Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250410-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/04/2025, 19:53

Behavioral task: behavioral1
Sample: JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Resource: win10v2004-20250410-en

Behavioral task: behavioral2
Sample: JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Resource: win11-20250410-en

General

Target: JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Size: 320KB
MD5: cf6315a04080fc61fa1bcc006d0dbb52
SHA1: e42959df583c9197204a1f907c7731334498693e
SHA256: 01de46a840296756d1f790f69c54859ecb26e8fb76b5f5f31436f8df6decb818
SHA512: 176169456fc2d3f48b756c852e652e3b3a01c08baaaf1380d5d62eec098ca5e804d89fd6323f2d6c8a4caf0a4ad30fb9a609cf2f99f5c57a4f3a28a3c74e3479
SSDEEP: 6144:oTw1o1IV3puaibGKFHi0mofhaH05kipz016580bHFP86JQPDHDdx/Qt6R:GTgvmzFHi0mo5aH0qMzd5807FPPJQPDF

Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | hpufno.exe

Pykspa family

UAC bypass (3 TTPs, 12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe

Detect Pykspa worm (1 IoCs)
resource | yara_rule
behavioral1/files/0x000c000000023f84-9.dat | family_pykspa

Adds policy Run key to start application (2 TTPs, 26 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdurlyqkzpmzqkrhhj.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "jdurlyqkzpmzqkrhhj.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "uphfaohcsjhvniqhily.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "wtnnkavskddtnkunqvkhb.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uphfaohcsjhvniqhily.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "hdwvrgawnfetmirjlpdz.exe" | hpufno.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "atjfykbuixtfvouji.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "tlavnyogthcncuzn.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "uphfaohcsjhvniqhily.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlavnyogthcncuzn.exe" | hpufno.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdwvrgawnfetmirjlpdz.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "tlavnyogthcncuzn.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdwvrgawnfetmirjlpdz.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlavnyogthcncuzn.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe" | hpufno.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "hdwvrgawnfetmirjlpdz.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "atjfykbuixtfvouji.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "jdurlyqkzpmzqkrhhj.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "hdwvrgawnfetmirjlpdz.exe" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe

Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hpufno.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hpufno.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hpufno.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe

Executes dropped EXE (2 IoCs)
pid | Process
2692 | hpufno.exe
3988 | hpufno.exe

Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | hpufno.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | hpufno.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | hpufno.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | hpufno.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | hpufno.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | hpufno.exe

Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kzldsancmxpxj = "uphfaohcsjhvniqhily.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "hdwvrgawnfetmirjlpdz.exe" | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "tlavnyogthcncuzn.exe ." | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "atjfykbuixtfvouji.exe ." | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "atjfykbuixtfvouji.exe ." | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oftneodugtnxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe ." | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tlavnyogthcncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe" | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uphfaohcsjhvniqhily.exe ." | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "atjfykbuixtfvouji.exe ." | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe" | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uphfaohcsjhvniqhily.exe" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kzldsancmxpxj = "atjfykbuixtfvouji.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oftneodugtnxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe ." | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kzldsancmxpxj = "atjfykbuixtfvouji.exe" | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "uphfaohcsjhvniqhily.exe ." | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "atjfykbuixtfvouji.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "jdurlyqkzpmzqkrhhj.exe" | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "wtnnkavskddtnkunqvkhb.exe ." | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tlavnyogthcncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "uphfaohcsjhvniqhily.exe ." | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tlavnyogthcncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "hdwvrgawnfetmirjlpdz.exe ." | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdurlyqkzpmzqkrhhj.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "tlavnyogthcncuzn.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "tlavnyogthcncuzn.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "wtnnkavskddtnkunqvkhb.exe ." | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oftneodugtnxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdurlyqkzpmzqkrhhj.exe ." | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "wtnnkavskddtnkunqvkhb.exe" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "tlavnyogthcncuzn.exe ." | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlavnyogthcncuzn.exe" | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe ." | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kzldsancmxpxj = "uphfaohcsjhvniqhily.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "wtnnkavskddtnkunqvkhb.exe ." | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "wtnnkavskddtnkunqvkhb.exe ." | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "uphfaohcsjhvniqhily.exe ." | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kzldsancmxpxj = "hdwvrgawnfetmirjlpdz.exe" | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe ." | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdwvrgawnfetmirjlpdz.exe ." | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tlavnyogthcncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "wtnnkavskddtnkunqvkhb.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tlavnyogthcncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdurlyqkzpmzqkrhhj.exe" | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "uphfaohcsjhvniqhily.exe ." | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlavnyogthcncuzn.exe ." | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tlavnyogthcncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlavnyogthcncuzn.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "wtnnkavskddtnkunqvkhb.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "wtnnkavskddtnkunqvkhb.exe ." | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe ." | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "jdurlyqkzpmzqkrhhj.exe" | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "hdwvrgawnfetmirjlpdz.exe ." | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kzldsancmxpxj = "jdurlyqkzpmzqkrhhj.exe" | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdwvrgawnfetmirjlpdz.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oftneodugtnxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdurlyqkzpmzqkrhhj.exe ." | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tlavnyogthcncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlavnyogthcncuzn.exe" | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uphfaohcsjhvniqhily.exe ." | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tlavnyogthcncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdurlyqkzpmzqkrhhj.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "jdurlyqkzpmzqkrhhj.exe ." | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kzldsancmxpxj = "hdwvrgawnfetmirjlpdz.exe" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oftneodugtnxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe ." | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe" | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdurlyqkzpmzqkrhhj.exe ." | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "jdurlyqkzpmzqkrhhj.exe ." | hpufno.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kzldsancmxpxj = "wtnnkavskddtnkunqvkhb.exe" | hpufno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oftneodugtnxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uphfaohcsjhvniqhily.exe ." | hpufno.exe

Checks whether UAC is enabled (1 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hpufno.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hpufno.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | hpufno.exe

Looks up external IP address via web service (6 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
50 | www.whatismyip.ca
26 | whatismyipaddress.com
30 | www.showmyipaddress.com
33 | whatismyip.everdot.org
37 | www.whatismyip.ca
46 | whatismyip.everdot.org

Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\glnvaybgghpnpumnylinpxcad.ijr | hpufno.exe
File created | C:\Windows\SysWOW64\glnvaybgghpnpumnylinpxcad.ijr | hpufno.exe
File opened for modification | C:\Windows\SysWOW64\lbohxgukvhajwmpbxvdtgzpymcnzsboehtpn.lyr | hpufno.exe
File created | C:\Windows\SysWOW64\lbohxgukvhajwmpbxvdtgzpymcnzsboehtpn.lyr | hpufno.exe

Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\glnvaybgghpnpumnylinpxcad.ijr | hpufno.exe
File created | C:\Program Files (x86)\glnvaybgghpnpumnylinpxcad.ijr | hpufno.exe
File opened for modification | C:\Program Files (x86)\lbohxgukvhajwmpbxvdtgzpymcnzsboehtpn.lyr | hpufno.exe
File created | C:\Program Files (x86)\lbohxgukvhajwmpbxvdtgzpymcnzsboehtpn.lyr | hpufno.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\glnvaybgghpnpumnylinpxcad.ijr | hpufno.exe
File created | C:\Windows\glnvaybgghpnpumnylinpxcad.ijr | hpufno.exe
File opened for modification | C:\Windows\lbohxgukvhajwmpbxvdtgzpymcnzsboehtpn.lyr | hpufno.exe
File created | C:\Windows\lbohxgukvhajwmpbxvdtgzpymcnzsboehtpn.lyr | hpufno.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hpufno.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hpufno.exe

Modifies registry class (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Key created | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings | hpufno.exe
Key created | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings | hpufno.exe

Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid | Process
3988 | hpufno.exe
3988 | hpufno.exe
3988 | hpufno.exe
3988 | hpufno.exe
3988 | hpufno.exe
3988 | hpufno.exe
3988 | hpufno.exe
3988 | hpufno.exe
3988 | hpufno.exe
3988 | hpufno.exe
3988 | hpufno.exe
3988 | hpufno.exe
3988 | hpufno.exe
3988 | hpufno.exe
3988 | hpufno.exe
3988 | hpufno.exe
3988 | hpufno.exe
3988 | hpufno.exe
3988 | hpufno.exe
3988 | hpufno.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2692 | hpufno.exe
3988 | hpufno.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3988 | hpufno.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 3520 wrote to memory of 2692 | 3520 | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | 107
PID 3520 wrote to memory of 2692 | 3520 | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | 107
PID 3520 wrote to memory of 2692 | 3520 | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | 107
PID 3520 wrote to memory of 3988 | 3520 | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | 108
PID 3520 wrote to memory of 3988 | 3520 | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | 108
PID 3520 wrote to memory of 3988 | 3520 | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | 108

System policy modification (1 TTPs, 36 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | hpufno.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | hpufno.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | hpufno.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | hpufno.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | hpufno.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | hpufno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | hpufno.exe
Processes
-
Level 1 | PID 3520 | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
Level 2 | PID 2692 | "C:\Users\Admin\AppData\Local\Temp\hpufno.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- System policy modification
Level 2 | PID 3988 | "C:\Users\Admin\AppData\Local\Temp\hpufno.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- System policy modification
Level 1 | PID 1212 | C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe
Level 1 | PID 5072 | C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .
Level 1 | PID 4360 | C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe
Level 1 | PID 2732 | C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .
Level 1 | PID 208 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe
Level 1 | PID 4208 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe .
Level 1 | PID 2912 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe
Level 1 | PID 5008 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe .
Level 1 | PID 1232 | C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe
Level 1 | PID 4376 | C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe
Level 1 | PID 3624 | C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .
Level 1 | PID 628 | C:\Windows\system32\cmd.exe /c tlavnyogthcncuzn.exe .
Level 1 | PID 2124 | C:\Windows\system32\cmd.exe /c tlavnyogthcncuzn.exe
Level 1 | PID 1512 | C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe
Level 1 | PID 5056 | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Level 1 | PID 3912 | C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe .
Level 1 | PID 732 | C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .
Level 1 | PID 4348 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe
Level 1 | PID 4332 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe
Level 1 | PID 5060 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe .
Level 1 | PID 556 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe .
Level 1 | PID 220 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe
Level 1 | PID 5072 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdurlyqkzpmzqkrhhj.exe
Level 1 | PID 2232 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe .
Level 1 | PID 3296 | C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe
Level 1 | PID 532 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe .
Level 1 | PID 1916 | C:\Windows\system32\cmd.exe /c tlavnyogthcncuzn.exe
Level 1 | PID 3624 | C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe
Level 1 | PID 3932 | C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .
Level 1 | PID 4800 | C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe .
Level 1 | PID 1736 | C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe
Level 1 | PID 5068 | C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe .
Level 1 | PID 5020 | C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe
Level 1 | PID 5064 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe
Level 1 | PID 4664 | C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe .
Level 1 | PID 4900 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe .
Level 1 | PID 4332 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe
Level 1 | PID 4128 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe .
Level 1 | PID 4656 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe
Level 1 | PID 3376 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe .
Level 1 | PID 2244 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe
Level 1 | PID 1784 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdurlyqkzpmzqkrhhj.exe .
Level 1 | PID 3832 | C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe
Level 1 | PID 1240 | C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe .
Level 1 | PID 4064 | C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe
Level 1 | PID 1228 | C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe .
Level 1 | PID 748 | C:\Windows\system32\cmd.exe /c tlavnyogthcncuzn.exe
Level 1 | PID 3300 | C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe .
Level 1 | PID 2528 | C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe
Level 1 | PID 1736 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe
Level 1 | PID 4860 | C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe .
Level 1 | PID 704 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe .
Level 1 | PID 4664 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe
Level 1 | PID 2184 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe .
Level 1 | PID 924 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe
Level 1 | PID 5060 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdurlyqkzpmzqkrhhj.exe .
Level 1 | PID 3416 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe
Level 1 | PID 556 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe .
Level 1 | PID 2612 | C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe
Level 1 | PID 1772 | C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe
Level 1 | PID 4340 | C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe .
Level 1 | PID 1512 | C:\Windows\system32\cmd.exe /c tlavnyogthcncuzn.exe
Level 1 | PID 4916 | C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe .
Level 1 | PID 704 | C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .
Level 1 | PID 5020 | C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe
Level 1 | PID 2984 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe
Level 1 | PID 2184 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe .
Level 1 | PID 3304 | C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe .
Level 1 | PID 3808 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe
Level 1 | PID 1824 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe .
Level 1 | PID 2220 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe
Level 1 | PID 5080 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe .
Level 1 | PID 2976 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe
Level 1 | PID 1504 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe .
Level 1 | PID 1984 | C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe
Level 1 | PID 3892 | C:\Windows\system32\cmd.exe /c tlavnyogthcncuzn.exe .
Level 1 | PID 3520 | C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe
Level 1 | PID 2656 | C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe
Level 1 | PID 1504 | C:\Windows\system32\cmd.exe /c tlavnyogthcncuzn.exe .
Level 1 | PID 3648 | C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .
Level 1 | PID 388 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe
Level 1 | PID 2428 | C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe
Level 1 | PID 3652 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe .
Level 1 | PID 632 | C:\Windows\system32\cmd.exe /c tlavnyogthcncuzn.exe .
Level 1 | PID 772 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdurlyqkzpmzqkrhhj.exe
Level 1 | PID 2096 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe .
Level 1 | PID 3908 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe
Level 1 | PID 1356 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe .
Level 1 | PID 1540 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe
Level 1 | PID 4664 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe .
Level 1 | PID 3528 | C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe
Level 1 | PID 4936 | C:\Windows\system32\cmd.exe /c tlavnyogthcncuzn.exe .
Level 1 | PID 2732 | C:\Windows\system32\cmd.exe /c tlavnyogthcncuzn.exe
Level 1 | PID 4252 | C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe
Level 1 | PID 2000 | C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .
Level 1 | PID 1444 | C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe .
Level 1 | PID 2976 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe
Level 1 | PID 2012 | C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe
Level 1 | PID 3568 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdurlyqkzpmzqkrhhj.exe .
Level 1 | PID 1672 | C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe .
Level 1 | PID 5100 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe
Level 1 | PID 3816 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe .
Level 1 | PID 2124 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe
Level 1 | PID 2784 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe .
Level 1 | PID 4320 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe
Level 1 | PID 4712 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe .
Level 1 | PID 2044 | C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe
Level 1 | PID 1736 | C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe .
Level 1 | PID 880 | C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe
Level 1 | PID 2356 | C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe
Level 1 | PID 464 | C:\Windows\system32\cmd.exe /c tlavnyogthcncuzn.exe .
Level 1 | PID 2364 | C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe .
Level 1 | PID 1040 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe
Level 1 | PID 3888 | C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe
Level 1 | PID 3884 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdurlyqkzpmzqkrhhj.exe .
Level 1 | PID 4572 | C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe .
Level 1 | PID 4592 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdurlyqkzpmzqkrhhj.exe
Level 1 | PID 4896 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe .
Level 1 | PID 3652 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe
Level 1 | PID 3008 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe .
Level 1 | PID 5068 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe
Level 1 | PID 4408 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe .
Level 1 | PID 4444 | C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe
Level 1 | PID 2016 | C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .
Level 1 | PID 2708 | C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe
Level 1 | PID 3804 | C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe
Level 1 | PID 1476 | C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .
Level 1 | PID 676 | C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe .
Level 1 | PID 2444 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe
Level 1 | PID 1080 | C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe
Level 1 | PID 3448 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe .
Level 1 | PID 2000 | C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe .
Level 1 | PID 3272 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe
Level 1 | PID 2020 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe .
Level 1 | PID 3860 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe
Level 1 | PID 3668 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdurlyqkzpmzqkrhhj.exe .
Level 1 | PID 2656 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe
Level 1 | PID 912 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe .
Level 1 | PID 740 | C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe
Level 1 | PID 4320 | C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe .
Level 1 | PID 2216 | C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe
Level 1 | PID 1484 | C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe
Level 1 | PID 1604 | C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe .
Level 1 | PID 4952 | C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe .
Level 1 | PID 5020 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdurlyqkzpmzqkrhhj.exe
Level 1 | PID 4052 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe .
Level 1 | PID 3016 | C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe
Level 1 | PID 1564 | C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe .
Level 1 | PID 224 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe
Level 1 | PID 4708 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe
Level 1 | PID 1952 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe .
Level 1 | PID 1476 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe .
Level 1 | PID 4064 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe
Level 1 | PID 908 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe .
Level 1 | PID 4060 | C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe
Level 1 | PID 4376 | C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe .
Level 1 | PID 1864 | C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe
Level 1 | PID 3368 | C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe
Level 1 | PID 1656 | C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .
Level 1 | PID 4876 | C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe .
Level 1 | PID 1932 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe
Level 1 | PID 2316 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe .
Level 1 | PID 3080 | C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe
Level 1 | PID 4316 | C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe .
Level 1 | PID 2776 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe
Level 1 | PID 4580 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe
Level 1 | PID 1484 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe .
Level 1 | PID 4452 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe .
Level 1 | PID 4980 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdurlyqkzpmzqkrhhj.exe
Level 1 | PID 4552 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe .
Level 1 | PID 1080 | C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe
Level 1 | PID 4760 | C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe .
Level 1 | PID 1248 | C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe
Level 1 | PID 1772 | C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe
Level 1 | PID 3752 | C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe .
Level 1 | PID 4888 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe
Level 1 | PID 628 | C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe .
Level 1 | PID 432 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe .
Level 1 | PID 4680 | C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe
Level 1 | PID 1544 | C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe .
Level 1 | PID 3300 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe
Level 1 | PID 1336 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe
Level 1 | PID 4868 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe .
Level 1 | PID 4792 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdurlyqkzpmzqkrhhj.exe .
Level 1 | PID 1612 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe
Level 1 | PID 1272 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe .
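The process list above is the page's rendering of the sandbox tree, with image path, command line, nesting level and PID fused into one line per process, and every cmd.exe reported at level 1, that is, with no monitored parent attached. The following is an added example, not code from the sandbox or from the sample: it parses a constructed excerpt of that list (lines copied from this report, with the PID folded onto the same line as the page does for the cmd.exe entries) and pulls out two things the raw list hides. First, how each dropped binary was launched: by bare name, which cmd.exe resolves through the working directory and PATH, or by absolute path, and with or without the lone "." argument. Second, PIDs that appear on more than one process. The Proc, parse_processes, cmd_c_targets and pid_reuse names are the example's own.

```python
"""Parse the report's fused process lines; find launch patterns and PID reuse.

Added example; not code from the sandbox or the malware. PROCESS_LINES is a
constructed excerpt of the report's process list: image path, command line,
"<level>⤵" and "PID:<n>" fused exactly as the page shows them.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

PROCESS_LINES = r"""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe"1⤵PID:3520
C:\Users\Admin\AppData\Local\Temp\hpufno.exe"C:\Users\Admin\AppData\Local\Temp\hpufno.exe" "-"2⤵PID:2692
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe1⤵PID:1212
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .1⤵PID:5072
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5056
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdurlyqkzpmzqkrhhj.exe1⤵PID:5072
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe1⤵PID:3520
"""


@dataclass(frozen=True)
class Proc:
    image: str
    cmdline: str
    level: int   # nesting depth in the sandbox tree (1 = no monitored parent)
    pid: int


# Image path (no spaces in this report), then the command line, then the
# "<level>⤵PID:<pid>" tail. A command line ending in digits would be ambiguous
# in this fused form; none in the report does.
PROC_LINE = re.compile(r"^(?P<image>\S+?\.exe)(?P<cmdline>.+?)(?P<level>\d+)⤵PID:(?P<pid>\d+)$")
CMD_C = re.compile(r"^\S*cmd\.exe\s+/c\s+(?P<target>\S+)(?P<args>.*)$", re.IGNORECASE)


def parse_processes(text: str) -> list[Proc]:
    procs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PROC_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable process line: {line!r}")
        procs.append(Proc(m["image"], m["cmdline"], int(m["level"]), int(m["pid"])))
    return procs


def cmd_c_targets(procs: list[Proc]) -> dict[str, Counter]:
    """Per binary launched via `cmd.exe /c`: launches by bare name (resolved
    through the working directory and PATH, so which file runs depends on the
    environment), by absolute path, and with the lone "." argument."""
    stats: dict[str, Counter] = {}
    for p in procs:
        m = CMD_C.match(p.cmdline)
        if m is None:
            continue  # the sample, hpufno.exe and rundll32.exe are not cmd /c launches
        target = m["target"]
        name = target.rsplit("\\", 1)[-1].lower()
        c = stats.setdefault(name, Counter())
        c["absolute" if "\\" in target else "bare"] += 1
        if m["args"].strip() == ".":
            c["dot_arg"] += 1
    return stats


def pid_reuse(procs: list[Proc]) -> dict[int, list[Proc]]:
    """PIDs listed for more than one process. Two distinct processes shared the
    ID over the run, so the earlier one had exited and the kernel reissued it;
    joining events on PID alone would merge the sample with a later cmd.exe."""
    by_pid: dict[int, list[Proc]] = {}
    for p in procs:
        by_pid.setdefault(p.pid, []).append(p)
    return {pid: ps for pid, ps in by_pid.items() if len(ps) > 1}


if __name__ == "__main__":
    procs = parse_processes(PROCESS_LINES)
    for name, c in cmd_c_targets(procs).items():
        print(name, dict(c))
    for pid, ps in pid_reuse(procs).items():
        print(pid, [p.image.rsplit("\\", 1)[-1] for p in ps])
```

In the full list PID 3520 belongs first to the sample and later to a cmd.exe, and 5072, 3624, 1736 and 4664 recur the same way, so a correlation keyed on PID alone would attribute cmd.exe launches to the sample. Key on image path plus command line (or on the sandbox's own process handle) instead; with every cmd.exe at level 1, parent-child linkage is not available in this report either.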
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads
-
Filesize: 280B
MD5:    979fee17b9f7215b9d5b6e9afc93d64a
SHA1:   fc5864bfdd0816edf3999b6284cac7b0d6d57ea9
SHA256: f83c605083fe60625018f1369a89df8c4d6646f3f02074dfffe932ff6547c001
SHA512: 9939be7347ff182b861d43ebe1f72becaef3c3c9fcacf3c1ba9cc163abb45e704302b104e206ebabc0ca5b0baca7d3716d9d720818687aa30b3c190ac0471da5
-
Filesize: 280B
MD5:    d459ff9e5a47f0496c604d1012731e2c
SHA1:   7b3a84cc6ba5ecf72b040d3cfc12f6d09cb57fb3
SHA256: 6221a88039f51dbbdbe9274b0ce525521869367be2444f3d871d29ebc132f8bb
SHA512: 3fc6606fba91c5cf0ae34bd4a57ab0927777d11213b5ea823e1fb20fa055dbea652f8c9a175a31ac2ff810165ed6890c476a577fd5095a547fa1b2de1cbc19cc
-
Filesize: 280B
MD5:    ca86d1ad17faf524899121a2742b3bad
SHA1:   ad7d3493428c2bb8056a595b9169ddb0f1e4e91b
SHA256: 55338ba5aaef0254786a94d03c5c31a58289f1740adbec7e540c9ae5be5d1e3e
SHA512: 5c1a6ed008a859bbfea7c1ea0f924f30abc019001331538a87807c4632c088ca8bb37baa5754c27954e77f8b6a435e39e509cf9ce9945956a810024ff0c60555
-
Filesize: 280B
MD5:    24bc4b10dee749ffa4f9c3b767a613c0
SHA1:   04a3d0143d7a07902eda92ee393c2625f0cb32b0
SHA256: 41bb936a4837bafafbc707d5bd0060f80ae5844c42c915f39c4b04e6229a99f0
SHA512: 074579645ec78eec067ee6ba9b1d01547126085e0a9cafa3ee7ae6be2e0e2bbd5de02e0b162a676bcfcb886aa66c7957d6fa13319fa92fe31477bff9e9e29597
-
Filesize: 696KB
MD5:    d1ca361a3095142de460726b262fbf7b
SHA1:   f0f3f7ca1dba79755ba6869667160ebb51de99cd
SHA256: fae4fad367b4cdb332c50fa5fb8b3a4c0a7f756653469920a80280996245c3ef
SHA512: 16c8bd013364e6ff83aae04e01fc505e73d3a8d744afd778c00c7ccdc15c1e3dc23b48b3b694486d91afc79f7b7a8b4d5f101fe8760b8c47fe6f03f23224738f
-
Filesize: 280B
MD5:    41ed5b57317aea5a47eeb45744fe32e6
SHA1:   1a6024df272b023358c0821d4eab7ea115b282d2
SHA256: 76c69905ebf3e8876b4776b5bd464e8c10c7699cc08b108b7320131cf16bc4d2
SHA512: eb52bfd6082ab3259013fd510074b4b3270cb165c6d73931c30832669892fd2ba2c876d04ab124dd6c06ea1606cc09c76c755926be4317446611cd45df3789be
-
Filesize: 280B
MD5:    d93b1f34af6fd395b5a9e750a43feccd
SHA1:   99dafb8a429fef4c0ae7cc724727cf641975c025
SHA256: 3f6f17f769829f55dd4525a1c99f6798df57bd090bb509526bed26419a824046
SHA512: 3164fe177a0928b93360f57d02bcf0772bffcb36a217f08ad895aa29c621ae275b549367703f433bd6bde97334d1fc866321b6301f713f26b9fbdfc58bae4f96
-
Filesize: 280B
MD5:    ef60008bc71d4c21d7d3a386e0d159a2
SHA1:   62571b4a570b711ce52d03342eda0000cdd29b5b
SHA256: e2b23ccfa82bbc527109d16abb72cd7b4e3efbe68188d7c2e9a6e34c118344f9
SHA512: d78f0c1b87ce0e84c24c247a18a5a19b3fcc24463aefbf9168ddf27d0990a9d4069dfe792fdafe00d9b8117159c4ecc2505b97ebd2987e4cdaf9616b2ecee991
-
Filesize: 280B
MD5:    c5ba0f58943338a2260f59bc9979dc64
SHA1:   ed189c36e762615fab7f848997abab9bf4a6c505
SHA256: 58b5d25951df8aa767bf5b69af7054785e423f078aa0475f907b6f81848b0073
SHA512: 176697ccdfaae5d3dd30237f91e32cff1e4be26ed6b3b2a0fcc47b04b1cc4a1d8d749a2a1d22eae9b62862218af8e2d6876ceddc3bf2d62b79e90a923126b75c
-
Filesize: 4KB
MD5:    c761e7d3ec65e0915155396cf967c2ed
SHA1:   d1c2620d7846feb67fc62fbdb6f5800929d7a7ee
SHA256: 3d21de5b20677e59770a73fe68161d4940b4d8f69ceda46309413e257ecd642b
SHA512: 1342a941571f7c569cf842c12f3990f0491d1ffc3c892b9020daa8ad57e41b3e04ef554a44cc359741eac95f423a0d7f069988c1299545a3ad26ce4587d433f1