Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system
- submitted: 21/04/2025, 04:40
Behavioral task: behavioral1
- Sample: JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
- Resource: win10v2004-20250314-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
- Resource: win11-20250410-en
General
- Target: JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
- Size: 716KB
- MD5: c7ccedb70155d9567bc63477af344089
- SHA1: 3bd2817183d21eda6ef4c5974c763395a981f500
- SHA256: 9b3e40cd1dcd17e8ae2b31e6aa5b0d6f10ed4bc800ad7c72ded563069a68da6c
- SHA512: e65e432692b9dff71d9640501320ae1e626a21a0c947450fa8d792cfd7168e32dd73e56fb82e6e72ad7ae1d93a1a0fc68983f67547d3919bde013cd495f279d0
- SSDEEP: 12288:2XgvmzFHi0mo5aH0qMzd5807FDPJQPDHvd:2XgvOHi0mGaH0qSdPFF4V
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | lvsflp.exe
UAC bypass 3 TTPs 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lvsflp.exe
Adds policy Run key to start application 2 TTPs 28 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "ezhfwldqjzgtoppaz.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvffypjytlujgjlyzec.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "njsrjzsgarznjlmyyc.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljuvphcsohrhfjmacihf.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "xryvlzqcujpbvvue.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "ljuvphcsohrhfjmacihf.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "xryvlzqcujpbvvue.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "yvffypjytlujgjlyzec.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "ezhfwldqjzgtoppaz.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njsrjzsgarznjlmyyc.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljuvphcsohrhfjmacihf.exe" | lvsflp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "yvffypjytlujgjlyzec.exe" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njsrjzsgarznjlmyyc.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "ljuvphcsohrhfjmacihf.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "azlnibxolfqhglpehoonz.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezhfwldqjzgtoppaz.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "yvffypjytlujgjlyzec.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "azlnibxolfqhglpehoonz.exe" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "njsrjzsgarznjlmyyc.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xryvlzqcujpbvvue.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xryvlzqcujpbvvue.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlnibxolfqhglpehoonz.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvffypjytlujgjlyzec.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezhfwldqjzgtoppaz.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljuvphcsohrhfjmacihf.exe" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | lvsflp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | lvsflp.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lvsflp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lvsflp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Executes dropped EXE 2 IoCs
pid | Process
4712 | lvsflp.exe
1916 | lvsflp.exe
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | lvsflp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | lvsflp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | lvsflp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | lvsflp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | lvsflp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | lvsflp.exe
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "yvffypjytlujgjlyzec.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljuvphcsohrhfjmacihf.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "njsrjzsgarznjlmyyc.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shjbmvhoblm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvffypjytlujgjlyzec.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvsflp = "njsrjzsgarznjlmyyc.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shjbmvhoblm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xryvlzqcujpbvvue.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvsflp = "xryvlzqcujpbvvue.exe" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "ljuvphcsohrhfjmacihf.exe" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shjbmvhoblm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xryvlzqcujpbvvue.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvsflp = "njsrjzsgarznjlmyyc.exe" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "ljuvphcsohrhfjmacihf.exe" | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "ezhfwldqjzgtoppaz.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njsrjzsgarznjlmyyc.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlnibxolfqhglpehoonz.exe ." | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "ezhfwldqjzgtoppaz.exe" | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "ezhfwldqjzgtoppaz.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "azlnibxolfqhglpehoonz.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvffypjytlujgjlyzec.exe" | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvsflp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvffypjytlujgjlyzec.exe" | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvsflp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlnibxolfqhglpehoonz.exe" | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "yvffypjytlujgjlyzec.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "ezhfwldqjzgtoppaz.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xryvlzqcujpbvvue.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njsrjzsgarznjlmyyc.exe" | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvsflp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xryvlzqcujpbvvue.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "azlnibxolfqhglpehoonz.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xryvlzqcujpbvvue.exe" | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvffypjytlujgjlyzec.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "azlnibxolfqhglpehoonz.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "yvffypjytlujgjlyzec.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njsrjzsgarznjlmyyc.exe" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvsflp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njsrjzsgarznjlmyyc.exe" | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "xryvlzqcujpbvvue.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shjbmvhoblm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljuvphcsohrhfjmacihf.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "xryvlzqcujpbvvue.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shjbmvhoblm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njsrjzsgarznjlmyyc.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "yvffypjytlujgjlyzec.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlnibxolfqhglpehoonz.exe" | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "xryvlzqcujpbvvue.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezhfwldqjzgtoppaz.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "ezhfwldqjzgtoppaz.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njsrjzsgarznjlmyyc.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezhfwldqjzgtoppaz.exe" | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "njsrjzsgarznjlmyyc.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "njsrjzsgarznjlmyyc.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "njsrjzsgarznjlmyyc.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvsflp = "yvffypjytlujgjlyzec.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvsflp = "njsrjzsgarznjlmyyc.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "njsrjzsgarznjlmyyc.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvsflp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljuvphcsohrhfjmacihf.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shjbmvhoblm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvffypjytlujgjlyzec.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljuvphcsohrhfjmacihf.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shjbmvhoblm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezhfwldqjzgtoppaz.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "ljuvphcsohrhfjmacihf.exe ." | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvsflp = "yvffypjytlujgjlyzec.exe" | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljuvphcsohrhfjmacihf.exe" | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xryvlzqcujpbvvue.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "yvffypjytlujgjlyzec.exe" | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "azlnibxolfqhglpehoonz.exe ." | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvsflp = "ljuvphcsohrhfjmacihf.exe" | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "njsrjzsgarznjlmyyc.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "ezhfwldqjzgtoppaz.exe ." | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shjbmvhoblm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlnibxolfqhglpehoonz.exe ." | lvsflp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "azlnibxolfqhglpehoonz.exe" | lvsflp.exe
Checks whether UAC is enabled 1 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lvsflp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lvsflp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lvsflp.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | lvsflp.exe
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
33 | whatismyip.everdot.org
38 | whatismyip.everdot.org
39 | www.whatismyip.ca
21 | whatismyip.everdot.org
22 | whatismyipaddress.com
29 | www.showmyipaddress.com
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi | lvsflp.exe
File created | C:\Windows\SysWOW64\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi | lvsflp.exe
File opened for modification | C:\Windows\SysWOW64\xryvlzqcujpbvvueceztaxnbsewlrdxxwgegbv.zpd | lvsflp.exe
File created | C:\Windows\SysWOW64\xryvlzqcujpbvvueceztaxnbsewlrdxxwgegbv.zpd | lvsflp.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\xryvlzqcujpbvvueceztaxnbsewlrdxxwgegbv.zpd | lvsflp.exe
File created | C:\Program Files (x86)\xryvlzqcujpbvvueceztaxnbsewlrdxxwgegbv.zpd | lvsflp.exe
File opened for modification | C:\Program Files (x86)\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi | lvsflp.exe
File created | C:\Program Files (x86)\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi | lvsflp.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi | lvsflp.exe
File opened for modification | C:\Windows\xryvlzqcujpbvvueceztaxnbsewlrdxxwgegbv.zpd | lvsflp.exe
File created | C:\Windows\xryvlzqcujpbvvueceztaxnbsewlrdxxwgegbv.zpd | lvsflp.exe
File opened for modification | C:\Windows\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi | lvsflp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lvsflp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lvsflp.exe
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Key created | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings | lvsflp.exe
Key created | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings | lvsflp.exe
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid | Process
4712 | lvsflp.exe (this same row is repeated 20 times in the report, one per observed event)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
1916 | lvsflp.exe
4712 | lvsflp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4712 | lvsflp.exe
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 5264 wrote to memory of 4712 | 5264 | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | 105
PID 5264 wrote to memory of 4712 | 5264 | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | 105
PID 5264 wrote to memory of 4712 | 5264 | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | 105
PID 5264 wrote to memory of 1916 | 5264 | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | 106
PID 5264 wrote to memory of 1916 | 5264 | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | 106
PID 5264 wrote to memory of 1916 | 5264 | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | 106
System policy modification 1 TTPs 36 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lvsflp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | lvsflp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | lvsflp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | lvsflp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | lvsflp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lvsflp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | lvsflp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe - "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe" - 1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5264
-
C:\Users\Admin\AppData\Local\Temp\lvsflp.exe - "C:\Users\Admin\AppData\Local\Temp\lvsflp.exe" "-" - 2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4712
-
C:\Users\Admin\AppData\Local\Temp\lvsflp.exe - "C:\Users\Admin\AppData\Local\Temp\lvsflp.exe" "-" - 2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- System policy modification
PID:1916
-
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe - 1⤵ - PID:5868
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ljuvphcsohrhfjmacihf.exe . - 1⤵ - PID:2612
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ljuvphcsohrhfjmacihf.exe - 1⤵ - PID:400
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe . - 1⤵ - PID:2524
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe - 1⤵ - PID:5776
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe . - 1⤵ - PID:624
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe - 1⤵ - PID:4648
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe . - 1⤵ - PID:4588
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ljuvphcsohrhfjmacihf.exe - 1⤵ - PID:3888
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe - 1⤵ - PID:4656
