Analysis
max time kernel: 51s
max time network: 153s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 15/04/2025, 11:57
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
  Resource: win10v2004-20250410-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
  Resource: win11-20250410-en
General
Target: JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
Size: 1016KB
MD5: b9c1a84350d1c4881dd1eac4ffb453b0
SHA1: e2c094bbe105e9ced9c996c140f4fb1ae5f48585
SHA256: 19bfc62f4162a8399e6c22f14721710d96007e027aaa8154e3d80bb725c360e4
SHA512: 4122450a3b2fb3698229b12cac896378eee63798ca6c928addfd1a5fdd4af87001c55b19a3072e643bc8586a596f4af6f1b1920c15aa63404212636329da192c
SSDEEP: 6144:KIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU:KIXsgtvm1De5YlOx6lzBH46U
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 25 IoCs
Pykspa family
UAC bypass 3 TTPs 34 IoCs
Detect Pykspa worm 2 IoCs
resource | yara_rule
behavioral2/files/0x000700000002a1d4-4.dat | family_pykspa
behavioral2/files/0x001900000002b26f-83.dat | family_pykspa
Adds policy Run key to start application 2 TTPs 64 IoCs
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zbmsads.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zbmsads.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zbmsads.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | sxrmhekochb.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zbmsads.exe
Executes dropped EXE 64 IoCs
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | zbmsads.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | zbmsads.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | zbmsads.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | zbmsads.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | zbmsads.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | zbmsads.exe
Adds Run key to start application 2 TTPs 64 IoCs
Checks whether UAC is enabled 1 TTPs 50 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zbmsads.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | zbmsads.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | zbmsads.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zbmsads.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | zbmsads.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | zbmsads.exe
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | www.showmyipaddress.com
1 | www.whatismyip.ca
1 | whatismyip.everdot.org
1 | whatismyipaddress.com
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | zbmsads.exe
File created | C:\autorun.inf | zbmsads.exe
File opened for modification | F:\autorun.inf | zbmsads.exe
File created | F:\autorun.inf | zbmsads.exe
-
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\sjjebtxmifdtyeksjyyppk.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\frmcuhgqhzsddefiu.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe | zbmsads.exe
File opened for modification | C:\Windows\SysWOW64\obxohvvgyrlxyacgte.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\mbzsndfsmhdruycixkix.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\frmcuhgqhzsddefiu.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\frmcuhgqhzsddefiu.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\mbzsndfsmhdruycixkix.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\sjjebtxmifdtyeksjyyppk.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\frmcuhgqhzsddefiu.exe | zbmsads.exe
File opened for modification | C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\sjjebtxmifdtyeksjyyppk.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\znkcwlmyrlgtvybgugd.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\obxohvvgyrlxyacgte.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\brqkgxaojfcrvafmcqpfe.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\znkcwlmyrlgtvybgugd.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\znkcwlmyrlgtvybgugd.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\sjjebtxmifdtyeksjyyppk.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\brqkgxaojfcrvafmcqpfe.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\znkcwlmyrlgtvybgugd.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe | zbmsads.exe
File opened for modification | C:\Windows\SysWOW64\sjjebtxmifdtyeksjyyppk.exe | zbmsads.exe
File opened for modification | C:\Windows\SysWOW64\mbzsndfsmhdruycixkix.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\brqkgxaojfcrvafmcqpfe.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\obxohvvgyrlxyacgte.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\mbzsndfsmhdruycixkix.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\brqkgxaojfcrvafmcqpfe.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\mbzsndfsmhdruycixkix.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\obxohvvgyrlxyacgte.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\mbzsndfsmhdruycixkix.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\brqkgxaojfcrvafmcqpfe.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\brqkgxaojfcrvafmcqpfe.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\znkcwlmyrlgtvybgugd.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\obxohvvgyrlxyacgte.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\sjjebtxmifdtyeksjyyppk.exe | zbmsads.exe
File opened for modification | C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\sjjebtxmifdtyeksjyyppk.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\znkcwlmyrlgtvybgugd.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\znkcwlmyrlgtvybgugd.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\sjjebtxmifdtyeksjyyppk.exe | sxrmhekochb.exe
File created | C:\Windows\SysWOW64\qzretdzgujzhecaajqirjwlvrymbrzwussbi.jbo | zbmsads.exe
File opened for modification | C:\Windows\SysWOW64\brqkgxaojfcrvafmcqpfe.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\sjjebtxmifdtyeksjyyppk.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\obxohvvgyrlxyacgte.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\znkcwlmyrlgtvybgugd.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\znkcwlmyrlgtvybgugd.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\obxohvvgyrlxyacgte.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\znkcwlmyrlgtvybgugd.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\obxohvvgyrlxyacgte.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\frmcuhgqhzsddefiu.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\frmcuhgqhzsddefiu.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\SysWOW64\znkcwlmyrlgtvybgugd.exe | sxrmhekochb.exe
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\ljqswvgcfjolxkxmkgnlsuyxi.hlq | zbmsads.exe
File opened for modification | C:\Program Files (x86)\qzretdzgujzhecaajqirjwlvrymbrzwussbi.jbo | zbmsads.exe
File created | C:\Program Files (x86)\qzretdzgujzhecaajqirjwlvrymbrzwussbi.jbo | zbmsads.exe
File opened for modification | C:\Program Files (x86)\ljqswvgcfjolxkxmkgnlsuyxi.hlq | zbmsads.exe
-
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\frmcuhgqhzsddefiu.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\znkcwlmyrlgtvybgugd.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\frmcuhgqhzsddefiu.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\brqkgxaojfcrvafmcqpfe.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\znkcwlmyrlgtvybgugd.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\frmcuhgqhzsddefiu.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\mbzsndfsmhdruycixkix.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\sjjebtxmifdtyeksjyyppk.exe | zbmsads.exe
File opened for modification | C:\Windows\ljqswvgcfjolxkxmkgnlsuyxi.hlq | zbmsads.exe
File opened for modification | C:\Windows\mbzsndfsmhdruycixkix.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\brqkgxaojfcrvafmcqpfe.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\frmcuhgqhzsddefiu.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\sjjebtxmifdtyeksjyyppk.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\sjjebtxmifdtyeksjyyppk.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\mbzsndfsmhdruycixkix.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\brqkgxaojfcrvafmcqpfe.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\znkcwlmyrlgtvybgugd.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\sjjebtxmifdtyeksjyyppk.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\znkcwlmyrlgtvybgugd.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\znkcwlmyrlgtvybgugd.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\qzretdzgujzhecaajqirjwlvrymbrzwussbi.jbo | zbmsads.exe
File opened for modification | C:\Windows\znkcwlmyrlgtvybgugd.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\mbzsndfsmhdruycixkix.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\brqkgxaojfcrvafmcqpfe.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\frmcuhgqhzsddefiu.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\brqkgxaojfcrvafmcqpfe.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\mbzsndfsmhdruycixkix.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\sjjebtxmifdtyeksjyyppk.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\sjjebtxmifdtyeksjyyppk.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\brqkgxaojfcrvafmcqpfe.exe | sxrmhekochb.exe
File created | C:\Windows\qzretdzgujzhecaajqirjwlvrymbrzwussbi.jbo | zbmsads.exe
File opened for modification | C:\Windows\frmcuhgqhzsddefiu.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\obxohvvgyrlxyacgte.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\sjjebtxmifdtyeksjyyppk.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\mbzsndfsmhdruycixkix.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\brqkgxaojfcrvafmcqpfe.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\frmcuhgqhzsddefiu.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\sjjebtxmifdtyeksjyyppk.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\sjjebtxmifdtyeksjyyppk.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\obxohvvgyrlxyacgte.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\mbzsndfsmhdruycixkix.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\obxohvvgyrlxyacgte.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\mbzsndfsmhdruycixkix.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\mbzsndfsmhdruycixkix.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\frmcuhgqhzsddefiu.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\znkcwlmyrlgtvybgugd.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\sjjebtxmifdtyeksjyyppk.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\brqkgxaojfcrvafmcqpfe.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\frmcuhgqhzsddefiu.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\znkcwlmyrlgtvybgugd.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\mbzsndfsmhdruycixkix.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\znkcwlmyrlgtvybgugd.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\frmcuhgqhzsddefiu.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\frmcuhgqhzsddefiu.exe | sxrmhekochb.exe
File opened for modification | C:\Windows\yjdsjvtcsjblkkkm.exe | sxrmhekochb.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | obxohvvgyrlxyacgte.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | frmcuhgqhzsddefiu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mbzsndfsmhdruycixkix.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | obxohvvgyrlxyacgte.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | brqkgxaojfcrvafmcqpfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | znkcwlmyrlgtvybgugd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | brqkgxaojfcrvafmcqpfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | znkcwlmyrlgtvybgugd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | frmcuhgqhzsddefiu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yjdsjvtcsjblkkkm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mbzsndfsmhdruycixkix.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | znkcwlmyrlgtvybgugd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | obxohvvgyrlxyacgte.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | obxohvvgyrlxyacgte.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | frmcuhgqhzsddefiu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mbzsndfsmhdruycixkix.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yjdsjvtcsjblkkkm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | znkcwlmyrlgtvybgugd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yjdsjvtcsjblkkkm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | frmcuhgqhzsddefiu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | znkcwlmyrlgtvybgugd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | znkcwlmyrlgtvybgugd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | brqkgxaojfcrvafmcqpfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yjdsjvtcsjblkkkm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | brqkgxaojfcrvafmcqpfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mbzsndfsmhdruycixkix.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | znkcwlmyrlgtvybgugd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yjdsjvtcsjblkkkm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yjdsjvtcsjblkkkm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | frmcuhgqhzsddefiu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | brqkgxaojfcrvafmcqpfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | brqkgxaojfcrvafmcqpfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | obxohvvgyrlxyacgte.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | frmcuhgqhzsddefiu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | brqkgxaojfcrvafmcqpfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mbzsndfsmhdruycixkix.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yjdsjvtcsjblkkkm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | obxohvvgyrlxyacgte.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | brqkgxaojfcrvafmcqpfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | obxohvvgyrlxyacgte.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | brqkgxaojfcrvafmcqpfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yjdsjvtcsjblkkkm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yjdsjvtcsjblkkkm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | obxohvvgyrlxyacgte.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | brqkgxaojfcrvafmcqpfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | znkcwlmyrlgtvybgugd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | obxohvvgyrlxyacgte.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mbzsndfsmhdruycixkix.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yjdsjvtcsjblkkkm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | obxohvvgyrlxyacgte.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | frmcuhgqhzsddefiu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yjdsjvtcsjblkkkm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | obxohvvgyrlxyacgte.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | frmcuhgqhzsddefiu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mbzsndfsmhdruycixkix.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | brqkgxaojfcrvafmcqpfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | obxohvvgyrlxyacgte.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | brqkgxaojfcrvafmcqpfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yjdsjvtcsjblkkkm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | znkcwlmyrlgtvybgugd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | znkcwlmyrlgtvybgugd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | frmcuhgqhzsddefiu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | frmcuhgqhzsddefiu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | frmcuhgqhzsddefiu.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
868 | zbmsads.exe
868 | zbmsads.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
868 | zbmsads.exe
868 | zbmsads.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 868 | zbmsads.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 6104 wrote to memory of 2608 | 6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe | 231
PID 6104 wrote to memory of 2608 | 6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe | 231
PID 6104 wrote to memory of 2608 | 6104 | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe | 231
PID 488 wrote to memory of 4932 | 488 | cmd.exe | 276
PID 488 wrote to memory of 4932 | 488 | cmd.exe | 276
PID 488 wrote to memory of 4932 | 488 | cmd.exe | 276
PID 1828 wrote to memory of 4856 | 1828 | cmd.exe | 275
PID 1828 wrote to memory of 4856 | 1828 | cmd.exe | 275
PID 1828 wrote to memory of 4856 | 1828 | cmd.exe | 275
PID 4856 wrote to memory of 4372 | 4856 | brqkgxaojfcrvafmcqpfe.exe | 86
PID 4856 wrote to memory of 4372 | 4856 | brqkgxaojfcrvafmcqpfe.exe | 86
PID 4856 wrote to memory of 4372 | 4856 | brqkgxaojfcrvafmcqpfe.exe | 86
PID 4420 wrote to memory of 412 | 4420 | cmd.exe | 284
PID 4420 wrote to memory of 412 | 4420 | cmd.exe | 284
PID 4420 wrote to memory of 412 | 4420 | cmd.exe | 284
PID 4328 wrote to memory of 5372 | 4328 | cmd.exe | 297
PID 4328 wrote to memory of 5372 | 4328 | cmd.exe | 297
PID 4328 wrote to memory of 5372 | 4328 | cmd.exe | 297
PID 5136 wrote to memory of 4636 | 5136 | cmd.exe | 183
PID 5136 wrote to memory of 4636 | 5136 | cmd.exe | 183
PID 5136 wrote to memory of 4636 | 5136 | cmd.exe | 183
PID 5372 wrote to memory of 4916 | 5372 | mbzsndfsmhdruycixkix.exe | 98
PID 5372 wrote to memory of 4916 | 5372 | mbzsndfsmhdruycixkix.exe | 98
PID 5372 wrote to memory of 4916 | 5372 | mbzsndfsmhdruycixkix.exe | 98
PID 2724 wrote to memory of 3592 | 2724 | cmd.exe | 99
PID 2724 wrote to memory of 3592 | 2724 | cmd.exe | 99
PID 2724 wrote to memory of 3592 | 2724 | cmd.exe | 99
PID 3592 wrote to memory of 1112 | 3592 | znkcwlmyrlgtvybgugd.exe | 192
PID 3592 wrote to memory of 1112 | 3592 | znkcwlmyrlgtvybgugd.exe | 192
PID 3592 wrote to memory of 1112 | 3592 | znkcwlmyrlgtvybgugd.exe | 192
PID 5100 wrote to memory of 5756 | 5100 | cmd.exe | 103
PID 5100 wrote to memory of 5756 | 5100 | cmd.exe | 103
PID 5100 wrote to memory of 5756 | 5100 | cmd.exe | 103
PID 5156 wrote to memory of 4908 | 5156 | cmd.exe | 106
PID 5156 wrote to memory of 4908 | 5156 | cmd.exe | 106
PID 5156 wrote to memory of 4908 | 5156 | cmd.exe | 106
PID 4908 wrote to memory of 2796 | 4908 | mbzsndfsmhdruycixkix.exe | 107
PID 4908 wrote to memory of 2796 | 4908 | mbzsndfsmhdruycixkix.exe | 107
PID 4908 wrote to memory of 2796 | 4908 | mbzsndfsmhdruycixkix.exe | 107
PID 2608 wrote to memory of 868 | 2608 | sxrmhekochb.exe | 108
PID 2608 wrote to memory of 868 | 2608 | sxrmhekochb.exe | 108
PID 2608 wrote to memory of 868 | 2608 | sxrmhekochb.exe | 108
PID 2608 wrote to memory of 4700 | 2608 | sxrmhekochb.exe | 109
PID 2608 wrote to memory of 4700 | 2608 | sxrmhekochb.exe | 109
PID 2608 wrote to memory of 4700 | 2608 | sxrmhekochb.exe | 109
PID 1792 wrote to memory of 4500 | 1792 | cmd.exe | 112
PID 1792 wrote to memory of 4500 | 1792 | cmd.exe | 112
PID 1792 wrote to memory of 4500 | 1792 | cmd.exe | 112
PID 2200 wrote to memory of 3588 | 2200 | cmd.exe | 213
PID 2200 wrote to memory of 3588 | 2200 | cmd.exe | 213
PID 2200 wrote to memory of 3588 | 2200 | cmd.exe | 213
PID 3888 wrote to memory of 5688 | 3888 | cmd.exe | 219
PID 3888 wrote to memory of 5688 | 3888 | cmd.exe | 219
PID 3888 wrote to memory of 5688 | 3888 | cmd.exe | 219
PID 2732 wrote to memory of 3316 | 2732 | cmd.exe | 121
PID 2732 wrote to memory of 3316 | 2732 | cmd.exe | 121
PID 2732 wrote to memory of 3316 | 2732 | cmd.exe | 121
PID 5688 wrote to memory of 1496 | 5688 | obxohvvgyrlxyacgte.exe | 124
PID 5688 wrote to memory of 1496 | 5688 | obxohvvgyrlxyacgte.exe | 124
PID 5688 wrote to memory of 1496 | 5688 | obxohvvgyrlxyacgte.exe | 124
PID 3316 wrote to memory of 3172 | 3316 | brqkgxaojfcrvafmcqpfe.exe | 129
PID 3316 wrote to memory of 3172 | 3316 | brqkgxaojfcrvafmcqpfe.exe | 129
PID 3316 wrote to memory of 3172 | 3316 | brqkgxaojfcrvafmcqpfe.exe | 129
PID 1936 wrote to memory of 3096 | 1936 | cmd.exe | 133
-
System policy modification 1 TTPs 64 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zbmsads.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | zbmsads.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | zbmsads.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | zbmsads.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | zbmsads.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | zbmsads.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | zbmsads.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zbmsads.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | zbmsads.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zbmsads.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | zbmsads.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | zbmsads.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | zbmsads.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | zbmsads.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | zbmsads.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | zbmsads.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | zbmsads.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sxrmhekochb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sxrmhekochb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zbmsads.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:6104 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2608 -
