Analysis
-
max time kernel
98s -
max time network
309s -
platform
windows11-21h2_x64 -
resource
win11-20250313-en -
resource tags
-
submitted
29/03/2025, 10:36
General
-
Target
JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe
-
Size
500KB
-
MD5
8b1e36f6581f2277b0f8af5c27afea2a
-
SHA1
e63bbfb02b21834db1890dec85669cdc93cc3978
-
SHA256
9f1ca7fd043142e1a40113229b8764d993123647a3ea9ada7ca338f67325020e
-
SHA512
919d39e4d25266a674c0f47de00af65a07159fe082f0d9bd9976f7b2f6f49a6a6603c47dd0a6ac89512b19a73cb579cc5b593272dd219607834b5df4fd5db2e4
-
SSDEEP
12288:L1Tg5pBHxXptbN5ZRgOiBjw/C0AWzFjQ7H:LcH7tbrbIBjwuWR4H
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 48 IoCs
-
Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
-
Pykspa family
-
UAC bypass 3 TTPs 57 IoCs
-
Detect Pykspa worm 2 IoCs
-
Adds policy Run key to start application 2 TTPs 64 IoCs
-
Disables RegEdit via registry modification 6 IoCs
-
Executes dropped EXE 64 IoCs
-
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Checks whether UAC is enabled 1 TTPs 64 IoCs
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possible Turn off User Account Control's privilege elevation for standard users.
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8b1e36f6581f2277b0f8af5c27afea2a.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\vbnrxer.exe"C:\Users\Admin\AppData\Local\Temp\vbnrxer.exe" "-C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\vbnrxer.exe"C:\Users\Admin\AppData\Local\Temp\vbnrxer.exe" "-C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe .1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ibarkeezlfjrxdqkswex.exe*."3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\brnbrifxgxydgjtkp.exe*."3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\brnbrifxgxydgjtkp.exe*."3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe .1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\xrrjdyzvidiryftoxclff.exe*."3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe .1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe .2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\brnbrifxgxydgjtkp.exe*."3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe .1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ujergwsjrhhlnpyo.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\xrrjdyzvidiryftoxclff.exe*."3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\brnbrifxgxydgjtkp.exe*."3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe .1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe .2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\brnbrifxgxydgjtkp.exe*."3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\vnlbtmlfqjmtydpipsz.exe*."3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\kbynewunxprxbfqioq.exe*."3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe .2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ibarkeezlfjrxdqkswex.exe*."3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe .1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe .2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\brnbrifxgxydgjtkp.exe*."3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\kbynewunxprxbfqioq.exe*."3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ibarkeezlfjrxdqkswex.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe .1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\brnbrifxgxydgjtkp.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ibarkeezlfjrxdqkswex.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ibarkeezlfjrxdqkswex.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\brnbrifxgxydgjtkp.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\brnbrifxgxydgjtkp.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ibarkeezlfjrxdqkswex.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe .1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\kbynewunxprxbfqioq.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ujergwsjrhhlnpyo.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\xrrjdyzvidiryftoxclff.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ibarkeezlfjrxdqkswex.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\vnlbtmlfqjmtydpipsz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe .1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\brnbrifxgxydgjtkp.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\kbynewunxprxbfqioq.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ujergwsjrhhlnpyo.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe .1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ujergwsjrhhlnpyo.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ibarkeezlfjrxdqkswex.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ibarkeezlfjrxdqkswex.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\brnbrifxgxydgjtkp.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe .1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ujergwsjrhhlnpyo.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ibarkeezlfjrxdqkswex.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ibarkeezlfjrxdqkswex.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\brnbrifxgxydgjtkp.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ibarkeezlfjrxdqkswex.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\brnbrifxgxydgjtkp.