PID:1256
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe . (depth 1) PID:2936
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe . (depth 1) PID:2364
C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe (depth 1) PID:1996
C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe (depth 1) PID:4960
C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe . (depth 1) PID:4928
C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe . (depth 1) PID:4032
C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe (depth 1) PID:2620
C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe (depth 1) PID:1852
C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe . (depth 1) PID:3076
C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe . (depth 1) PID:3096
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvmdtqecvljvexdtqpx.exe (depth 1) PID:3240
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe (depth 1) PID:3088
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe . (depth 1) PID:4268
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe . (depth 1) PID:3196
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe (depth 1) PID:5696
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe (depth 1) PID:3048
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe . (depth 1) PID:4640
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe . (depth 1) PID:6072
C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe (depth 1) PID:4524
C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe (depth 1) PID:5440
C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe . (depth 1) PID:5220
C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe . (depth 1) PID:5204
C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe (depth 1) PID:6064
C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe (depth 1) PID:3116
C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe . (depth 1) PID:3340
C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe . (depth 1) PID:5032
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe (depth 1) PID:5156
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe (depth 1) PID:4328
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe . (depth 1) PID:5792
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe . (depth 1) PID:6080
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe (depth 1) PID:1680
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe (depth 1) PID:5304
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvmdtqecvljvexdtqpx.exe . (depth 1) PID:5416
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe . (depth 1) PID:3148
C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe (depth 1) PID:6008
C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe (depth 1) PID:4904
C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe . (depth 1) PID:3680
C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe . (depth 1) PID:3600
C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe (depth 1) PID:3336
C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe . (depth 1) PID:5928
C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe (depth 1) PID:1448
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe (depth 1) PID:4824
C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe . (depth 1) PID:1408
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe (depth 1) PID:5660
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe . (depth 1) PID:392
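The process list above is dominated by cmd.exe /c launches of six lowercase, random-looking executable names, each tried as a bare name and as a full %TEMP% path, with and without a trailing " ." argument. As an added example, not part of the sandbox report, the Python below parses records in a cleaned "command line  PID:n" shape, groups launches per target basename and argument form, and flags names with a consonant-cluster/vowel-ratio heuristic. The records are constructed from entries the report lists; the ipconfig.exe line and its PID are invented for contrast, and the heuristic thresholds are this example's own and need tuning against a real baseline (sppsvc.exe, a legitimate Windows binary, would trip it).

```python
"""Summarise the cmd.exe /c launches in a sandbox process list and flag
random-looking executable names.

Added example, not part of the sandbox report. The records are constructed in a
cleaned "command line  PID:n" shape from entries the report lists, plus one
invented benign ipconfig line; the naming heuristic and thresholds are this
example's own.
"""
import re
from collections import Counter, defaultdict

SAMPLE_RECORDS = r"""
C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe  PID:4568
C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe .  PID:5492
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe  PID:5096
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe .  PID:4472
C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe  PID:5924
C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe  PID:2576
C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe .  PID:780
C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe  PID:5016
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding  PID:2132
C:\Windows\system32\cmd.exe /c ipconfig.exe  PID:1234
"""

RECORD_RE = re.compile(r"^(?P<cmd>.+?)\s+PID:(?P<pid>\d+)$")
# cmd.exe /c <target> [rest]; the target may be quoted, a bare name, or a full path
CMD_C_RE = re.compile(r'^(?P<image>\S+\\cmd\.exe)\s+/c\s+(?P<target>"[^"]+"|\S+)(?P<rest>.*)$',
                      re.IGNORECASE)
VOWELS = set("aeiou")


def parse_records(text: str) -> list:
    """Return (command_line, pid) for each well-formed record line; skips blanks."""
    out = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            out.append((m.group("cmd"), int(m.group("pid"))))
    return out


def looks_random(stem: str) -> bool:
    """Heuristic for machine-generated names: all lowercase letters, at least 6 long,
    and either a consonant cluster of 5+ or 12+ letters with under 30% vowels.
    Thresholds are this example's own; pair with an allowlist in practice."""
    if len(stem) < 6 or not re.fullmatch(r"[a-z]+", stem):
        return False
    clusters = re.findall(r"[b-df-hj-np-tv-z]+", stem)  # y counted as a consonant
    longest_cluster = max((len(c) for c in clusters), default=0)
    vowel_ratio = sum(ch in VOWELS for ch in stem) / len(stem)
    return longest_cluster >= 5 or (len(stem) >= 12 and vowel_ratio < 0.30)


def summarise(text: str):
    """Group cmd.exe /c launches by target basename and trailing-argument form.
    Returns (launches, flagged): launches maps basename -> Counter of argument
    strings ("<none>" when absent); flagged is the set of basenames looks_random() hits."""
    launches = defaultdict(Counter)
    flagged = set()
    for cmd, _pid in parse_records(text):
        m = CMD_C_RE.match(cmd)
        if not m:
            continue  # not a cmd.exe /c launch (e.g. the rundll32 COM activation)
        target = m.group("target").strip('"')
        base = target.rsplit("\\", 1)[-1].lower()
        args = m.group("rest").strip() or "<none>"
        launches[base][args] += 1
        if looks_random(base.removesuffix(".exe")):
            flagged.add(base)
    return dict(launches), flagged


if __name__ == "__main__":
    launches, flagged = summarise(SAMPLE_RECORDS)
    for base, forms in sorted(launches.items()):
        mark = "FLAG" if base in flagged else "    "
        print(f"{mark} {base:32} {dict(forms)}")
```

On the constructed records all six dropped-copy names are flagged while ipconfig.exe is not, and the per-name counters show the bare-name and " ." variants separately, which is the shape a detection rule for this behaviour would key on (cmd.exe /c launching a long, all-lowercase .exe from %TEMP% or the working directory, optionally with a lone "." argument).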
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads
-
Filesize
272B
MD5
e3591b3fb824103704e75bfe202ef611
SHA1
bf937491e58fd838ca22c428fbd6c4e2748d0a33
SHA256
5d34b59050af5b6fd23a635967062f2306ebeb6428a39fe696e26ab011eac5a1
SHA512
5120964da57fa10b6391e8b2ca64dd9e438ec4b4b4c0b75414aafee4c1ab027cde8054ac158467c99201e8f2198ecdf4b14d0796960de9362a58cf06ff206882
-
Filesize
272B
MD5
3014fd37f6ea84b5c3279a04f8fc10a5
SHA1
d1ec94a89a904740aefadb6c2a602c043be55f5a
SHA256
5b641be4d4bb95b3b07edff82644a3025e18bf67421e5c98b546cdd8bc0fe923
SHA512
a8f1446d95add390632ef4c5469c86229db11f3f13b7b89a0d538ecdc4a15d7bdc9b03e9f16ef290701da3d469cda62fb0372def4bdd43866349667d16c7bf7f
-
Filesize
272B
MD5
5e05600cc42163f742cd62a45fd1f4d5
SHA1
aecb9f870d45b432912d8ee872874d3b3185cd80
SHA256
edd0f863665f904f4287f8cab4fec204c1229f06de7e3d5e6994202b7658db96
SHA512
56c769797d320370f265a8afe72d7cb298f626f76f595278bb14e510ce87f5012a86fdfa3ff8d60a31441f1860b347fa1318e32e655b986e98459cf7614e2b49
-
Filesize
272B
MD5
8f7f8c0934064d12dfc96bbe526a46e5
SHA1
3e8eb3e1301280a8451f163024f81ae00f9f82c0
SHA256
82b6fa3c83c521580a42105d964eb9ef904903956474abda7a5cb9e61fa83ae4
SHA512
9908a9be2daadbd91608e1b956a165fb602e4f1df067288a9a52886ed7da748b2100d8c262ec2a5a0c36b1687f575cb78647baa583d9f466fa18d2d210ede663
-
Filesize
1.3MB
MD5
1ca589c6c91403015ecfb93a13ad3480
SHA1
7f573677d5228d3accb0b8c365d685c049456bb6
SHA256
ad7a64eadd76e4a6f77a9c25f82e009b7b332321764adb809df6f9798818f4c7
SHA512
8eb67f23affb419c06e96529ff06774238ae4249c960b08dcd8bab3490a7913168daac58fc0ae6e23acec979460445d75dd7dd2dbef2f9882d81793c26cdf460
-
Filesize
3KB
MD5
8745ea2476e114d3bb643a0bb8d9a6d9
SHA1
15e018ff78dc7ac90913fc99d4089696c07f95c6
SHA256
e2a7feda5d03482c82059d29d6dbdb2a0908f199d23e7f09e9f099d693dc5bd4
SHA512
c02193214407125b4992b0016b57d19d1e4f30baff3fdfd16a6094dd564970d874992e0a4f61d3e7fe37d0ce4c9d7dfa15f721030c266a219e32181c42864067
-
Filesize
272B
MD5
86bbb18040bc8efde0d6cd0bb5372145
SHA1
80251cff2ebb66e0bea136e924aa0ea6e5963627
SHA256
6cebffa452cc3676b237999d0ab4906e005186492a96c1563fc679a60f01c1c1
SHA512
20d958440ade18da3778f54891202cb433a212af50324cf490d891af22fbe047f833d75f1507cb4d5f3d55b318082b472e70c47d8a8745b0b2cf52d177ddfcac
-
Filesize
272B
MD5
f817c1522ca58fdc6336b0270dee6599
SHA1
9f769d4c16a95cff30f76fbebd456077c94e704f
SHA256
68fec1bfd73fae27fcdaa70669549f67db7c3acf925c95a3d2ccd65a5bb90247
SHA512
340cd98c62ea1eab6729fa2bd1ec6cc983024590679536028e6b251f221c66ac3fa5a7868f005c58e876426c4e6154d19e3d09228a80fd552b0548aaf5666b96
-
Filesize
272B
MD5
ff3d377770f67ba349d4f55a81d810b6
SHA1
6c66c4cb700079d2ec4d329f00e8d9648852aaf3
SHA256
d9dcfc6f9485f55cab5b45a3ab9a0e074dadd6d7d61a10543746567e508da63d
SHA512
3adfd308f45883d702aad698b394160dd6ea0f18f417351e98c5eb82531942d58e5a8c9a50bd1ac2eccc18b83b17680d24b3e93ef97c4996f18aaf97ec4bd57e
-
Filesize
272B
MD5
de26d537a075a38b0f223ee7e64eb31c
SHA1
15fd6b614fa2a11f7fc0563df54fdceddc8c71a5
SHA256
0d50003d4a8090280638a681423a6935eb5373594e284a3ee0176e3628930ffb
SHA512
bad1a666348c85c9316493b28e38433f54142b3251cf45b2c3f3ffd9ed5577bee2f92df33ec1440ca2607b9c8d67b3944f0c72c1569bfd9852742c1e131ccbd7