C:\Users\Admin\AppData\Local\Temp\zbmsads.exe"C:\Users\Admin\AppData\Local\Temp\zbmsads.exe" "-C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:868
-
-
C:\Users\Admin\AppData\Local\Temp\zbmsads.exe"C:\Users\Admin\AppData\Local\Temp\zbmsads.exe" "-C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe1⤵
- Suspicious use of WriteProcessMemory
PID:488 -
C:\Windows\brqkgxaojfcrvafmcqpfe.exebrqkgxaojfcrvafmcqpfe.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\brqkgxaojfcrvafmcqpfe.exebrqkgxaojfcrvafmcqpfe.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."3⤵
- Executes dropped EXE
PID:4372
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\brqkgxaojfcrvafmcqpfe.exebrqkgxaojfcrvafmcqpfe.exe2⤵
- Executes dropped EXE
PID:412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\mbzsndfsmhdruycixkix.exembzsndfsmhdruycixkix.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5372 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*."3⤵
- Executes dropped EXE
PID:4916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5136 -
C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exeC:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe2⤵
- Executes dropped EXE
PID:4636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exeC:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."3⤵
- Executes dropped EXE
PID:1112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exeC:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe2⤵
- Executes dropped EXE
PID:5756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5156 -
C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exeC:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*."3⤵
- Executes dropped EXE
PID:2796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe1⤵
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\obxohvvgyrlxyacgte.exeobxohvvgyrlxyacgte.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\yjdsjvtcsjblkkkm.exeyjdsjvtcsjblkkkm.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\obxohvvgyrlxyacgte.exeobxohvvgyrlxyacgte.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5688 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*."3⤵
- Executes dropped EXE
PID:1496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\brqkgxaojfcrvafmcqpfe.exebrqkgxaojfcrvafmcqpfe.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."3⤵
- Executes dropped EXE
PID:3172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe1⤵
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\brqkgxaojfcrvafmcqpfe.exebrqkgxaojfcrvafmcqpfe.exe2⤵
- Executes dropped EXE
PID:3096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe1⤵PID:5388
-
C:\Windows\yjdsjvtcsjblkkkm.exeyjdsjvtcsjblkkkm.exe2⤵
- Executes dropped EXE
PID:3908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .1⤵PID:3136
-
C:\Windows\frmcuhgqhzsddefiu.exefrmcuhgqhzsddefiu.exe .2⤵
- Executes dropped EXE
PID:2760 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .1⤵PID:2708
-
C:\Windows\frmcuhgqhzsddefiu.exefrmcuhgqhzsddefiu.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4976 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."3⤵
- Executes dropped EXE
PID:248
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe1⤵PID:2188
-
C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exeC:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe2⤵
- Executes dropped EXE
PID:3160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe1⤵PID:960
-
C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exeC:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe2⤵
- Executes dropped EXE
PID:3408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .1⤵PID:876
-
C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exeC:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2068 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."3⤵
- Executes dropped EXE
PID:2936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .1⤵PID:464
-
C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exeC:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .2⤵
- Executes dropped EXE
PID:2484 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."3⤵
- Executes dropped EXE
PID:4556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe1⤵PID:1384
-
C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exeC:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe2⤵
- Executes dropped EXE
PID:3360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe1⤵PID:2800
-
C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exeC:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe2⤵
- Executes dropped EXE
PID:2556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .1⤵PID:804
-
C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exeC:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2540 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."3⤵
- Executes dropped EXE
PID:3504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .1⤵PID:5532
-
C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exeC:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .2⤵
- Executes dropped EXE
PID:1168 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."3⤵
- Executes dropped EXE
PID:3780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe1⤵PID:4196
-
C:\Windows\obxohvvgyrlxyacgte.exeobxohvvgyrlxyacgte.exe2⤵
- Executes dropped EXE
PID:1640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .1⤵PID:6000
-
C:\Windows\frmcuhgqhzsddefiu.exefrmcuhgqhzsddefiu.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3076 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."3⤵
- Executes dropped EXE
PID:1828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe1⤵PID:1980
-
C:\Windows\mbzsndfsmhdruycixkix.exembzsndfsmhdruycixkix.exe2⤵
- Executes dropped EXE
PID:4988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe .1⤵PID:2836
-
C:\Windows\yjdsjvtcsjblkkkm.exeyjdsjvtcsjblkkkm.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:964 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*."3⤵
- Executes dropped EXE
PID:5188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe1⤵PID:6048
-
C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exeC:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe2⤵
- Executes dropped EXE
PID:4636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .1⤵PID:4620
-
C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exeC:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5040 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*."3⤵
- Executes dropped EXE
PID:5184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe1⤵PID:1076
-
C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exeC:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe2⤵
- Executes dropped EXE
PID:5136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .1⤵PID:6020
-
C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exeC:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1112 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe1⤵PID:4888
-
C:\Windows\brqkgxaojfcrvafmcqpfe.exebrqkgxaojfcrvafmcqpfe.exe2⤵
- Executes dropped EXE
PID:4136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe .1⤵PID:484
-
C:\Windows\mbzsndfsmhdruycixkix.exembzsndfsmhdruycixkix.exe .2⤵
- Executes dropped EXE
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*."3⤵
- Executes dropped EXE
PID:5636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe1⤵PID:3924
-
C:\Windows\znkcwlmyrlgtvybgugd.exeznkcwlmyrlgtvybgugd.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3380
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe1⤵PID:5844
-
C:\Windows\obxohvvgyrlxyacgte.exeobxohvvgyrlxyacgte.exe2⤵
- Executes dropped EXE
PID:4248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .1⤵PID:2612
-
C:\Windows\brqkgxaojfcrvafmcqpfe.exebrqkgxaojfcrvafmcqpfe.exe .2⤵
- Executes dropped EXE
PID:2964 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."3⤵
- Executes dropped EXE
PID:1536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe1⤵PID:5340
-
C:\Windows\brqkgxaojfcrvafmcqpfe.exebrqkgxaojfcrvafmcqpfe.exe2⤵
- Executes dropped EXE
PID:920
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe1⤵PID:2400
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3588
-
-
C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exeC:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe2⤵
- Executes dropped EXE
PID:2296
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe .1⤵PID:2008
-
C:\Windows\mbzsndfsmhdruycixkix.exembzsndfsmhdruycixkix.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5020 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*."3⤵
- Executes dropped EXE
PID:4212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .1⤵PID:5488
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5688
-
-
C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exeC:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .2⤵
- Executes dropped EXE
PID:104 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*."3⤵PID:5616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe .1⤵PID:2384
-
C:\Windows\znkcwlmyrlgtvybgugd.exeznkcwlmyrlgtvybgugd.exe .2⤵
- Executes dropped EXE
PID:5912 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe1⤵PID:1044
-
C:\Windows\brqkgxaojfcrvafmcqpfe.exebrqkgxaojfcrvafmcqpfe.exe2⤵PID:3212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe1⤵PID:5632
-
C:\Windows\frmcuhgqhzsddefiu.exefrmcuhgqhzsddefiu.exe2⤵PID:4076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe1⤵PID:2608
-
C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exeC:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe2⤵PID:1500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe .1⤵PID:3600
-
C:\Windows\znkcwlmyrlgtvybgugd.exeznkcwlmyrlgtvybgugd.exe .2⤵PID:5204
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*."3⤵PID:4556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe .1⤵PID:4460
-
C:\Windows\obxohvvgyrlxyacgte.exeobxohvvgyrlxyacgte.exe .2⤵PID:688
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*."3⤵PID:5904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe1⤵PID:1344
-
C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exeC:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe2⤵PID:4624
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .1⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exeC:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .2⤵
- System Location Discovery: System Language Discovery
PID:768 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."3⤵PID:3328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe1⤵PID:2848
-
C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exeC:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe2⤵PID:6116
-
-
1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe . | PID:2184
  2⤵ C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe . | PID:4884
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*." | PID:2268

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe . | PID:2480
  2⤵ C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe . | PID:3692
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\frmcuhgqhzsddefiu.exe*." | PID:4708

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID:6060
  2⤵ C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID:4856

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID:244
  2⤵ C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID:4932
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*." | PID:3384

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID:4304
  2⤵ C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID:1556

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe . | PID:1400
  2⤵ C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe . | PID:4940
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*." | PID:412

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe | PID:4052
  2⤵ C:\Windows\frmcuhgqhzsddefiu.exe | frmcuhgqhzsddefiu.exe | PID:1544

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe . | PID:4616
  2⤵ C:\Windows\obxohvvgyrlxyacgte.exe | obxohvvgyrlxyacgte.exe . | PID:1060
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*." | PID:4864

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe | PID:5060
  2⤵ C:\Windows\yjdsjvtcsjblkkkm.exe | yjdsjvtcsjblkkkm.exe | PID:4396

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe . | PID:6112
  2⤵ C:\Windows\frmcuhgqhzsddefiu.exe | frmcuhgqhzsddefiu.exe . | PID:4272
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*." | PID:5384
1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID:4772
  2⤵ C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID:4964
    - System Location Discovery: System Language Discovery

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe . | PID:3312
  2⤵ C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe . | PID:2220
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*." | PID:5372

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | PID:5256
  2⤵ C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | PID:5960

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe . | PID:6124
  2⤵ C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe | C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe . | PID:5100
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*." | PID:4056
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe | PID:1932
  2⤵ C:\Windows\obxohvvgyrlxyacgte.exe | obxohvvgyrlxyacgte.exe | PID:5064

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe . | PID:5484
  2⤵ C:\Windows\frmcuhgqhzsddefiu.exe | frmcuhgqhzsddefiu.exe . | PID:752
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*." | PID:4176

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe | PID:4456
  2⤵ C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe | PID:3284

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe . | PID:5664
  2⤵ C:\Windows\znkcwlmyrlgtvybgugd.exe | znkcwlmyrlgtvybgugd.exe . | PID:1912
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*." | PID:1660

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID:2296
  2⤵ C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID:3932

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe . | PID:2544
  2⤵ C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe . | PID:6036
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\frmcuhgqhzsddefiu.exe*." | PID:4880

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID:3788
  2⤵ C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID:864

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe . | PID:644
  2⤵ C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe . | PID:1864
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*." | PID:2008
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe | PID:2604
  2⤵ C:\Windows\frmcuhgqhzsddefiu.exe | frmcuhgqhzsddefiu.exe | PID:3484

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe . | PID:3048
  2⤵ C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe . | PID:1632
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*." | PID:5300

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe | PID:5316
  2⤵ C:\Windows\znkcwlmyrlgtvybgugd.exe | znkcwlmyrlgtvybgugd.exe | PID:1892

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe . | PID:5852
  2⤵ C:\Windows\yjdsjvtcsjblkkkm.exe | yjdsjvtcsjblkkkm.exe . | PID:5204
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*." | PID:1680
1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe | PID:908
  2⤵ C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe | C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe | PID:5656

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID:1344
  2⤵ C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID:2080
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*." | PID:3500

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | PID:5304
  2⤵ C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | PID:3016

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe . | PID:3504
  2⤵ C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe . | PID:768
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*." | PID:2216
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe | PID:4460
  2⤵ C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe | PID:4260

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe . | PID:3424
  2⤵ C:\Windows\obxohvvgyrlxyacgte.exe | obxohvvgyrlxyacgte.exe . | PID:5440
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*." | PID:5508

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe | PID:6060
  2⤵ C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe | PID:5768

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe . | PID:4632
  2⤵ C:\Windows\yjdsjvtcsjblkkkm.exe | yjdsjvtcsjblkkkm.exe . | PID:4928
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*." | PID:6000

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | PID:412
  2⤵ C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | PID:4860

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe . | PID:3580
  2⤵ C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe . | PID:2280
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*." | PID:3204

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID:5392
  2⤵ C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID:1596

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe . | PID:4984
  2⤵ C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe . | PID:5060
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*." | PID:4272
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe | PID:4108
  2⤵ C:\Windows\brqkgxaojfcrvafmcqpfe.exe | brqkgxaojfcrvafmcqpfe.exe | PID:5372

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe . | PID:3728
  2⤵ C:\Windows\brqkgxaojfcrvafmcqpfe.exe | brqkgxaojfcrvafmcqpfe.exe . | PID:5192
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*." | PID:6004
1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe | PID:1076
  2⤵ C:\Windows\znkcwlmyrlgtvybgugd.exe | znkcwlmyrlgtvybgugd.exe | PID:5924

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe . | PID:5196
  2⤵ C:\Windows\obxohvvgyrlxyacgte.exe | obxohvvgyrlxyacgte.exe . | PID:5960
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*." | PID:4172

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | PID:5256
  2⤵ C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | PID:5812

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID:1148
  2⤵ C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID:4908
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*." | PID:5644

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID:5640
  2⤵ C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID:1048

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID:5648
  2⤵ C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID:6040
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*." | PID:6032
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe | PID:2272
  2⤵ C:\Windows\znkcwlmyrlgtvybgugd.exe | znkcwlmyrlgtvybgugd.exe | PID:3732

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe . | PID:8
  2⤵ C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe . | PID:1068
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*." | PID:1688

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe | PID:3008
  2⤵ C:\Windows\brqkgxaojfcrvafmcqpfe.exe | brqkgxaojfcrvafmcqpfe.exe | PID:2044

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe . | PID:5844
  2⤵ C:\Windows\frmcuhgqhzsddefiu.exe | frmcuhgqhzsddefiu.exe . | PID:2612
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*." | PID:5832

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | PID:2404
  2⤵ C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | PID:864

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe . | PID:4944
  2⤵ C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe | C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe . | PID:3272
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*." | PID:104

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID:2732
  2⤵ C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID:2288

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID:5488
  2⤵ C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID:3496
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*." | PID:3216
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe | PID:4264
  2⤵ C:\Windows\yjdsjvtcsjblkkkm.exe | yjdsjvtcsjblkkkm.exe | PID:4076

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe . | PID:3960
  2⤵ C:\Windows\znkcwlmyrlgtvybgugd.exe | znkcwlmyrlgtvybgugd.exe . | PID:900
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*." | PID:3184
1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe | PID:2040
  2⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3160
  2⤵ C:\Windows\yjdsjvtcsjblkkkm.exe | yjdsjvtcsjblkkkm.exe | PID:4324

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe . | PID:836
  2⤵ C:\Windows\obxohvvgyrlxyacgte.exe | obxohvvgyrlxyacgte.exe . | PID:248
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*." | PID:5868

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID:5056
  2⤵ C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID:1696

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID:4480
  2⤵ C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID:3780
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*." | PID:1740

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe | PID:2760
  2⤵ C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe | PID:3504

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe | PID:2060
  2⤵ C:\Windows\frmcuhgqhzsddefiu.exe | frmcuhgqhzsddefiu.exe | PID:3424

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe . | PID:4724
  2⤵ C:\Windows\znkcwlmyrlgtvybgugd.exe | znkcwlmyrlgtvybgugd.exe . | PID:5144
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*." | PID:4808
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID:5972
  2⤵ C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID:1544

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe . | PID:5440
  2⤵ C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe . | PID:2536
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\frmcuhgqhzsddefiu.exe*." | PID:1596

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe . | PID:4744
  2⤵ C:\Windows\znkcwlmyrlgtvybgugd.exe | znkcwlmyrlgtvybgugd.exe . | PID:2640
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*." | PID:5076

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe | PID:4052
  2⤵ C:\Windows\znkcwlmyrlgtvybgugd.exe | znkcwlmyrlgtvybgugd.exe | PID:4532

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe . | PID:1348
  2⤵ C:\Windows\obxohvvgyrlxyacgte.exe | obxohvvgyrlxyacgte.exe . | PID:224
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*." | PID:5168

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe | PID:488
  2⤵ C:\Windows\brqkgxaojfcrvafmcqpfe.exe | brqkgxaojfcrvafmcqpfe.exe | PID:5660

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe | PID:4864
  2⤵ C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe | C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe | PID:5388

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe . | PID:1640
  2⤵ C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe . | PID:5800
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\frmcuhgqhzsddefiu.exe*." | PID:5356

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe . | PID:5392
  2⤵ C:\Windows\obxohvvgyrlxyacgte.exe | obxohvvgyrlxyacgte.exe . | PID:3852
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*." | PID:5336
1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | PID:1716
  2⤵ C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | PID:1104

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe . | PID:5008
  2⤵ C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe . | PID:484
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*." | PID:5032

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | PID:5140
  2⤵ C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | PID:5712

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe | PID:4828
  2⤵ C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe | PID:5420

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe . | PID:5992
  2⤵ C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe . | PID:736
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\frmcuhgqhzsddefiu.exe*." | PID:864

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | PID:428
  2⤵ C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | PID:6080

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe . | PID:1112
  2⤵ C:\Windows\obxohvvgyrlxyacgte.exe | obxohvvgyrlxyacgte.exe . | PID:2272
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*." | PID:5292

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe . | PID:1148
  2⤵ C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe . | PID:2400
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*." | PID:424

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe | PID:3864
  2⤵ C:\Windows\obxohvvgyrlxyacgte.exe | obxohvvgyrlxyacgte.exe | PID:1220

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe . | PID:2876
  2⤵ C:\Windows\znkcwlmyrlgtvybgugd.exe | znkcwlmyrlgtvybgugd.exe . | PID:5592
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*." | PID:3212

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | PID:2912
  2⤵ C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | PID:3008

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe . | PID:4980
  2⤵ C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe . | PID:5608
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*." | PID:2156

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID:1868
  2⤵ C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID:5940

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe . | PID:4944
  2⤵ C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe . | PID:5424
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*." | PID:5676
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe | PID:5520
  2⤵ C:\Windows\brqkgxaojfcrvafmcqpfe.exe | brqkgxaojfcrvafmcqpfe.exe | PID:5272

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe . | PID:4024
  2⤵ C:\Windows\yjdsjvtcsjblkkkm.exe | yjdsjvtcsjblkkkm.exe . | PID:4076
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*." | PID:744

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe | PID:5228
  2⤵ C:\Windows\frmcuhgqhzsddefiu.exe | frmcuhgqhzsddefiu.exe | PID:3808

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe . | PID:3036
  2⤵ C:\Windows\znkcwlmyrlgtvybgugd.exe | znkcwlmyrlgtvybgugd.exe . | PID:2568
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*." | PID:2332
1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe | PID:1132
  2⤵ C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe | C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe | PID:5436

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID:1696
  2⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3500
  2⤵ C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID:248
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*." | PID:3868

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | PID:4452
  2⤵ C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | PID:5840

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID:240
  2⤵ C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID:4480
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*." | PID:5980
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe | PID:6140
  2⤵ C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe | PID:3288

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe . | PID:4104
  2⤵ C:\Windows\yjdsjvtcsjblkkkm.exe | yjdsjvtcsjblkkkm.exe . | PID:3180
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*." | PID:6112

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe | PID:2424
  2⤵ C:\Windows\frmcuhgqhzsddefiu.exe | frmcuhgqhzsddefiu.exe | PID:4788

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe . | PID:1524
  2⤵ C:\Windows\yjdsjvtcsjblkkkm.exe | yjdsjvtcsjblkkkm.exe . | PID:5076
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*." | PID:1976

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | PID:2516
  2⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:6000
  2⤵ C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | PID:5196

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe . | PID:3032
  2⤵ C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe . | PID:5444
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\frmcuhgqhzsddefiu.exe*." | PID:1316

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID:6080
  2⤵ C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID:4524

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe . | PID:2348
  2⤵ C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe . | PID:5060
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*." | PID:5924
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe | PID:5032
  2⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:484
  2⤵ C:\Windows\znkcwlmyrlgtvybgugd.exe | znkcwlmyrlgtvybgugd.exe | PID:6124

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe . | PID:3008
  2⤵ C:\Windows\frmcuhgqhzsddefiu.exe | frmcuhgqhzsddefiu.exe . | PID:4760
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*." | PID:5408

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe | PID:5008
  2⤵ C:\Windows\yjdsjvtcsjblkkkm.exe | yjdsjvtcsjblkkkm.exe | PID:4456

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe . | PID:440
  2⤵ C:\Windows\brqkgxaojfcrvafmcqpfe.exe | brqkgxaojfcrvafmcqpfe.exe . | PID:5684
    - System Location Discovery: System Language Discovery
    3⤵ C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*." | PID:5160

1⤵ C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | PID:2912
  2⤵ C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | PID:1452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .1⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exeC:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."3⤵PID:4512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe1⤵PID:5664
-
C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exeC:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe2⤵PID:2768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .1⤵PID:3192
-
C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exeC:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .2⤵PID:2812
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe1⤵PID:4560
-
C:\Windows\znkcwlmyrlgtvybgugd.exeznkcwlmyrlgtvybgugd.exe2⤵PID:4860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .1⤵PID:4052
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:412
-
-
C:\Windows\brqkgxaojfcrvafmcqpfe.exebrqkgxaojfcrvafmcqpfe.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1528 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."3⤵PID:1828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe1⤵PID:3580
-
C:\Windows\znkcwlmyrlgtvybgugd.exeznkcwlmyrlgtvybgugd.exe2⤵PID:5748
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .1⤵PID:3884
-
C:\Windows\frmcuhgqhzsddefiu.exefrmcuhgqhzsddefiu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3364 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."3⤵PID:4268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe1⤵PID:3496
-
C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exeC:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe2⤵PID:1032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .1⤵PID:5520
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5300
-
-
C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exeC:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .2⤵PID:2936
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*."3⤵PID:1632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe1⤵PID:3808
-
C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exeC:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe2⤵PID:5228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .1⤵PID:4316
-
C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exeC:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .2⤵PID:5632
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe1⤵PID:1780
-
C:\Windows\frmcuhgqhzsddefiu.exefrmcuhgqhzsddefiu.exe2⤵PID:2068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe .1⤵PID:1696
-
C:\Windows\znkcwlmyrlgtvybgugd.exeznkcwlmyrlgtvybgugd.exe .2⤵PID:5320
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*."3⤵PID:3780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe1⤵PID:5092
-
C:\Windows\mbzsndfsmhdruycixkix.exembzsndfsmhdruycixkix.exe2⤵PID:3900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe .1⤵PID:2392
-
C:\Windows\obxohvvgyrlxyacgte.exeobxohvvgyrlxyacgte.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3288 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*."3⤵PID:3384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe1⤵PID:964
-
C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exeC:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe2⤵PID:4876
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .1⤵PID:4104
-
C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exeC:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .2⤵PID:4864
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."3⤵PID:1168
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe1⤵PID:4916
-
C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exeC:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe2⤵PID:4788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .1⤵PID:5728
-
C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exeC:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .2⤵PID:6068
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe1⤵PID:5996
-
C:\Windows\yjdsjvtcsjblkkkm.exeyjdsjvtcsjblkkkm.exe2⤵PID:5724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe .1⤵PID:5988
-
C:\Windows\yjdsjvtcsjblkkkm.exeyjdsjvtcsjblkkkm.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1716 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*."3⤵PID:4524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe1⤵PID:4020
-
C:\Windows\znkcwlmyrlgtvybgugd.exeznkcwlmyrlgtvybgugd.exe2⤵PID:5980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .1⤵PID:5536
-
C:\Windows\frmcuhgqhzsddefiu.exefrmcuhgqhzsddefiu.exe .2⤵PID:2348
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."3⤵PID:796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe1⤵PID:4204
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4272
-
-
C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exeC:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe2⤵PID:428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .1⤵PID:1220
-
C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exeC:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4900 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\frmcuhgqhzsddefiu.exe*."3⤵PID:2272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe1⤵PID:960
-
C:\Windows\obxohvvgyrlxyacgte.exeobxohvvgyrlxyacgte.exe2⤵PID:1736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .1⤵PID:4656
-
C:\Windows\frmcuhgqhzsddefiu.exefrmcuhgqhzsddefiu.exe .2⤵PID:2964
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."3⤵PID:1148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe1⤵PID:2404
-
C:\Windows\frmcuhgqhzsddefiu.exefrmcuhgqhzsddefiu.exe2⤵PID:2096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe1⤵PID:5008
-
C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exeC:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe2⤵PID:5640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .1⤵PID:1904
-
C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exeC:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5608 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:6004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe1⤵PID:5468
-
C:\Windows\yjdsjvtcsjblkkkm.exeyjdsjvtcsjblkkkm.exe2⤵PID:5936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .1⤵PID:6036
-
C:\Windows\brqkgxaojfcrvafmcqpfe.exebrqkgxaojfcrvafmcqpfe.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2812 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."3⤵PID:488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe .1⤵PID:1076
-
C:\Windows\yjdsjvtcsjblkkkm.exeyjdsjvtcsjblkkkm.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4056 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*."3⤵PID:5380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe1⤵PID:3192
-
C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exeC:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe2⤵PID:2184
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe1⤵PID:2904
-
C:\Windows\znkcwlmyrlgtvybgugd.exeznkcwlmyrlgtvybgugd.exe2⤵PID:5096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .1⤵PID:3044
-
C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exeC:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4212 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."3⤵PID:1344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe .1⤵PID:1388
-
C:\Windows\yjdsjvtcsjblkkkm.exeyjdsjvtcsjblkkkm.exe .2⤵PID:4976
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*."3⤵PID:5768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe1⤵PID:3104
-
C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exeC:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe2⤵PID:5828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .1⤵PID:5488
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3496
-
-
C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exeC:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5656 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."3⤵PID:5880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe1⤵PID:5272
-
C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exeC:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe2⤵PID:3488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .1⤵PID:744
-
C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exeC:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5496 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\frmcuhgqhzsddefiu.exe*."3⤵PID:1780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe1⤵PID:3048
-
C:\Windows\yjdsjvtcsjblkkkm.exeyjdsjvtcsjblkkkm.exe2⤵PID:3480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe1⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exeC:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe2⤵PID:3144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .1⤵PID:3576
-
C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exeC:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4884 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."3⤵PID:1696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .1⤵PID:5780
-
C:\Windows\brqkgxaojfcrvafmcqpfe.exebrqkgxaojfcrvafmcqpfe.exe .2⤵PID:2576
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."3⤵PID:4008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe1⤵PID:6088
-
C:\Windows\brqkgxaojfcrvafmcqpfe.exebrqkgxaojfcrvafmcqpfe.exe2⤵PID:6112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe .1⤵PID:1396
-
C:\Windows\yjdsjvtcsjblkkkm.exeyjdsjvtcsjblkkkm.exe .2⤵PID:4704
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*."3⤵PID:6140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe1⤵PID:2268
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4876
-
-
C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exeC:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe2⤵PID:964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .1⤵PID:3288
-
C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exeC:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .2⤵PID:244
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."3⤵PID:4972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe1⤵PID:3940
-
C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exeC:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe2⤵PID:4788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .1⤵PID:4960
-
C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exeC:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4952 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
PID:3308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe1⤵PID:4412
-
C:\Windows\obxohvvgyrlxyacgte.exeobxohvvgyrlxyacgte.exe2⤵PID:6040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .1⤵PID:4424
-
C:\Windows\frmcuhgqhzsddefiu.exefrmcuhgqhzsddefiu.exe .2⤵PID:5004
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."3⤵PID:5988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe1⤵PID:6080
-
C:\Windows\obxohvvgyrlxyacgte.exeobxohvvgyrlxyacgte.exe2⤵PID:3684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe .1⤵PID:2440
-
C:\Windows\obxohvvgyrlxyacgte.exeobxohvvgyrlxyacgte.exe .2⤵PID:4176
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*."3⤵PID:1560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe1⤵PID:4200
-
C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exeC:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe2⤵PID:2016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .1⤵PID:5636
-
C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exeC:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3588 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\frmcuhgqhzsddefiu.exe*."3⤵PID:2272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe1⤵PID:4084
-
C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exeC:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe2⤵PID:2088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .1⤵PID:4912
-
C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exeC:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .2⤵PID:4804
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5684
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe1⤵PID:6048
-
C:\Windows\mbzsndfsmhdruycixkix.exembzsndfsmhdruycixkix.exe2⤵PID:5468
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .1⤵PID:3272
-
C:\Windows\brqkgxaojfcrvafmcqpfe.exebrqkgxaojfcrvafmcqpfe.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5616 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."3⤵PID:5832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe1⤵PID:1828
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2184
-
-
C:\Windows\brqkgxaojfcrvafmcqpfe.exebrqkgxaojfcrvafmcqpfe.exe2⤵PID:2288
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .1⤵PID:3968
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1500
-
-
C:\Windows\brqkgxaojfcrvafmcqpfe.exebrqkgxaojfcrvafmcqpfe.exe .2⤵PID:6024
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."3⤵PID:3204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe1⤵PID:860
-
C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exeC:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe2⤵PID:3104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .1⤵PID:5784
-
C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exeC:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .2⤵PID:2444
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*."3⤵PID:4212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe1⤵PID:4532
-
C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exeC:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe2⤵PID:3648
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .1⤵PID:4372
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1556
-
-
C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exeC:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5948 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe1⤵PID:4324
-
C:\Windows\obxohvvgyrlxyacgte.exeobxohvvgyrlxyacgte.exe2⤵PID:4452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe .1⤵PID:2008
-
C:\Windows\yjdsjvtcsjblkkkm.exeyjdsjvtcsjblkkkm.exe .2⤵PID:5252
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*."3⤵PID:6132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe1⤵PID:5364
-
C:\Windows\znkcwlmyrlgtvybgugd.exeznkcwlmyrlgtvybgugd.exe2⤵PID:2216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe .1⤵PID:5844
-
C:\Windows\yjdsjvtcsjblkkkm.exeyjdsjvtcsjblkkkm.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*."3⤵PID:4000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe1⤵PID:1140
-
C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exeC:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe2⤵PID:4488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .1⤵PID:5688
-
C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exeC:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4400 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."3⤵PID:2196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe1⤵PID:1472
-
C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exeC:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe2⤵PID:1396
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .1⤵PID:6140
-
C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exeC:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .2⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:6088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe1⤵PID:4232
-
C:\Windows\obxohvvgyrlxyacgte.exeobxohvvgyrlxyacgte.exe2⤵PID:1268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .1⤵PID:2432
-
C:\Windows\frmcuhgqhzsddefiu.exefrmcuhgqhzsddefiu.exe .2⤵PID:248
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."3⤵PID:4788
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe1⤵PID:4596
-
C:\Windows\obxohvvgyrlxyacgte.exeobxohvvgyrlxyacgte.exe2⤵PID:5964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe .1⤵PID:5180
-
C:\Windows\znkcwlmyrlgtvybgugd.exeznkcwlmyrlgtvybgugd.exe .2⤵PID:3560
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*."3⤵PID:1524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe1⤵PID:4960
-
C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exeC:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe2⤵PID:776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .1⤵PID:5420
-
C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exeC:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4412 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*."3⤵PID:5136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe1⤵PID:3820
-
  C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | PID 3416

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe . | PID 5980
  C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe . | PID 3520
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*." | PID 6020
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe | PID 1736
  C:\Windows\znkcwlmyrlgtvybgugd.exe | znkcwlmyrlgtvybgugd.exe | PID 4696

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe . | PID 4900
  C:\Windows\obxohvvgyrlxyacgte.exe | obxohvvgyrlxyacgte.exe . | PID 5028
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*." | PID 736

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe | PID 3924
  C:\Windows\brqkgxaojfcrvafmcqpfe.exe | brqkgxaojfcrvafmcqpfe.exe | PID 1984

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe . | PID 3460
  C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe . | PID 4172
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*." | PID 2740

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID 2356
  C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID 5172

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID 440
  C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID 2168
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*." | PID 5240

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID 3040
  C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID 1096

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID 2612
  C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID 5608
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*." | PID 3580

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe | PID 6060
  C:\Windows\frmcuhgqhzsddefiu.exe | frmcuhgqhzsddefiu.exe | PID 4744

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe . | PID 5020
  C:\Windows\obxohvvgyrlxyacgte.exe | obxohvvgyrlxyacgte.exe . | PID 5868
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*." | PID 4216

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe | PID 5312
  C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe | PID 6116

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe . | PID 5880
  C:\Windows\frmcuhgqhzsddefiu.exe | frmcuhgqhzsddefiu.exe . | PID 4316
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*." | PID 1744

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | PID 4540
  C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | PID 4372

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe . | PID 4024
  C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe | C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe . | PID 5840
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*." | PID 5412

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | PID 3488
  C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | PID 5252

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe . | PID 2736
  C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe . | PID 2188
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*." | PID 4228

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe | PID 2396
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1544
  C:\Windows\yjdsjvtcsjblkkkm.exe | yjdsjvtcsjblkkkm.exe | PID 1700

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe | PID 3048
  C:\Windows\frmcuhgqhzsddefiu.exe | frmcuhgqhzsddefiu.exe | PID 5080

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe . | PID 4928
  C:\Windows\frmcuhgqhzsddefiu.exe | frmcuhgqhzsddefiu.exe . | PID 4704
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*." | PID 1892

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe | PID 1596
  C:\Windows\frmcuhgqhzsddefiu.exe | frmcuhgqhzsddefiu.exe | PID 3328

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe . | PID 3788
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3780
  C:\Windows\znkcwlmyrlgtvybgugd.exe | znkcwlmyrlgtvybgugd.exe . | PID 420
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*." | PID 1896

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe | PID 6140
  C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe | PID 1168

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe . | PID 2752
  C:\Windows\brqkgxaojfcrvafmcqpfe.exe | brqkgxaojfcrvafmcqpfe.exe . | PID 4788
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*." | PID 5800

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe . | PID 5280
  C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe . | PID 5916
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*." | PID 3404

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe | PID 244
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3868
  C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe | PID 3128

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | PID 2052
  C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | PID 5988

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe | PID 3288
  C:\Windows\obxohvvgyrlxyacgte.exe | obxohvvgyrlxyacgte.exe | PID 2352

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe . | PID 5452
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 6068
  C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe . | PID 1660
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*." | PID 3008

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe . | PID 2516
  C:\Windows\frmcuhgqhzsddefiu.exe | frmcuhgqhzsddefiu.exe . | PID 3692
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*." | PID 1068

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID 4136
  C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID 2440
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*." | PID 5428

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID 2416
  C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID 5432

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID 3416
  C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID 1688

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe . | PID 4824
  C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe . | PID 2408
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*." | PID 5756

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe . | PID 3352
  C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe . | PID 2356
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*." | PID 1704

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID 4696
  C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID 5292

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID 1984
  C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID 3756
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*." | PID 3204

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID 3284
  C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID 1536

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | PID 1756
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4964
  C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | PID 5392

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe . | PID 4804
  C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe . | PID 1884
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*." | PID 6016

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe . | PID 948
  C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe . | PID 2872
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*." | PID 5520

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe | PID 4676
  C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe | PID 6028

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe . | PID 464
  C:\Windows\brqkgxaojfcrvafmcqpfe.exe | brqkgxaojfcrvafmcqpfe.exe . | PID 4264
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*." | PID 1496

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe | PID 2732
  C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe | PID 2708

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe . | PID 3408
  C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe . | PID 2848
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*." | PID 4452

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID 1380
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3016
  C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID 2456

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe . | PID 5532
  C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe . | PID 4024
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*." | PID 1296

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | PID 5272
  C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | PID 5260

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID 3264
  C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID 1684
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*." | PID 3900

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe | PID 1700
  C:\Windows\znkcwlmyrlgtvybgugd.exe | znkcwlmyrlgtvybgugd.exe | PID 3384

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe . | PID 5080
  C:\Windows\frmcuhgqhzsddefiu.exe | frmcuhgqhzsddefiu.exe . | PID 4416
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*." | PID 1608

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe | PID 1516
  C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe | PID 4936

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe . | PID 4928
  C:\Windows\obxohvvgyrlxyacgte.exe | obxohvvgyrlxyacgte.exe . | PID 4104
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*." | PID 6140

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID 2024
  C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID 4612

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe . | PID 1896
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5940
  C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe . | PID 5644
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*." | PID 4632

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID 5964
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5384
  C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID 4788

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID 4668
  C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID 244
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*." | PID 3684

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe | PID 4864
  C:\Windows\yjdsjvtcsjblkkkm.exe | yjdsjvtcsjblkkkm.exe | PID 4952

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe . | PID 2416
  C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe . | PID 5280
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*." | PID 1812

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe | PID 4620
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 6080
  C:\Windows\brqkgxaojfcrvafmcqpfe.exe | brqkgxaojfcrvafmcqpfe.exe | PID 1524

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe . | PID 1688
  C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe . | PID 5060
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*." | PID 3732

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe | PID 4708
  C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe | C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe | PID 3416

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe . | PID 5792
  C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe . | PID 4996
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*." | PID 4172

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID 2556
  C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID 2376

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe . | PID 5392
  C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe | C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe . | PID 3832
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*." | PID 1704

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe | PID 5008
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2096
  C:\Windows\brqkgxaojfcrvafmcqpfe.exe | brqkgxaojfcrvafmcqpfe.exe | PID 1612

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe . | PID 4808
  C:\Windows\brqkgxaojfcrvafmcqpfe.exe | brqkgxaojfcrvafmcqpfe.exe . | PID 2064
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*." | PID 5616

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe | PID 3208
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3204
  C:\Windows\znkcwlmyrlgtvybgugd.exe | znkcwlmyrlgtvybgugd.exe | PID 2372

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe . | PID 1112
  C:\Windows\frmcuhgqhzsddefiu.exe | frmcuhgqhzsddefiu.exe . | PID 3524
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*." | PID 3356

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | PID 2872
  C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | PID 4656

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe . | PID 4764
  C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe . | PID 956
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*." | PID 5828

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | PID 2080
  C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | PID 5784

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID 5128
  C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe . | PID 1496
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\yjdsjvtcsjblkkkm.exe*." | PID 4016

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe | PID 4048
  C:\Windows\yjdsjvtcsjblkkkm.exe | yjdsjvtcsjblkkkm.exe | PID 876

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe . | PID 772
  C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe . | PID 3160
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*." | PID 3736

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe | PID 4024
  C:\Windows\brqkgxaojfcrvafmcqpfe.exe | brqkgxaojfcrvafmcqpfe.exe | PID 5532

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe . | PID 5044
  C:\Windows\yjdsjvtcsjblkkkm.exe | yjdsjvtcsjblkkkm.exe . | PID 2448
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*." | PID 5736

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | PID 400
  C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | PID 3264

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe . | PID 4980
  C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe . | PID 4000
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*." | PID 3096

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID 1544
  C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe | PID 4520

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe . | PID 2160
  C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe | C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe . | PID 5688
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*." | PID 4480

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe | PID 5144
  C:\Windows\obxohvvgyrlxyacgte.exe | obxohvvgyrlxyacgte.exe | PID 4192

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe . | PID 6140
  C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe . | PID 1996
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*." | PID 4960

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe | PID 2424
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 6004
  C:\Windows\frmcuhgqhzsddefiu.exe | frmcuhgqhzsddefiu.exe | PID 920

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe . | PID 3080
  C:\Windows\znkcwlmyrlgtvybgugd.exe | znkcwlmyrlgtvybgugd.exe . | PID 4984
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\znkcwlmyrlgtvybgugd.exe*." | PID 5952

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | PID 5328
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3900
  C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | PID 5388

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe . | PID 4928
  C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe | C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe . | PID 3132
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*." | PID 2052

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | PID 2480
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5812
  C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | PID 3216

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe . | PID 5872
  C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe . | PID 4412
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*." | PID 4272

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe | PID 5168
  C:\Windows\obxohvvgyrlxyacgte.exe | obxohvvgyrlxyacgte.exe | PID 5344

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe . | PID 4904
  C:\Windows\obxohvvgyrlxyacgte.exe | obxohvvgyrlxyacgte.exe . | PID 3380
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*." | PID 2244

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c znkcwlmyrlgtvybgugd.exe | PID 5152
  C:\Windows\znkcwlmyrlgtvybgugd.exe | znkcwlmyrlgtvybgugd.exe | PID 428

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe . | PID 4172
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3288
  C:\Windows\obxohvvgyrlxyacgte.exe | obxohvvgyrlxyacgte.exe . | PID 5136
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*." | PID 440

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID 5916
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2044
  C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID 3464

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe . | PID 4484
  C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe . | PID 5032
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\frmcuhgqhzsddefiu.exe*." | PID 1052

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe | PID 2348
  C:\Windows\obxohvvgyrlxyacgte.exe | obxohvvgyrlxyacgte.exe | PID 2224

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe . | PID 5524
  C:\Windows\frmcuhgqhzsddefiu.exe | frmcuhgqhzsddefiu.exe . | PID 2612
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*." | PID 3364

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID 3968
  C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID 72