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe . - 1⤵ - PID:2484
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe . - 1⤵ - PID:5080
C:\Windows\System32\rundll32.exe - C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding - 1⤵ - PID:448
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe - 1⤵ - PID:2184
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe - 1⤵ - PID:2024
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe . - 1⤵ - PID:5424
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe - 1⤵ - PID:5404
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c yvffypjytlujgjlyzec.exe . - 1⤵ - PID:860
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe - 1⤵ - PID:5092
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe . - 1⤵ - PID:1420
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe . - 1⤵ - PID:2072
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe - 1⤵ - PID:2120
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe - 1⤵ - PID:5532
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe - 1⤵ - PID:2684
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe . - 1⤵ - PID:3088
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe . - 1⤵ - PID:2872
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe . - 1⤵ - PID:1912
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe - 1⤵ - PID:5488
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe - 1⤵ - PID:5504
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ljuvphcsohrhfjmacihf.exe . - 1⤵ - PID:3156
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ljuvphcsohrhfjmacihf.exe . - 1⤵ - PID:4272
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe - 1⤵ - PID:1464
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ljuvphcsohrhfjmacihf.exe - 1⤵ - PID:928
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe . - 1⤵ - PID:1964
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe . - 1⤵ - PID:2028
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe - 1⤵ - PID:4348
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe - 1⤵ - PID:4400
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe . - 1⤵ - PID:4356
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvffypjytlujgjlyzec.exe . - 1⤵ - PID:2196
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe - 1⤵ - PID:3320
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvffypjytlujgjlyzec.exe - 1⤵ - PID:2612
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvffypjytlujgjlyzec.exe . - 1⤵ - PID:4744
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe . - 1⤵ - PID:5064
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c yvffypjytlujgjlyzec.exe - 1⤵ - PID:1388
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ljuvphcsohrhfjmacihf.exe - 1⤵ - PID:4512
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe . - 1⤵ - PID:4580
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe . - 1⤵ - PID:4804
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe - 1⤵ - PID:3584
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe - 1⤵ - PID:4764
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe . - 1⤵ - PID:4732
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe . - 1⤵ - PID:3568
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe - 1⤵ - PID:2616
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe - 1⤵ - PID:1052
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe . - 1⤵ - PID:1356
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe . - 1⤵ - PID:4984
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe - 1⤵ - PID:3772
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe - 1⤵ - PID:1072
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe . - 1⤵ - PID:3708
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe . - 1⤵ - PID:1568
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe - 1⤵ - PID:4700
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe - 1⤵ - PID:2440
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe . - 1⤵ - PID:5488
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe . - 1⤵ - PID:1260
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe - 1⤵ - PID:1720
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe - 1⤵ - PID:5268
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe . - 1⤵ - PID:5132
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe - 1⤵ - PID:5856
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c yvffypjytlujgjlyzec.exe . - 1⤵ - PID:928
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe - 1⤵ - PID:332
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe . - 1⤵ - PID:4312
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe . - 1⤵ - PID:5452
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe - 1⤵ - PID:1960
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe - 1⤵ - PID:464
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe . - 1⤵ - PID:4812
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe . - 1⤵ - PID:5388
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe - 1⤵ - PID:4856
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe - 1⤵ - PID:4232
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe . - 1⤵ - PID:4748
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe . - 1⤵ - PID:3888
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ljuvphcsohrhfjmacihf.exe - 1⤵ - PID:1068
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe . - 1⤵ - PID:4792
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe - 1⤵ - PID:2660
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvffypjytlujgjlyzec.exe - 1⤵ - PID:2232
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe . - 1⤵ - PID:4788
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe . - 1⤵ - PID:3272
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe - 1⤵ - PID:3580
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe . - 1⤵ - PID:2444
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvffypjytlujgjlyzec.exe - 1⤵ - PID:5164
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe . - 1⤵ - PID:5160
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe - 1⤵ - PID:3164
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvffypjytlujgjlyzec.exe . - 1⤵ - PID:728
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c yvffypjytlujgjlyzec.exe - 1⤵ - PID:516
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe - 1⤵ - PID:3928
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe . - 1⤵ - PID:2016
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe . - 1⤵ - PID:4084
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ljuvphcsohrhfjmacihf.exe - 1⤵ - PID:1596
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe . - 1⤵ - PID:5572
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe - 1⤵ - PID:1576
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe - 1⤵ - PID:5868
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe . - 1⤵ - PID:1464
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe . - 1⤵ - PID:2188
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe - 1⤵ - PID:5348
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe . - 1⤵ - PID:928
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe - 1⤵ - PID:4920
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe . - 1⤵ - PID:6076
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe - 1⤵ - PID:1436
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe . - 1⤵ - PID:872
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe - 1⤵ - PID:4436
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe . - 1⤵ - PID:3440
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe - 1⤵ - PID:3312
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe - 1⤵ - PID:2636
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe . - 1⤵ - PID:6020
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe . - 1⤵ - PID:4512
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe - 1⤵ - PID:4800
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe - 1⤵ - PID:4804
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe . - 1⤵ - PID:4988
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe . - 1⤵ - PID:3396
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe - 1⤵ - PID:4732
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe . - 1⤵ - PID:4652
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe - 1⤵ - PID:3932
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe . - 1⤵ - PID:4092
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe - 1⤵ - PID:5968
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe . - 1⤵ - PID:3272
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe - 1⤵ - PID:3164
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c yvffypjytlujgjlyzec.exe . - 1⤵ - PID:4696
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe - 1⤵ - PID:5220
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ljuvphcsohrhfjmacihf.exe - 1⤵ - PID:3004
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe . - 1⤵ - PID:5840
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe . - 1⤵ - PID:6032
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe - 1⤵ - PID:3500
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe . - 1⤵ - PID:5436
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c yvffypjytlujgjlyzec.exe - 1⤵ - PID:5900
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe . - 1⤵ - PID:3304
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe - 1⤵ - PID:4700
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe - 1⤵ - PID:668
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe . - 1⤵ - PID:4892
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe . - 1⤵ - PID:4044
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe - 1⤵ - PID:1564
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe . - 1⤵ - PID:1544
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe - 1⤵ - PID:1760
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe . - 1⤵ - PID:1960
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe - 1⤵ - PID:5960
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c yvffypjytlujgjlyzec.exe - 1⤵ - PID:1436
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe . - 1⤵ - PID:1820
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe . - 1⤵ - PID:4812
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe - 1⤵ - PID:6080
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe . - 1⤵ - PID:3292
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe - 1⤵ - PID:5388
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c yvffypjytlujgjlyzec.exe . - 1⤵ - PID:6040
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe - 1⤵ - PID:4280
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe - 1⤵ - PID:916
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe . - 1⤵ - PID:4552
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvffypjytlujgjlyzec.exe . - 1⤵ - PID:64
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe - 1⤵ - PID:5672
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe . - 1⤵ - PID:4876
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe - 1⤵ - PID:4764
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe . - 1⤵ - PID:4656
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe - 1⤵ - PID:3412
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c yvffypjytlujgjlyzec.exe - 1⤵ - PID:2660
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe . - 1⤵ - PID:4652
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe . - 1⤵ - PID:1076
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe - 1⤵ - PID:1944
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvffypjytlujgjlyzec.exe . - 1⤵ - PID:512
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe - 1⤵ - PID:4980
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe . - 1⤵ - PID:3404
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe - 1⤵ - PID:6000
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe - 1⤵ - PID:896
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe . - 1⤵ - PID:1956
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe . - 1⤵ - PID:3784
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe - 1⤵ - PID:2604
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe . - 1⤵ - PID:1468
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe - 1⤵ - PID:4680
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe . - 1⤵ - PID:1256
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe - 1⤵ - PID:4084
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c yvffypjytlujgjlyzec.exe . - 1⤵ - PID:5292
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe - 1⤵ - PID:3848
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvffypjytlujgjlyzec.exe - 1⤵ - PID:2296
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe . - 1⤵ - PID:3124
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ljuvphcsohrhfjmacihf.exe . - 1⤵ - PID:2744
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe - 1⤵ - PID:5876
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe - 1⤵ - PID:1588
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe . - 1⤵ - PID:1496
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe . - 1⤵ - PID:3376
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe - 1⤵ - PID:5756
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe . - 1⤵ - PID:2880
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe - 1⤵ - PID:1960
C:\Windows\system32\cmd.exe - C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe . - 1⤵ - PID:3640
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Hijack Execution Flow 1
Executable Installer File Permissions Weakness 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Hijack Execution Flow 1
Executable Installer File Permissions Weakness 1
Defense Evasion
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Hijack Execution Flow 1
Executable Installer File Permissions Weakness 1
Impair Defenses 2
Disable or Modify Tools 1
Safe Mode Boot 1
Modify Registry 5
Downloads