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ibarkeezlfjrxdqkswex.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ibarkeezlfjrxdqkswex.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe .1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\brnbrifxgxydgjtkp.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\xrrjdyzvidiryftoxclff.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ujergwsjrhhlnpyo.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ujergwsjrhhlnpyo.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe .1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ujergwsjrhhlnpyo.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\brnbrifxgxydgjtkp.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\brnbrifxgxydgjtkp.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\brnbrifxgxydgjtkp.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe .1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\kbynewunxprxbfqioq.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe .1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\kbynewunxprxbfqioq.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\kbynewunxprxbfqioq.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe .1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\kbynewunxprxbfqioq.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\kbynewunxprxbfqioq.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\xrrjdyzvidiryftoxclff.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe .1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\kbynewunxprxbfqioq.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\brnbrifxgxydgjtkp.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\xrrjdyzvidiryftoxclff.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\kbynewunxprxbfqioq.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\xrrjdyzvidiryftoxclff.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ibarkeezlfjrxdqkswex.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe .1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\brnbrifxgxydgjtkp.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe .1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\kbynewunxprxbfqioq.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe .1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\brnbrifxgxydgjtkp.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\brnbrifxgxydgjtkp.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\brnbrifxgxydgjtkp.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ibarkeezlfjrxdqkswex.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\brnbrifxgxydgjtkp.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ujergwsjrhhlnpyo.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\brnbrifxgxydgjtkp.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe .1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ujergwsjrhhlnpyo.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ibarkeezlfjrxdqkswex.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe .1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ujergwsjrhhlnpyo.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ujergwsjrhhlnpyo.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe .1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ujergwsjrhhlnpyo.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ibarkeezlfjrxdqkswex.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\xrrjdyzvidiryftoxclff.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe .1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ujergwsjrhhlnpyo.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ujergwsjrhhlnpyo.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ibarkeezlfjrxdqkswex.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ujergwsjrhhlnpyo.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe .1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ujergwsjrhhlnpyo.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe .1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\brnbrifxgxydgjtkp.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\brnbrifxgxydgjtkp.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\kbynewunxprxbfqioq.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe .1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\kbynewunxprxbfqioq.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe .1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\brnbrifxgxydgjtkp.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe .1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\kbynewunxprxbfqioq.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ibarkeezlfjrxdqkswex.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ujergwsjrhhlnpyo.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\kbynewunxprxbfqioq.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ibarkeezlfjrxdqkswex.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\kbynewunxprxbfqioq.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\brnbrifxgxydgjtkp.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ujergwsjrhhlnpyo.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\xrrjdyzvidiryftoxclff.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe .1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\kbynewunxprxbfqioq.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ujergwsjrhhlnpyo.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ujergwsjrhhlnpyo.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Drops file in Windows directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe .1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\kbynewunxprxbfqioq.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe .1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ujergwsjrhhlnpyo.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ibarkeezlfjrxdqkswex.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\brnbrifxgxydgjtkp.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe .1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\brnbrifxgxydgjtkp.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\brnbrifxgxydgjtkp.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ujergwsjrhhlnpyo.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ibarkeezlfjrxdqkswex.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ibarkeezlfjrxdqkswex.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ibarkeezlfjrxdqkswex.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ibarkeezlfjrxdqkswex.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ibarkeezlfjrxdqkswex.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe .1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\brnbrifxgxydgjtkp.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\kbynewunxprxbfqioq.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe .1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ujergwsjrhhlnpyo.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe .1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ujergwsjrhhlnpyo.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe .1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ujergwsjrhhlnpyo.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ujergwsjrhhlnpyo.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ibarkeezlfjrxdqkswex.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe .1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\brnbrifxgxydgjtkp.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe .1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\kbynewunxprxbfqioq.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\brnbrifxgxydgjtkp.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ibarkeezlfjrxdqkswex.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\brnbrifxgxydgjtkp.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe .1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\vnlbtmlfqjmtydpipsz.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\kbynewunxprxbfqioq.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\kbynewunxprxbfqioq.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe .1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\kbynewunxprxbfqioq.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbynewunxprxbfqioq.exe .1⤵
-
C:\Windows\kbynewunxprxbfqioq.exekbynewunxprxbfqioq.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\kbynewunxprxbfqioq.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exeC:\Users\Admin\AppData\Local\Temp\brnbrifxgxydgjtkp.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\brnbrifxgxydgjtkp.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ibarkeezlfjrxdqkswex.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Windows\vnlbtmlfqjmtydpipsz.exevnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe .1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ujergwsjrhhlnpyo.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe1⤵
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Windows\xrrjdyzvidiryftoxclff.exexrrjdyzvidiryftoxclff.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exeC:\Users\Admin\AppData\Local\Temp\vnlbtmlfqjmtydpipsz.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\kbynewunxprxbfqioq.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exeC:\Users\Admin\AppData\Local\Temp\ujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exeC:\Users\Admin\AppData\Local\Temp\ibarkeezlfjrxdqkswex.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\ibarkeezlfjrxdqkswex.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibarkeezlfjrxdqkswex.exe1⤵
-
C:\Windows\ibarkeezlfjrxdqkswex.exeibarkeezlfjrxdqkswex.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brnbrifxgxydgjtkp.exe .1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\brnbrifxgxydgjtkp.exebrnbrifxgxydgjtkp.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\brnbrifxgxydgjtkp.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujergwsjrhhlnpyo.exe .1⤵
-
C:\Windows\ujergwsjrhhlnpyo.exeujergwsjrhhlnpyo.exe .2⤵
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\windows\ujergwsjrhhlnpyo.exe*."3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exeC:\Users\Admin\AppData\Local\Temp\kbynewunxprxbfqioq.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .1⤵
-
C:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exeC:\Users\Admin\AppData\Local\Temp\xrrjdyzvidiryftoxclff.exe .2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe"C:\Users\Admin\AppData\Local\Temp\yxurvgfaihe.exe" "c:\users\admin\appdata\local\temp\xrrjdyzvidiryftoxclff.exe*."3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Impair Defenses
2Disable or Modify Tools
1Safe Mode Boot
1Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
272B
MD540921433543ab02562a95da06dae939c
SHA10386f3a675d9fed7e5ed69ccf6f5e5e74b11daff
SHA256ce6acb7269f951611d21a1d94309feff71012e83753c117273735d084475005c
SHA512c2f422cf7ca9be96c11d1c0a4ec6354e7aedec6f8eb7a2ac3ea0e1b9ef754b956bbc259b952d089a9725fe2fad68e4418af9ca5c8e1d348dcdc3d1cb76139598
-
Filesize
272B
MD52432cab69d89e03eec3978820c6cb121
SHA15c0d9ad6a957ad0a20b80dab886267614d6ed332
SHA2566ae314b30a5d346051d6b66f9e1420cab80be749082b942b35df71d88a089c2f
SHA51275afe2cc8296d38ec7b6c55b88be535837cc5a3324974d777c1701f8db56b1b79ce85fa44a56ffb3c9a3b75be553e1db7e2fbc5820f13116ac3dadfe4d7aeeea
-
Filesize
272B
MD58bc323e21ea140200a06b5013e817e72
SHA15e65232e5004f43ef99a828bd52a4d15110268d5
SHA2565ba61e250f5c48492ae1a6ea312a20bc78168a0a5775a6cfaf0e51cc8b4a78b5
SHA512f229e1e87b60c6174223c8c471a1a14960cd853e9855a544e2680ecb108462306739fb9355dc3325bd10034566345a9d5b450f771251d86282d1ef0772875e38
-
Filesize
272B
MD5ed763fe962884539f97eb0ed4d2507c8
SHA128a6744cefa593f31e1772031edafbeb4a15ca05
SHA256cf04b9de410a1e214044ed4df7253140ee8288858b48f0bbdf04a32603c4ba73
SHA51236451ed172eb00213d7827283e04468d4f8d1398a5080d3e381234141a4cc87011a273c414f9662a00d842ffbbedb5e5b73ab33a3b5870f39800bc1910907a7c
-
Filesize
272B
MD58ed7bab091d6be066d3c67b79092b262
SHA149c0cffa51098d0f17c41d3e46aa5c701c3029a7
SHA2566d47b340abf3eeac0f75395b5233459168effd60318fe995b1ea355f6b4171d4
SHA512c34393ecc0de12e7dd1254793cb087eb9b2d96c6a3537dfd9473603c15d8b14e9ba7ae38d44beb8ce16c87f49bca05df4e7cf9fb50a37350a5d9f9b4de834637
-
Filesize
272B
MD5c8b8fd08006412d58b9d4b3d8eb430f3
SHA1f83e483c2c26a626003abf8cc28770ee1538f020
SHA25693d3aeee015b04b5d8dbc8327b350237d894ade5d51c2bcda7b6867ba87b74d2
SHA512e1c3cb50591690e3bd0747ea01ba28e1cd791a0925cd46025f1c91f04917c504d60c57444359564f06d6fb17bc83122df91fce838f815793d270a60383054a8e
-
Filesize
272B
MD50b45f28dba258ecd8005da2b05f7fc7b
SHA1174ccead30dde559d8f5c18b378136e7713343e3
SHA25633354d9cf5fe31eda2d178a9f41ff9f821360b7a9466ebee7dc8deb84583586a
SHA5126557a86a5b8fec9cba699798ad0cdb2e590f000bfc80440324c2e0dfcb9b5b95b3d771ebf91dd38aa56a8d5c2ac55c35d422be4defb9b54eb78e8096f74abd0f
-
Filesize
272B
MD5882096a0439191e97a5bcdc49ba372d7
SHA191b0f0cd589d749ea8e613f58204b2043b1d5dc6
SHA2565b992aee26e6519739004a53c763be7a05570651646b9887e2eb6b49b74cba8e
SHA5126ea887518f9e1d8766d8ed213b6766fc44b31e10eb2f232c18069407010de4ab2e390354f8943a2a9c543f8f63d06352005b52395a63b5809ddda650cd992a3f
-
Filesize
272B
MD5b27c1aa0f9a386d13f9bcd05d37397a6
SHA1009985ecafd883936e09e8181ea6f75b4cc37258
SHA2569cdfd186b63fa672b22ce2cc9983064364ec1d18b453fb6ed77f37f7f2e6ab40
SHA5120bbbf0389366dca489c81c753dd5e124dd2b0958429521deabf4ab7f3ede02d4351d2cc67d594f8f89caadba5ff9112d6bc51b112377e94ae0be4f22c0aba1d8
-
Filesize
272B
MD511c21c16444debe353f1635eb2744764
SHA1ff676b5df85027eae2c931b0c6a10dc5821c80cf
SHA2566756663727f095ed8c9ab6eb10b268b6ed9f9c17ded68f5544d5aada3d456eb4
SHA5123b7b8ff3c16e734598054ed365fc16fa1add4b24956c8d7b05b34708814c16d2f51a58d72c8a137ea713a54412b4db1615246c81b3f44c96a868d81b6fc64488
-
Filesize
272B
MD555469f5f186fa449c5733f3a98401060
SHA1d187be2cb560b6f56309405762c84e4a05dd28b8
SHA2568b45441c047709cd087fae68e18f8064a10c1e9a81533f29ce5606bb62a6784f
SHA5122aaea3e94393be42e695f928015f9585a0c944078e2e1eb48c9d7f6cb4926fd0aeb208997bf63bbed4f7791be14695c1d34d416c944c0a4befa08d4ad538b876
-
Filesize
272B
MD503b1074f0f715d99175f640f502467fb
SHA1a53a73f5900c9cb6f94608627df7ef0adeacd39d
SHA2561df961c3eb9e3e6e3709a69876ca2ae83796714e4ac3a70b4475f3bbce68ff17
SHA512727ff579251d2a2626cdf57b42f82f0b371e1c50608d9fac9d742340c5e8a25946a84c91dddf6e936a398b7b95062f55b040ba1b67fcbf0cb5fbae221a175ca7
-
Filesize
708KB
MD5d586d6053ed07fa0d52fe2d73cad7729
SHA1b2d7d54d1128e19e191ac7c469316f8a575d56c1
SHA256a1327d77ca71e222eeec40482e47b7a26e797eb63078f2a3ba710e115f7d6ba1
SHA5127e0195d608c464246513ae7123be3ae127b314c7d0aee776d2afb3950a156e11510b95e1be8f6e3c6770e5dc52144cbb664f63bcaf172a3fcfc90975c25aeb0e
-
Filesize
320KB
MD5eb09c682903ecbd87f30b0366e008d8f
SHA159b0dc27c06ce536327490439a37751a3dbd5e38
SHA256c4b122f7bab30363b472a3dffb8a7c61604c0ec4719ebd233ccbac8be0951be1
SHA51283236c0955b81375666c10445d2cf5e4723b24e42e4ee5fb951f53945483be2fff5c8ef167f08cfad3accc162c61e750bb1039edbf09e26afe18cba2f994eb5d
-
Filesize
3KB
MD5f2f706d13de686b0ebc34394e9866479
SHA10a516a5536982527db3e56ec9173e1cc25dfcef5
SHA256397c3aae7f7143faf131e87c9349f89a91fc7a959a7635f6525197df311fc4d0
SHA5128fe149a4b6c6c6db9d44b7f2b21584cf9b76bad924c2e7ff087ca700062c756548316aa1810ef50f136582ff4e2f2560d44cd87426fda891f7bb2e68fe1bd6d9
-
Filesize
272B
MD51a57184f8dfb24f423f9e43fe9cbb178
SHA1109779b4f49f92f51646460be254dedc79b4630d
SHA2563b888f32d0fcf30be80febb2822ff5cd02fdbd63750dfd047c8370eb06856901
SHA51263aa9a7fa3388b50324d7d5975c02ddcbbc1a1ad8ffeb2745aa09c8458e1e9f2af5f703817a00ae2247f31628b1edadbbee2c364db75481f7b719e949a7665d0
-
Filesize
500KB
MD58b1e36f6581f2277b0f8af5c27afea2a
SHA1e63bbfb02b21834db1890dec85669cdc93cc3978
SHA2569f1ca7fd043142e1a40113229b8764d993123647a3ea9ada7ca338f67325020e
SHA512919d39e4d25266a674c0f47de00af65a07159fe082f0d9bd9976f7b2f6f49a6a6603c47dd0a6ac89512b19a73cb579cc5b593272dd219607834b5df4fd5db2e4