Analysis

max time kernel: 150s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21/04/2025, 04:40
Behavioral task: behavioral1
Sample: JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Resource: win10v2004-20250314-en

Behavioral task: behavioral2
Sample: JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Resource: win11-20250410-en
General

Target: JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Size: 716KB
MD5: c7ccedb70155d9567bc63477af344089
SHA1: 3bd2817183d21eda6ef4c5974c763395a981f500
SHA256: 9b3e40cd1dcd17e8ae2b31e6aa5b0d6f10ed4bc800ad7c72ded563069a68da6c
SHA512: e65e432692b9dff71d9640501320ae1e626a21a0c947450fa8d792cfd7168e32dd73e56fb82e6e72ad7ae1d93a1a0fc68983f67547d3919bde013cd495f279d0
SSDEEP: 12288:2XgvmzFHi0mo5aH0qMzd5807FDPJQPDHvd:2XgvOHi0mGaH0qSdPFF4V
Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Note: the value written is "Explorer.exe", the Windows default, so this signature fires on the write to the Winlogon Shell value itself rather than on a replaced shell; on a live host check whether Shell still points at Explorer.exe before treating it as a hijack.
UAC bypass (3 TTPs, 12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Note: all twelve writes target HKLM\...\Policies\System, which on a default ACL is writable only by administrators, so this is a process that already runs elevated switching UAC off for the future rather than bypassing a prompt: ConsentPromptBehaviorAdmin = 0 elevates without prompting, PromptOnSecureDesktop = 0 takes any remaining prompt off the secure desktop, ConsentPromptBehaviorUser = 0 denies standard-user elevation outright, and EnableLUA = 0 disables UAC entirely after the next reboot.
Adds policy Run key to start application (2 TTPs, 26 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe" | bajrzio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "hqjbtmcvkzxopgcpy.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqjbtmcvkzxopgcpy.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aiariaphvjgwwmht.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "oawrmibxphicgazpbakw.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "dqnjfcwtmfhchcctggreb.exe" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "hqjbtmcvkzxopgcpy.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "aiariaphvjgwwmht.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnjfcwtmfhchcctggreb.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "bmhbvqidullehaynywf.exe" | bajrzio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "bmhbvqidullehaynywf.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnjfcwtmfhchcctggreb.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "dqnjfcwtmfhchcctggreb.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqjbtmcvkzxopgcpy.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "oawrmibxphicgazpbakw.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "dqnjfcwtmfhchcctggreb.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "aiariaphvjgwwmht.exe" | bajrzio.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bajrzio.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bajrzio.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bajrzio.exe
Executes dropped EXE (2 IoCs)
pid | Process
3328 | bajrzio.exe
4448 | bajrzio.exe
Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | bajrzio.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | bajrzio.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | bajrzio.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | bajrzio.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | bajrzio.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | bajrzio.exe
Note: SafeBoot\Minimal is the list of drivers and services Windows is allowed to start in Safe Mode; deleting the ProfSvc, UserManager and Power entries means those services no longer start there, which is what makes a Safe Mode boot unusable for cleanup.
Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\vylxjwgtcld = "hqjbtmcvkzxopgcpy.exe" | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqjbtmcvkzxopgcpy.exe" | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swkxkyjxhrkw = "aiariaphvjgwwmht.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\vylxjwgtcld = "aiariaphvjgwwmht.exe" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "aiariaphvjgwwmht.exe" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "bmhbvqidullehaynywf.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "hqjbtmcvkzxopgcpy.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "aiariaphvjgwwmht.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "qaungarlbrqikcznxu.exe" | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swkxkyjxhrkw = "dqnjfcwtmfhchcctggreb.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swkxkyjxhrkw = "hqjbtmcvkzxopgcpy.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "hqjbtmcvkzxopgcpy.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "bmhbvqidullehaynywf.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aiariaphvjgwwmht.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\vylxjwgtcld = "aiariaphvjgwwmht.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "dqnjfcwtmfhchcctggreb.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\vylxjwgtcld = "qaungarlbrqikcznxu.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "hqjbtmcvkzxopgcpy.exe" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe ." | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe" | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "oawrmibxphicgazpbakw.exe" | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swkxkyjxhrkw = "hqjbtmcvkzxopgcpy.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\vylxjwgtcld = "oawrmibxphicgazpbakw.exe" | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aiariaphvjgwwmht.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "bmhbvqidullehaynywf.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "oawrmibxphicgazpbakw.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swkxkyjxhrkw = "dqnjfcwtmfhchcctggreb.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnjfcwtmfhchcctggreb.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnjfcwtmfhchcctggreb.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnjfcwtmfhchcctggreb.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "hqjbtmcvkzxopgcpy.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "qaungarlbrqikcznxu.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aiariaphvjgwwmht.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\vylxjwgtcld = "dqnjfcwtmfhchcctggreb.exe" | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqjbtmcvkzxopgcpy.exe" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "oawrmibxphicgazpbakw.exe" | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnjfcwtmfhchcctggreb.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnjfcwtmfhchcctggreb.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "qaungarlbrqikcznxu.exe ." | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\vylxjwgtcld = "qaungarlbrqikcznxu.exe" | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aiariaphvjgwwmht.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "dqnjfcwtmfhchcctggreb.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "aiariaphvjgwwmht.exe" | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swkxkyjxhrkw = "qaungarlbrqikcznxu.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\vylxjwgtcld = "dqnjfcwtmfhchcctggreb.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe ." | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aiariaphvjgwwmht.exe" | bajrzio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnjfcwtmfhchcctggreb.exe" | bajrzio.exe
Checks whether UAC is enabled (1 TTP, 6 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bajrzio.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bajrzio.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTP, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users: EnableInstallerDetection = 0 disables UAC's installer-detection heuristic, so setup programs are no longer automatically prompted for elevation.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | bajrzio.exe
Looks up external IP address via web service (6 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | whatismyipaddress.com
2 | www.showmyipaddress.com
2 | whatismyip.everdot.org
2 | www.whatismyip.ca
4 | www.whatismyip.ca
4 | whatismyip.everdot.org
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\dahntaelordixcmnkupmtzfmqxa.puj | bajrzio.exe
File created | C:\Windows\SysWOW64\dahntaelordixcmnkupmtzfmqxa.puj | bajrzio.exe
File opened for modification | C:\Windows\SysWOW64\aiariaphvjgwwmhtbwckctkcrjxliyyojvdyem.vme | bajrzio.exe
File created | C:\Windows\SysWOW64\aiariaphvjgwwmhtbwckctkcrjxliyyojvdyem.vme | bajrzio.exe

Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\dahntaelordixcmnkupmtzfmqxa.puj | bajrzio.exe
File created | C:\Program Files (x86)\dahntaelordixcmnkupmtzfmqxa.puj | bajrzio.exe
File opened for modification | C:\Program Files (x86)\aiariaphvjgwwmhtbwckctkcrjxliyyojvdyem.vme | bajrzio.exe
File created | C:\Program Files (x86)\aiariaphvjgwwmhtbwckctkcrjxliyyojvdyem.vme | bajrzio.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\aiariaphvjgwwmhtbwckctkcrjxliyyojvdyem.vme | bajrzio.exe
File opened for modification | C:\Windows\dahntaelordixcmnkupmtzfmqxa.puj | bajrzio.exe
File created | C:\Windows\dahntaelordixcmnkupmtzfmqxa.puj | bajrzio.exe
File opened for modification | C:\Windows\aiariaphvjgwwmhtbwckctkcrjxliyyojvdyem.vme | bajrzio.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bajrzio.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bajrzio.exe
Modifies registry class (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings | bajrzio.exe
Key created | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings | bajrzio.exe
Key created | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Suspicious behavior: EnumeratesProcesses (26 IoCs)
pid | Process
3328 | bajrzio.exe (the same pid/process pair is listed 26 times)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
4448 | bajrzio.exe
3328 | bajrzio.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 3328 | bajrzio.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2412 wrote to memory of 3328 | 2412 | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | 94
PID 2412 wrote to memory of 3328 | 2412 | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | 94
PID 2412 wrote to memory of 3328 | 2412 | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | 94
PID 2412 wrote to memory of 4448 | 2412 | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | 95
PID 2412 wrote to memory of 4448 | 2412 | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | 95
PID 2412 wrote to memory of 4448 | 2412 | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | 95
System policy modification (1 TTP, 36 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | bajrzio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | bajrzio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | bajrzio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | bajrzio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bajrzio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | bajrzio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe
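The registry events in the signature tables above all share one row shape: an action, a kernel-style \REGISTRY\... path, an optional = "value", and the acting process. The following is an added example, not part of the sandbox report and not the sample's own code: a small Python parser that turns such rows into structured events, maps \REGISTRY\MACHINE and \REGISTRY\USER\<SID> to HKLM and HKU and folds the WOW6432Node view so both registry views hit the same rule, then tags each event with the technique it evidences (the UAC policy values written to 0, DisableRegistryTools = 1, writes to the Winlogon Shell value, Run/RunOnce/Policies\Explorer\Run autostarts, SafeBoot\Minimal deletions, and the EnableLUA read) and lists the distinct dropped file names the autostart values rotate through. The sample lines are copied from this report; the tag names and the rule set are this example's own choices, not sandbox signature identifiers.

```python
import re
from collections import defaultdict

# Constructed sample input: registry-event rows copied from the sandbox report above.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bajrzio.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" bajrzio.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" bajrzio.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bajrzio.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe" bajrzio.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe ." bajrzio.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\vylxjwgtcld = "hqjbtmcvkzxopgcpy.exe" bajrzio.exe',
    r'Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc bajrzio.exe',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bajrzio.exe',
    r'Key created \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings bajrzio.exe',
]

ACTION_RE = re.compile(
    r'^(Set value \((?:int|str)\)|Key created|Key deleted|Key value queried|Key opened)\s+(.*)$'
)

# UAC policy values that the sample sets to 0 (names lower-cased: registry names are case-insensitive).
UAC_POLICY_VALUES = {
    'enablelua', 'consentpromptbehavioradmin', 'consentpromptbehavioruser',
    'promptonsecuredesktop', 'enableinstallerdetection', 'filteradministratortoken',
    'validateadmincodesignatures', 'enablesecureuiapaths', 'enablevirtualization',
}
AUTOSTART_KEY_SUFFIXES = ('\\currentversion\\run', '\\currentversion\\runonce',
                          '\\policies\\explorer\\run')


def normalize_path(path: str) -> str:
    """Map \\REGISTRY\\MACHINE to HKLM and \\REGISTRY\\USER\\<SID> to HKU\\<SID>, and drop the
    WOW6432Node redirection so 32-bit and 64-bit writes to one logical key match one rule."""
    upper = path.upper()
    if upper.startswith('\\REGISTRY\\MACHINE\\'):
        path = 'HKLM\\' + path[len('\\REGISTRY\\MACHINE\\'):]
    elif upper.startswith('\\REGISTRY\\USER\\'):
        path = 'HKU\\' + path[len('\\REGISTRY\\USER\\'):]
    return path.replace('\\WOW6432Node\\', '\\')


def parse_event(line: str):
    """Split one report row into action, normalized path, value (Set value rows only) and process.
    Key paths may contain spaces ("Windows NT", "Local Settings"), so the process is taken as the
    last whitespace-separated token and the value as whatever follows the first ' = "'."""
    m = ACTION_RE.match(line.strip())
    if not m:
        return None
    action, rest = m.group(1), m.group(2)
    parts = rest.rsplit(None, 1)
    if len(parts) != 2:
        return None
    rest, proc = parts
    value = None
    if ' = "' in rest:
        rest, value = rest.split(' = "', 1)
        value = value[:-1] if value.endswith('"') else value
    return {'action': action, 'path': normalize_path(rest), 'value': value, 'proc': proc}


def classify(ev) -> list:
    """Technique tags evidenced by one event; key and value-name comparisons are case-insensitive."""
    key, _, name = ev['path'].rpartition('\\')
    key, name = key.lower(), name.lower()
    tags = []
    if ev['action'].startswith('Set value'):
        if key.endswith('\\policies\\system') and name in UAC_POLICY_VALUES and ev['value'] == '0':
            tags.append('uac_weakening')
        if key.endswith('\\policies\\system') and name == 'disableregistrytools' and ev['value'] == '1':
            tags.append('regedit_disabled')
        if key.endswith('\\winlogon') and name == 'shell':
            tags.append('winlogon_shell_write')
        if key.endswith(AUTOSTART_KEY_SUFFIXES):
            tags.append('autostart_persistence')
    elif ev['action'] == 'Key deleted' and '\\control\\safeboot\\' in key + '\\':
        tags.append('safeboot_impairment')
    elif ev['action'] == 'Key value queried' and name == 'enablelua':
        tags.append('uac_state_check')
    return tags


def summarize(lines) -> dict:
    """Per-process sorted list of technique tags seen across all parsable rows."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            seen[ev['proc']].update(classify(ev))
    return {proc: sorted(tags) for proc, tags in seen.items()}


def autostart_binaries(lines) -> set:
    """Distinct lower-cased file names the autostart values point at (the sample rotates several)."""
    names = set()
    for line in lines:
        ev = parse_event(line)
        if ev and 'autostart_persistence' in classify(ev):
            value = ev['value'].replace('\\\\', '\\')   # the report doubles backslashes in values
            if value.endswith(' .'):                    # RunOnce entries carry a trailing " ."
                value = value[:-2]
            names.add(value.rpartition('\\')[2].lower())
    return names


if __name__ == '__main__':
    for proc, tags in summarize(SAMPLE_EVENTS).items():
        print(proc, '->', ', '.join(tags))
    print('autostart binaries:', sorted(autostart_binaries(SAMPLE_EVENTS)))
```

The suffix rules deliberately match on the tail of the key rather than the full path, so the same DisableRegistryTools rule catches both the HKLM write and the per-user HKU\<SID> write listed above; feeding it the full "Adds Run key" table yields the six rotating file names (aiariaphvjgwwmht.exe, bmhbvqidullehaynywf.exe, dqnjfcwtmfhchcctggreb.exe, hqjbtmcvkzxopgcpy.exe, oawrmibxphicgazpbakw.exe, qaungarlbrqikcznxu.exe) that a host hunt should look for under Run, RunOnce and Policies\Explorer\Run.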
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe" | PID:2412
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
    C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | "C:\Users\Admin\AppData\Local\Temp\bajrzio.exe" "-" | PID:3328
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Impair Defenses: Safe Mode Boot
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
    C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | "C:\Users\Admin\AppData\Local\Temp\bajrzio.exe" "-" | PID:4448
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - System policy modification
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe | PID:4040
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe . | PID:1416
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe | PID:4500
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe . | PID:3376
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe | PID:4756
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe . | PID:1692
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe | PID:4844
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe . | PID:3696
C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | PID:3020
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe | PID:5064
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe | PID:4268
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe . | PID:4332
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe . | PID:4440
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe | PID:5908
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe | PID:2152
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe . | PID:3440
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe . | PID:3384
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe | PID:3264
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe | PID:6016
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe . | PID:3520
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe . | PID:4228
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe | PID:4800
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe | PID:2088
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe . | PID:2192
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe . | PID:6096
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe | PID:4848
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe | PID:1664
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe | PID:5860
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe . | PID:5732
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe . | PID:5800
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe | PID:4032
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe | PID:3884
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe . | PID:1788
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe . | PID:3148
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe | PID:2504
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe | PID:2492
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe . | PID:1604
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe . | PID:4832
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe | PID:5704
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe . | PID:4020
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe | PID:4064
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe . | PID:1456
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe | PID:2600
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe | PID:5304
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe . | PID:2608
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe . | PID:4652
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe | PID:4520
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe . | PID:3112
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe | PID:4168
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe | PID:3704
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe . | PID:4148
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe . | PID:3176
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe | PID:4856
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe . | PID:3528
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe | PID:2432
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe . | PID:3332
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe | PID:5212
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe . | PID:5688
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe | PID:2176
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe | PID:1192
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe . | PID:5432
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe . | PID:2328
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe | PID:5520
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe . | PID:576
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe | PID:4088
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe | PID:1948
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe . | PID:5844
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe . | PID:4848
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe | PID:5868
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe . | PID:4860
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe | PID:3268
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe . | PID:804
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe | PID:4900
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe . | PID:4032
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe | PID:5872
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe | PID:3844
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe . | PID:2056
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe . | PID:6076
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe | PID:692
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe | PID:1324
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe . | PID:3968
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe . | PID:4732
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe | PID:5268
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe . | PID:1944
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe | PID:5976
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe . | PID:1916
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe | PID:2600
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe | PID:5304
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe . | PID:2716
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe . | PID:4660
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe | PID:2396
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe | PID:3840
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe . | PID:2108
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe . | PID:3900
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe | PID:3008
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe | PID:4824
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe . | PID:4912
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe | PID:5428
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe . | PID:2828
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe | PID:5096
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe . | PID:3412
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe . | PID:3604
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe | PID:4044
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe | PID:2236
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe . | PID:5396
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe . | PID:2536
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe | PID:2856
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe | PID:2008
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe . | PID:1892
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe . | PID:6096
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe | PID:3096
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe . | PID:1228
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe | PID:4760
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe | PID:2788
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe . | PID:5548
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe . | PID:3944
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe | PID:5864
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe . | PID:2248
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe | PID:2148
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe | PID:3912
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe . | PID:5252
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe . | PID:5752
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe | PID:2476
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe | PID:1216
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe . | PID:1632
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe . | PID:4432
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe | PID:3484
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe . | PID:1620
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe | PID:5524
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe | PID:1640
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe . | PID:2660
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe | PID:5384
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe . | PID:3464
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe . | PID:4656
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe | PID:1172
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe | PID:2272
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe . | PID:3872
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe . | PID:4932
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe | PID:4864
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe | PID:5660
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe . | PID:2648
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe . | PID:4992
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe | PID:3992
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe . | PID:2324
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe | PID:2408
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe | PID:4324
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe . | PID:4404
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe . | PID:2512
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe | PID:5456
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe . | PID:5912
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe | PID:4172
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe . | PID:2784
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe | PID:5712
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe . | PID:5352
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe | PID:5612
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe | PID:872
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe . | PID:4944
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe . | PID:2768
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe | PID:4712
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe . | PID:1188
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe | PID:3896
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe | PID:4860
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe . | PID:2956
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe . | PID:4428
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe | PID:1956
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe . | PID:1812
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe | PID:1796
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe . | PID:1092
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe | PID:1160
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe . | PID:1848
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe | PID:5648
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe . | PID:4908
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe | PID:2476
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe . | PID:5584
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe | PID:5940
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe . | PID:1864
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe | PID:5924
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe | PID:2484
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe . | PID:5268
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe . | PID:2872
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe | PID:1924
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe . | PID:4740
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe | PID:3424
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe . | PID:3184
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe | PID:4632
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe . | PID:4520
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe | PID:4048
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe . | PID:5004
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe | PID:4912
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe . | PID:2432
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe | PID:3656
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads