Analysis
max time kernel: 150s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 22/04/2025, 19:53
Behavioral task: behavioral1
Sample: JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Resource: win10v2004-20250410-en
Behavioral task: behavioral2
Sample: JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Resource: win11-20250410-en
General
Target: JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Size: 320KB
MD5: cf6315a04080fc61fa1bcc006d0dbb52
SHA1: e42959df583c9197204a1f907c7731334498693e
SHA256: 01de46a840296756d1f790f69c54859ecb26e8fb76b5f5f31436f8df6decb818
SHA512: 176169456fc2d3f48b756c852e652e3b3a01c08baaaf1380d5d62eec098ca5e804d89fd6323f2d6c8a4caf0a4ad30fb9a609cf2f99f5c57a4f3a28a3c74e3479
SSDEEP: 6144:oTw1o1IV3puaibGKFHi0mofhaH05kipz016580bHFP86JQPDHDdx/Qt6R:GTgvmzFHi0mo5aH0qMzd5807FPPJQPDF
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Pykspa family
UAC bypass (3 TTPs, 12 IoCs)
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | zajucjp.exe
Detect Pykspa worm (1 IoCs)
resource | yara_rule
- behavioral2/files/0x001a00000002b1b7-9.dat | family_pykspa
Adds policy Run key to start application (2 TTPs, 26 IoCs)
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "bqnmidxvqdjpabvfzrpeb.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "oauqjbsnfpsvdbszqf.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "fqjewndxoxzbifvbr.exe" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqnmidxvqdjpabvfzrpeb.exe" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | zajucjp.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmheyrjfyjnrazrzrhd.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yiaulbqjzhijplaf.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "zmheyrjfyjnrazrzrhd.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqjewndxoxzbifvbr.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mawupjcztfkpzzsbuliw.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "mawupjcztfkpzzsbuliw.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oauqjbsnfpsvdbszqf.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "mawupjcztfkpzzsbuliw.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqnmidxvqdjpabvfzrpeb.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oauqjbsnfpsvdbszqf.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqjewndxoxzbifvbr.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "yiaulbqjzhijplaf.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mawupjcztfkpzzsbuliw.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "oauqjbsnfpsvdbszqf.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmheyrjfyjnrazrzrhd.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqnmidxvqdjpabvfzrpeb.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "fqjewndxoxzbifvbr.exe" | zajucjp.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yiaulbqjzhijplaf.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "bqnmidxvqdjpabvfzrpeb.exe" | zajucjp.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | process
- Set value (int) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zajucjp.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zajucjp.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
Executes dropped EXE (2 IoCs)
pid | process
- 448 | zajucjp.exe
- 5104 | zajucjp.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description | ioc | process
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | zajucjp.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | zajucjp.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | zajucjp.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | zajucjp.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | zajucjp.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | zajucjp.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\tctmcrfxmtttyth = "oauqjbsnfpsvdbszqf.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "fqjewndxoxzbifvbr.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "bqnmidxvqdjpabvfzrpeb.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "oauqjbsnfpsvdbszqf.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqjewndxoxzbifvbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqjewndxoxzbifvbr.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "yiaulbqjzhijplaf.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "fqjewndxoxzbifvbr.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqnmidxvqdjpabvfzrpeb.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "mawupjcztfkpzzsbuliw.exe" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oauqjbsnfpsvdbszqf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqnmidxvqdjpabvfzrpeb.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "mawupjcztfkpzzsbuliw.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oauqjbsnfpsvdbszqf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqnmidxvqdjpabvfzrpeb.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yiaulbqjzhijplaf.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oauqjbsnfpsvdbszqf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yiaulbqjzhijplaf.exe" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "fqjewndxoxzbifvbr.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "zmheyrjfyjnrazrzrhd.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "yiaulbqjzhijplaf.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "fqjewndxoxzbifvbr.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oauqjbsnfpsvdbszqf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmheyrjfyjnrazrzrhd.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "mawupjcztfkpzzsbuliw.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oauqjbsnfpsvdbszqf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqjewndxoxzbifvbr.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "zmheyrjfyjnrazrzrhd.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqjewndxoxzbifvbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mawupjcztfkpzzsbuliw.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oauqjbsnfpsvdbszqf.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\tctmcrfxmtttyth = "yiaulbqjzhijplaf.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqjewndxoxzbifvbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmheyrjfyjnrazrzrhd.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mawupjcztfkpzzsbuliw.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqjewndxoxzbifvbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yiaulbqjzhijplaf.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oauqjbsnfpsvdbszqf.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oauqjbsnfpsvdbszqf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mawupjcztfkpzzsbuliw.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqjewndxoxzbifvbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yiaulbqjzhijplaf.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqjewndxoxzbifvbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqjewndxoxzbifvbr.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "mawupjcztfkpzzsbuliw.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mawupjcztfkpzzsbuliw.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "zmheyrjfyjnrazrzrhd.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "yiaulbqjzhijplaf.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\tctmcrfxmtttyth = "mawupjcztfkpzzsbuliw.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mawupjcztfkpzzsbuliw.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oauqjbsnfpsvdbszqf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmheyrjfyjnrazrzrhd.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqjewndxoxzbifvbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oauqjbsnfpsvdbszqf.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "zmheyrjfyjnrazrzrhd.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "zmheyrjfyjnrazrzrhd.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "fqjewndxoxzbifvbr.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yiaulbqjzhijplaf.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "yiaulbqjzhijplaf.exe" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmheyrjfyjnrazrzrhd.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "yiaulbqjzhijplaf.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "bqnmidxvqdjpabvfzrpeb.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oauqjbsnfpsvdbszqf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oauqjbsnfpsvdbszqf.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "fqjewndxoxzbifvbr.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\tctmcrfxmtttyth = "bqnmidxvqdjpabvfzrpeb.exe" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqnmidxvqdjpabvfzrpeb.exe ." | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "bqnmidxvqdjpabvfzrpeb.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqjewndxoxzbifvbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mawupjcztfkpzzsbuliw.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqnmidxvqdjpabvfzrpeb.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\tctmcrfxmtttyth = "fqjewndxoxzbifvbr.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "bqnmidxvqdjpabvfzrpeb.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oauqjbsnfpsvdbszqf.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "oauqjbsnfpsvdbszqf.exe ." | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\tctmcrfxmtttyth = "yiaulbqjzhijplaf.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mawupjcztfkpzzsbuliw.exe ." | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yiaulbqjzhijplaf.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqjewndxoxzbifvbr.exe" | zajucjp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqjewndxoxzbifvbr.exe ." | zajucjp.exe
Checks whether UAC is enabled (1 TTPs, 6 IoCs)
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zajucjp.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zajucjp.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | zajucjp.exe
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
- 2 | www.showmyipaddress.com
- 2 | www.whatismyip.ca
- 2 | whatismyip.everdot.org
- 2 | whatismyipaddress.com
Drops file in System32 directory (4 IoCs)
description | ioc | process
- File opened for modification | C:\Windows\SysWOW64\gcgmprsxztgtltulmlqmqwzb.hjd | zajucjp.exe
- File created | C:\Windows\SysWOW64\gcgmprsxztgtltulmlqmqwzb.hjd | zajucjp.exe
- File opened for modification | C:\Windows\SysWOW64\pwlcqdpfsxvtwpbdpzpwlcqdpfsxvtwpbdp.pwl | zajucjp.exe
- File created | C:\Windows\SysWOW64\pwlcqdpfsxvtwpbdpzpwlcqdpfsxvtwpbdp.pwl | zajucjp.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | process
- File opened for modification | C:\Program Files (x86)\pwlcqdpfsxvtwpbdpzpwlcqdpfsxvtwpbdp.pwl | zajucjp.exe
- File created | C:\Program Files (x86)\pwlcqdpfsxvtwpbdpzpwlcqdpfsxvtwpbdp.pwl | zajucjp.exe
- File opened for modification | C:\Program Files (x86)\gcgmprsxztgtltulmlqmqwzb.hjd | zajucjp.exe
- File created | C:\Program Files (x86)\gcgmprsxztgtltulmlqmqwzb.hjd | zajucjp.exe
Drops file in Windows directory (4 IoCs)
description | ioc | process
- File opened for modification | C:\Windows\gcgmprsxztgtltulmlqmqwzb.hjd | zajucjp.exe
- File created | C:\Windows\gcgmprsxztgtltulmlqmqwzb.hjd | zajucjp.exe
- File opened for modification | C:\Windows\pwlcqdpfsxvtwpbdpzpwlcqdpfsxvtwpbdp.pwl | zajucjp.exe
- File created | C:\Windows\pwlcqdpfsxvtwpbdpzpwlcqdpfsxvtwpbdp.pwl | zajucjp.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zajucjp.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zajucjp.exe
Modifies registry class (3 IoCs)
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Local Settings | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Key created | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Local Settings | zajucjp.exe
- Key created | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Local Settings | zajucjp.exe
Suspicious behavior: EnumeratesProcesses (26 IoCs)
pid | process
- 5104 | zajucjp.exe (26 identical entries)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | process
- 448 | zajucjp.exe
- 5104 | zajucjp.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | process
- Token: SeDebugPrivilege | 5104 | zajucjp.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | process | procid_target
- PID 3516 wrote to memory of 448 | 3516 | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | 94
- PID 3516 wrote to memory of 448 | 3516 | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | 94
- PID 3516 wrote to memory of 448 | 3516 | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | 94
- PID 3516 wrote to memory of 5104 | 3516 | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | 95
- PID 3516 wrote to memory of 5104 | 3516 | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | 95
- PID 3516 wrote to memory of 5104 | 3516 | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | 95
System policy modification (1 TTPs, 36 IoCs)
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | zajucjp.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | zajucjp.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | zajucjp.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | zajucjp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | zajucjp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe (PID 3516, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe"
  Behaviors:
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Children:
  - C:\Users\Admin\AppData\Local\Temp\zajucjp.exe (PID 448, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\zajucjp.exe" "-"
    Behaviors:
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - System policy modification
  - C:\Users\Admin\AppData\Local\Temp\zajucjp.exe (PID 5104, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\zajucjp.exe" "-"
    Behaviors:
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution 3
  - Registry Run Keys / Startup Folder 2
  - Winlogon Helper DLL 1
- Hijack Execution Flow 1
  - Executable Installer File Permissions Weakness 1
Privilege Escalation
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Boot or Logon Autostart Execution 3
  - Registry Run Keys / Startup Folder 2
  - Winlogon Helper DLL 1
- Hijack Execution Flow 1
  - Executable Installer File Permissions Weakness 1
Defense Evasion
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Hijack Execution Flow 1
  - Executable Installer File Permissions Weakness 1
- Impair Defenses 2
  - Disable or Modify Tools 1
  - Safe Mode Boot 1
- Modify Registry 5
Downloads