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe | PID 1920
  C:\Windows\frmcuhgqhzsddefiu.exe | frmcuhgqhzsddefiu.exe | PID 4896

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe . | PID 1628
  C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe | C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe . | PID 5484
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*." | PID 2724

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe | PID 5368
  C:\Windows\frmcuhgqhzsddefiu.exe | frmcuhgqhzsddefiu.exe | PID 5828

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe . | PID 4720
  C:\Windows\brqkgxaojfcrvafmcqpfe.exe | brqkgxaojfcrvafmcqpfe.exe . | PID 3272
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*." | PID 2228

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe . | PID 5056
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5868
  C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe . | PID 1500
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*." | PID 6048

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID 4624
  C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe | PID 836

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe . | PID 5236
  C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe | C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe . | PID 2712
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*." | PID 644

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe | PID 2000
  C:\Windows\frmcuhgqhzsddefiu.exe | frmcuhgqhzsddefiu.exe | PID 3580

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe . | PID 4212
  C:\Windows\obxohvvgyrlxyacgte.exe | obxohvvgyrlxyacgte.exe . | PID 5632
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\obxohvvgyrlxyacgte.exe*." | PID 1396

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | PID 5880
  C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | PID 1580

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | PID 1296
  C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe | PID 4660

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe | PID 4884
  C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe | PID 6116

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe . | PID 5912
  C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe | C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe . | PID 5064
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*." | PID 4552

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe . | PID 2280
  C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe | C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe . | PID 5688
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*." | PID 5244

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe . | PID 1076
  C:\Windows\frmcuhgqhzsddefiu.exe | frmcuhgqhzsddefiu.exe . | PID 4936
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*." | PID 2024

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | PID 1064
  C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | PID 2840

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe | PID 1472
  C:\Windows\mbzsndfsmhdruycixkix.exe | mbzsndfsmhdruycixkix.exe | PID 1740

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe . | PID 4428
  C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe | C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe . | PID 4652
    C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*." | PID 5388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .1⤵PID:1892
-
C:\Windows\frmcuhgqhzsddefiu.exefrmcuhgqhzsddefiu.exe .2⤵PID:4460
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."3⤵PID:564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe1⤵PID:6140
-
C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exeC:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe2⤵PID:4788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .1⤵PID:4984
-
C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exeC:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe .2⤵PID:5836
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\frmcuhgqhzsddefiu.exe*."3⤵PID:5648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe1⤵PID:648
-
C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exeC:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe2⤵PID:4008
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .1⤵PID:2972
-
C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exeC:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .2⤵PID:2480
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."3⤵PID:4704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe1⤵PID:5352
-
C:\Windows\mbzsndfsmhdruycixkix.exembzsndfsmhdruycixkix.exe2⤵PID:1660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe .1⤵PID:3820
-
C:\Windows\yjdsjvtcsjblkkkm.exeyjdsjvtcsjblkkkm.exe .2⤵PID:5160
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\yjdsjvtcsjblkkkm.exe*."3⤵PID:1532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe1⤵PID:1688
-
C:\Windows\yjdsjvtcsjblkkkm.exeyjdsjvtcsjblkkkm.exe2⤵PID:3732
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .1⤵PID:5292
-
C:\Windows\frmcuhgqhzsddefiu.exefrmcuhgqhzsddefiu.exe .2⤵PID:4920
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."3⤵PID:3316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe1⤵PID:3924
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5712
-
-
C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exeC:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe2⤵PID:2944
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .1⤵PID:3684
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2796
-
-
C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exeC:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .2⤵PID:1536
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."3⤵PID:3352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe1⤵PID:1148
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4456
-
-
C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exeC:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe2⤵PID:1452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .1⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exeC:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .2⤵PID:4204
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."3⤵PID:4248
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yjdsjvtcsjblkkkm.exe1⤵PID:5100
-
C:\Windows\yjdsjvtcsjblkkkm.exeyjdsjvtcsjblkkkm.exe2⤵PID:2296
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe .1⤵PID:3008
-
C:\Windows\mbzsndfsmhdruycixkix.exembzsndfsmhdruycixkix.exe .2⤵PID:1868
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*."3⤵PID:1232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe1⤵PID:2952
-
C:\Windows\mbzsndfsmhdruycixkix.exembzsndfsmhdruycixkix.exe2⤵PID:5020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .1⤵PID:4656
-
C:\Windows\brqkgxaojfcrvafmcqpfe.exebrqkgxaojfcrvafmcqpfe.exe .2⤵PID:3556
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."3⤵PID:1680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe1⤵PID:1152
-
C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exeC:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe2⤵PID:5684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .1⤵PID:5308
-
C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exeC:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .2⤵PID:4624
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."3⤵PID:4068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe1⤵PID:5096
-
C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exeC:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe2⤵PID:6132
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .1⤵PID:5356
-
C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exeC:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe .2⤵PID:1580
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\obxohvvgyrlxyacgte.exe*."3⤵PID:5880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe1⤵PID:4636
-
C:\Windows\mbzsndfsmhdruycixkix.exembzsndfsmhdruycixkix.exe2⤵PID:4848
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe .1⤵PID:1704
-
C:\Windows\brqkgxaojfcrvafmcqpfe.exebrqkgxaojfcrvafmcqpfe.exe .2⤵PID:1396
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\brqkgxaojfcrvafmcqpfe.exe*."3⤵PID:1344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe1⤵PID:5492
-
C:\Windows\brqkgxaojfcrvafmcqpfe.exebrqkgxaojfcrvafmcqpfe.exe2⤵PID:4144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c frmcuhgqhzsddefiu.exe .1⤵PID:4212
-
C:\Windows\frmcuhgqhzsddefiu.exefrmcuhgqhzsddefiu.exe .2⤵PID:1008
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\frmcuhgqhzsddefiu.exe*."3⤵PID:3424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe1⤵PID:6072
-
C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exeC:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe2⤵PID:2268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .1⤵PID:4552
-
C:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exeC:\Users\Admin\AppData\Local\Temp\mbzsndfsmhdruycixkix.exe .2⤵PID:4192
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\mbzsndfsmhdruycixkix.exe*."3⤵PID:4960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe1⤵PID:2024
-
C:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exeC:\Users\Admin\AppData\Local\Temp\yjdsjvtcsjblkkkm.exe2⤵PID:2604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .1⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exeC:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .2⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."3⤵PID:6120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe1⤵PID:3312
-
C:\Windows\mbzsndfsmhdruycixkix.exembzsndfsmhdruycixkix.exe2⤵PID:5456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe .1⤵PID:1896
-
C:\Windows\mbzsndfsmhdruycixkix.exembzsndfsmhdruycixkix.exe .2⤵PID:5372
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*."3⤵PID:1056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe1⤵PID:5960
-
C:\Windows\mbzsndfsmhdruycixkix.exembzsndfsmhdruycixkix.exe2⤵PID:2060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe .1⤵PID:3128
-
C:\Windows\mbzsndfsmhdruycixkix.exembzsndfsmhdruycixkix.exe .2⤵PID:2124
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\mbzsndfsmhdruycixkix.exe*."3⤵PID:5432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe1⤵PID:5408
-
C:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exeC:\Users\Admin\AppData\Local\Temp\obxohvvgyrlxyacgte.exe2⤵PID:1268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .1⤵PID:2352
-
C:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exeC:\Users\Admin\AppData\Local\Temp\znkcwlmyrlgtvybgugd.exe .2⤵PID:4764
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\znkcwlmyrlgtvybgugd.exe*."3⤵PID:248
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe1⤵PID:764
-
C:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exeC:\Users\Admin\AppData\Local\Temp\frmcuhgqhzsddefiu.exe2⤵PID:1812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .1⤵PID:5796
-
C:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exeC:\Users\Admin\AppData\Local\Temp\brqkgxaojfcrvafmcqpfe.exe .2⤵PID:1912
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\brqkgxaojfcrvafmcqpfe.exe*."3⤵PID:5352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbzsndfsmhdruycixkix.exe1⤵PID:2168
-
C:\Windows\mbzsndfsmhdruycixkix.exembzsndfsmhdruycixkix.exe2⤵PID:3732
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c obxohvvgyrlxyacgte.exe .1⤵PID:4084
-
C:\Windows\obxohvvgyrlxyacgte.exeobxohvvgyrlxyacgte.exe .2⤵PID:2556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqkgxaojfcrvafmcqpfe.exe1⤵PID:4228
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:428
-
Network
MITRE ATT&CK Enterprise v16 (technique counts in parentheses)

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads