Analysis
max time kernel: 60s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 17/04/2025, 22:48
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_bb7873a096a7ddd06706314a91eb4e66.exe
  Resource: win10v2004-20250314-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_bb7873a096a7ddd06706314a91eb4e66.exe
  Resource: win11-20250410-en
General
Target: JaffaCakes118_bb7873a096a7ddd06706314a91eb4e66.exe
Size: 640KB
MD5: bb7873a096a7ddd06706314a91eb4e66
SHA1: 45bde370d8c23151d85e7c7e05cd26c05342d7bc
SHA256: 451ba46bdd9d4d17e54a87482a117dfd99da75d4dc6d030cbceffb4885e7f507
SHA512: 8af08029a8d90586aa634eab2a06b19a112bc6b2c21cc0ec1117ce89965c7209af4c452a3306394606a46f478cf7e1628ddfc732f5d3efae758e090436f68131
SSDEEP: 12288:7IX6gtvm1De5YlOx6lzBH46U2yxeco7pQS/L7no2aT:7u81yMBbtyno7pQS/LBaT
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 26 IoCs)
Pykspa family
UAC bypass (3 TTPs, 35 IoCs)
Detect Pykspa worm (2 IoCs)
resource                                      yara_rule
behavioral2/files/0x000600000002a6f3-4.dat    family_pykspa
behavioral2/files/0x001900000002b0c2-105.dat  family_pykspa
Adds policy Run key to start application (2 TTPs, 64 IoCs)
Disables RegEdit via registry modification (29 IoCs)
Executes dropped EXE (64 IoCs)
Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
description  ioc                                                                           Process
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager   huthjp.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys    huthjp.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc       huthjp.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power         huthjp.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys     huthjp.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc       huthjp.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
huthjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ogkdkvimajb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wympgbymkdftezhzyzkma.exe" vzaljrgxfjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wigtu = "hivxnhdqnfgtdxevttde.exe" vzaljrgxfjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wigtu = "hivxnhdqnfgtdxevttde.exe" vzaljrgxfjk.exe Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aqsjoxikw = "wympgbymkdftezhzyzkma.exe ." vzaljrgxfjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ogkdkvimajb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hivxnhdqnfgtdxevttde.exe" vzaljrgxfjk.exe Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\huthjp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tqzxjzrathentjmz.exe ." huthjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tknflvhkxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jitthztezpozhzetpn.exe ." vzaljrgxfjk.exe Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\jyzptblm = "wympgbymkdftezhzyzkma.exe" vzaljrgxfjk.exe Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\huthjp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hivxnhdqnfgtdxevttde.exe ." 
vzaljrgxfjk.exe Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\jyzptblm = "hivxnhdqnfgtdxevttde.exe" vzaljrgxfjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ogkdkvimajb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jitthztezpozhzetpn.exe" huthjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tknflvhkxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jitthztezpozhzetpn.exe ." vzaljrgxfjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ogkdkvimajb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tqzxjzrathentjmz.exe" vzaljrgxfjk.exe Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\wigtu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ayihuleoixvfmdhvq.exe" vzaljrgxfjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ogkdkvimajb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uughwpkwsjjvexdtqpy.exe" vzaljrgxfjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tknflvhkxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tqzxjzrathentjmz.exe ." vzaljrgxfjk.exe -
Checks whether UAC is enabled 1 TTPs 52 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | huthjp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | huthjp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | huthjp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | huthjp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | huthjp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | huthjp.exe
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
3 | www.whatismyip.ca
3 | whatismyipaddress.com
3 | whatismyip.everdot.org
1 | whatismyip.everdot.org
1 | www.showmyipaddress.com
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | F:\autorun.inf | huthjp.exe
File created | F:\autorun.inf | huthjp.exe
File opened for modification | C:\autorun.inf | huthjp.exe
File created | C:\autorun.inf | huthjp.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ayihuleoixvfmdhvq.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\nqfjbxvkjdgvhdmffhtwlp.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\hivxnhdqnfgtdxevttde.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\uughwpkwsjjvexdtqpy.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\nqfjbxvkjdgvhdmffhtwlp.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\wympgbymkdftezhzyzkma.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\uughwpkwsjjvexdtqpy.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\jitthztezpozhzetpn.exe | vzaljrgxfjk.exe
File created | C:\Windows\SysWOW64\wigtuzgempbzuzrtcniusfglsqy.nlg | huthjp.exe
File opened for modification | C:\Windows\SysWOW64\tqzxjzrathentjmz.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\hivxnhdqnfgtdxevttde.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\tqzxjzrathentjmz.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\nqfjbxvkjdgvhdmffhtwlp.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\uughwpkwsjjvexdtqpy.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\hivxnhdqnfgtdxevttde.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\hivxnhdqnfgtdxevttde.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\tqzxjzrathentjmz.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\ayihuleoixvfmdhvq.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\ayihuleoixvfmdhvq.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\hivxnhdqnfgtdxevttde.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\hivxnhdqnfgtdxevttde.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\hivxnhdqnfgtdxevttde.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\hivxnhdqnfgtdxevttde.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\nqfjbxvkjdgvhdmffhtwlp.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\jitthztezpozhzetpn.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\tqzxjzrathentjmz.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\tqzxjzrathentjmz.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\uughwpkwsjjvexdtqpy.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\wympgbymkdftezhzyzkma.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\tqzxjzrathentjmz.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\ayihuleoixvfmdhvq.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\jitthztezpozhzetpn.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\ayihuleoixvfmdhvq.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\wympgbymkdftezhzyzkma.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\jitthztezpozhzetpn.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\uughwpkwsjjvexdtqpy.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\wympgbymkdftezhzyzkma.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\ayihuleoixvfmdhvq.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\uughwpkwsjjvexdtqpy.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\ayihuleoixvfmdhvq.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\hivxnhdqnfgtdxevttde.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\wigtuzgempbzuzrtcniusfglsqy.nlg | huthjp.exe
File opened for modification | C:\Windows\SysWOW64\wympgbymkdftezhzyzkma.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\tqzxjzrathentjmz.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\uughwpkwsjjvexdtqpy.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\nqfjbxvkjdgvhdmffhtwlp.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\ayihuleoixvfmdhvq.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\ayihuleoixvfmdhvq.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\jitthztezpozhzetpn.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\wympgbymkdftezhzyzkma.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\hivxnhdqnfgtdxevttde.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\ayihuleoixvfmdhvq.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\jitthztezpozhzetpn.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\tqzxjzrathentjmz.exe | huthjp.exe
File opened for modification | C:\Windows\SysWOW64\uughwpkwsjjvexdtqpy.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\wympgbymkdftezhzyzkma.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\ayihuleoixvfmdhvq.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\hivxnhdqnfgtdxevttde.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\hivxnhdqnfgtdxevttde.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\tqzxjzrathentjmz.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\jitthztezpozhzetpn.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\ayihuleoixvfmdhvq.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\wympgbymkdftezhzyzkma.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\SysWOW64\wympgbymkdftezhzyzkma.exe | vzaljrgxfjk.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\wigtuzgempbzuzrtcniusfglsqy.nlg | huthjp.exe
File created | C:\Program Files (x86)\wigtuzgempbzuzrtcniusfglsqy.nlg | huthjp.exe
File opened for modification | C:\Program Files (x86)\tqzxjzrathentjmztpvsbzlbtcvjgpvlobvrxu.bnd | huthjp.exe
File created | C:\Program Files (x86)\tqzxjzrathentjmztpvsbzlbtcvjgpvlobvrxu.bnd | huthjp.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\tqzxjzrathentjmz.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\nqfjbxvkjdgvhdmffhtwlp.exe | huthjp.exe
File opened for modification | C:\Windows\jitthztezpozhzetpn.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\wympgbymkdftezhzyzkma.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\ayihuleoixvfmdhvq.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\wympgbymkdftezhzyzkma.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\nqfjbxvkjdgvhdmffhtwlp.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\nqfjbxvkjdgvhdmffhtwlp.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\jitthztezpozhzetpn.exe | huthjp.exe
File opened for modification | C:\Windows\tqzxjzrathentjmz.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\ayihuleoixvfmdhvq.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\wympgbymkdftezhzyzkma.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\hivxnhdqnfgtdxevttde.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\nqfjbxvkjdgvhdmffhtwlp.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\ayihuleoixvfmdhvq.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\wympgbymkdftezhzyzkma.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\tqzxjzrathentjmz.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\jitthztezpozhzetpn.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\ayihuleoixvfmdhvq.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\uughwpkwsjjvexdtqpy.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\ayihuleoixvfmdhvq.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\hivxnhdqnfgtdxevttde.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\ayihuleoixvfmdhvq.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\uughwpkwsjjvexdtqpy.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\nqfjbxvkjdgvhdmffhtwlp.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\tqzxjzrathentjmz.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\jitthztezpozhzetpn.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\jitthztezpozhzetpn.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\jitthztezpozhzetpn.exe | huthjp.exe
File opened for modification | C:\Windows\ayihuleoixvfmdhvq.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\nqfjbxvkjdgvhdmffhtwlp.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\wympgbymkdftezhzyzkma.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\uughwpkwsjjvexdtqpy.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\hivxnhdqnfgtdxevttde.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\hivxnhdqnfgtdxevttde.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\uughwpkwsjjvexdtqpy.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\wympgbymkdftezhzyzkma.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\tqzxjzrathentjmz.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\uughwpkwsjjvexdtqpy.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\wympgbymkdftezhzyzkma.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\ayihuleoixvfmdhvq.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\jitthztezpozhzetpn.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\nqfjbxvkjdgvhdmffhtwlp.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\jitthztezpozhzetpn.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\tqzxjzrathentjmz.exe | huthjp.exe
File opened for modification | C:\Windows\ayihuleoixvfmdhvq.exe | huthjp.exe
File opened for modification | C:\Windows\ayihuleoixvfmdhvq.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\uughwpkwsjjvexdtqpy.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\hivxnhdqnfgtdxevttde.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\wympgbymkdftezhzyzkma.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\hivxnhdqnfgtdxevttde.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\jitthztezpozhzetpn.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\jitthztezpozhzetpn.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\ayihuleoixvfmdhvq.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\tqzxjzrathentjmz.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\jitthztezpozhzetpn.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\hivxnhdqnfgtdxevttde.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\nqfjbxvkjdgvhdmffhtwlp.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\wympgbymkdftezhzyzkma.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\hivxnhdqnfgtdxevttde.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\tqzxjzrathentjmz.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\wympgbymkdftezhzyzkma.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\nqfjbxvkjdgvhdmffhtwlp.exe | vzaljrgxfjk.exe
File opened for modification | C:\Windows\jitthztezpozhzetpn.exe | vzaljrgxfjk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wympgbymkdftezhzyzkma.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jitthztezpozhzetpn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uughwpkwsjjvexdtqpy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hivxnhdqnfgtdxevttde.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ayihuleoixvfmdhvq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uughwpkwsjjvexdtqpy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tqzxjzrathentjmz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hivxnhdqnfgtdxevttde.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hivxnhdqnfgtdxevttde.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uughwpkwsjjvexdtqpy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hivxnhdqnfgtdxevttde.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wympgbymkdftezhzyzkma.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hivxnhdqnfgtdxevttde.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uughwpkwsjjvexdtqpy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ayihuleoixvfmdhvq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wympgbymkdftezhzyzkma.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uughwpkwsjjvexdtqpy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ayihuleoixvfmdhvq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uughwpkwsjjvexdtqpy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jitthztezpozhzetpn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tqzxjzrathentjmz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tqzxjzrathentjmz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hivxnhdqnfgtdxevttde.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ayihuleoixvfmdhvq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wympgbymkdftezhzyzkma.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tqzxjzrathentjmz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jitthztezpozhzetpn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tqzxjzrathentjmz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wympgbymkdftezhzyzkma.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uughwpkwsjjvexdtqpy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wympgbymkdftezhzyzkma.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hivxnhdqnfgtdxevttde.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hivxnhdqnfgtdxevttde.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tqzxjzrathentjmz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ayihuleoixvfmdhvq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jitthztezpozhzetpn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hivxnhdqnfgtdxevttde.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wympgbymkdftezhzyzkma.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hivxnhdqnfgtdxevttde.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tqzxjzrathentjmz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | huthjp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uughwpkwsjjvexdtqpy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tqzxjzrathentjmz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ayihuleoixvfmdhvq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tqzxjzrathentjmz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wympgbymkdftezhzyzkma.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jitthztezpozhzetpn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hivxnhdqnfgtdxevttde.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wympgbymkdftezhzyzkma.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uughwpkwsjjvexdtqpy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jitthztezpozhzetpn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hivxnhdqnfgtdxevttde.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tqzxjzrathentjmz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jitthztezpozhzetpn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wympgbymkdftezhzyzkma.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ayihuleoixvfmdhvq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tqzxjzrathentjmz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tqzxjzrathentjmz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wympgbymkdftezhzyzkma.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ayihuleoixvfmdhvq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jitthztezpozhzetpn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tqzxjzrathentjmz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uughwpkwsjjvexdtqpy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hivxnhdqnfgtdxevttde.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | count
5900 | JaffaCakes118_bb7873a096a7ddd06706314a91eb4e66.exe | 60
332 | huthjp.exe | 4
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 332 | huthjp.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | count
PID 5900 wrote to memory of 3632 | 5900 | JaffaCakes118_bb7873a096a7ddd06706314a91eb4e66.exe | 78 | 3
PID 1256 wrote to memory of 4952 | 1256 | cmd.exe | 81 | 3
PID 5020 wrote to memory of 5056 | 5020 | cmd.exe | 84 | 3
PID 5056 wrote to memory of 5308 | 5056 | ayihuleoixvfmdhvq.exe | 87 | 3
PID 5040 wrote to memory of 5016 | 5040 | cmd.exe | 89 | 3
PID 716 wrote to memory of 4680 | 716 | cmd.exe | 91 | 3
PID 4000 wrote to memory of 4600 | 4000 | cmd.exe | 94 | 3
PID 4680 wrote to memory of 4228 | 4680 | hivxnhdqnfgtdxevttde.exe | 97 | 3
PID 1036 wrote to memory of 5128 | 1036 | cmd.exe | 98 | 3
PID 5128 wrote to memory of 5168 | 5128 | wympgbymkdftezhzyzkma.exe | 99 | 3
PID 5512 wrote to memory of 5100 | 5512 | cmd.exe | 102 | 3
PID 3060 wrote to memory of 4044 | 3060 | cmd.exe | 105 | 3
PID 4044 wrote to memory of 2972 | 4044 | hivxnhdqnfgtdxevttde.exe | 106 | 3
PID 3632 wrote to memory of 332 | 3632 | vzaljrgxfjk.exe | 107 | 3
PID 3632 wrote to memory of 4856 | 3632 | vzaljrgxfjk.exe | 108 | 3
PID 5876 wrote to memory of 3988 | 5876 | cmd.exe | 114 | 3
PID 3628 wrote to memory of 1080 | 3628 | cmd.exe | 113 | 3
PID 2236 wrote to memory of 1800 | 2236 | cmd.exe | 119 | 3
PID 4992 wrote to memory of 1328 | 4992 | cmd.exe | 120 | 3
PID 1328 wrote to memory of 1552 | 1328 | tqzxjzrathentjmz.exe | 125 | 3
PID 1800 wrote to memory of 4028 | 1800 | ayihuleoixvfmdhvq.exe | 126 | 3
PID 3412 wrote to memory of 2760 | 3412 | cmd.exe | 130 | 1
System policy modification 1 TTPs 64 IoCs
description | ioc | Process | count
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | huthjp.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | huthjp.exe | 1
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe | 22
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe | 16
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | huthjp.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | vzaljrgxfjk.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | vzaljrgxfjk.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | huthjp.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | vzaljrgxfjk.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | vzaljrgxfjk.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | vzaljrgxfjk.exe | 1
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | vzaljrgxfjk.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | huthjp.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | huthjp.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | huthjp.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | huthjp.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | huthjp.exe | 2
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | huthjp.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | huthjp.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | vzaljrgxfjk.exe | 1
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | huthjp.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | vzaljrgxfjk.exe | 1
Processes

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb7873a096a7ddd06706314a91eb4e66.exe (PID 5900)
    command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb7873a096a7ddd06706314a91eb4e66.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 3632)
        command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_bb7873a096a7ddd06706314a91eb4e66.exe*"
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Hijack Execution Flow: Executable Installer File Permissions Weakness
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        - System policy modification
        [3] C:\Users\Admin\AppData\Local\Temp\huthjp.exe (PID 332)
            command line: "C:\Users\Admin\AppData\Local\Temp\huthjp.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_bb7873a096a7ddd06706314a91eb4e66.exe"
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Impair Defenses: Safe Mode Boot
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Hijack Execution Flow: Executable Installer File Permissions Weakness
            - Drops autorun.inf file
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - System policy modification
        [3] C:\Users\Admin\AppData\Local\Temp\huthjp.exe (PID 4856)
            command line: "C:\Users\Admin\AppData\Local\Temp\huthjp.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_bb7873a096a7ddd06706314a91eb4e66.exe"
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Hijack Execution Flow: Executable Installer File Permissions Weakness
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 1256)
    command line: C:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\tqzxjzrathentjmz.exe (PID 4952)
        command line: tqzxjzrathentjmz.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5020)
    command line: C:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe .
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\ayihuleoixvfmdhvq.exe (PID 5056)
        command line: ayihuleoixvfmdhvq.exe .
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5308)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ayihuleoixvfmdhvq.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5040)
    command line: C:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\tqzxjzrathentjmz.exe (PID 5016)
        command line: tqzxjzrathentjmz.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 716)
    command line: C:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\hivxnhdqnfgtdxevttde.exe (PID 4680)
        command line: hivxnhdqnfgtdxevttde.exe .
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 4228)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 4000)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe (PID 4600)
        command line: C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 1036)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe (PID 5128)
        command line: C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5168)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wympgbymkdftezhzyzkma.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5512)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe (PID 5100)
        command line: C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 3060)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe (PID 4044)
        command line: C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 2972)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hivxnhdqnfgtdxevttde.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5876)
    command line: C:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\jitthztezpozhzetpn.exe (PID 3988)
        command line: jitthztezpozhzetpn.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 3628)
    command line: C:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\ayihuleoixvfmdhvq.exe (PID 1080)
        command line: ayihuleoixvfmdhvq.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 2236)
    command line: C:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe .
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\ayihuleoixvfmdhvq.exe (PID 1800)
        command line: ayihuleoixvfmdhvq.exe .
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 4028)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ayihuleoixvfmdhvq.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 4992)
    command line: C:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe .
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\tqzxjzrathentjmz.exe (PID 1328)
        command line: tqzxjzrathentjmz.exe .
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 1552)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tqzxjzrathentjmz.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 2232)
    command line: C:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe
    [2] C:\Windows\wympgbymkdftezhzyzkma.exe (PID 2052)
        command line: wympgbymkdftezhzyzkma.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 3412)
    command line: C:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\jitthztezpozhzetpn.exe (PID 2760)
        command line: jitthztezpozhzetpn.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 684)
    command line: C:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .
    [2] C:\Windows\hivxnhdqnfgtdxevttde.exe (PID 532)
        command line: hivxnhdqnfgtdxevttde.exe .
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 2040)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 5280)
    command line: C:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .
    [2] C:\Windows\hivxnhdqnfgtdxevttde.exe (PID 5500)
        command line: hivxnhdqnfgtdxevttde.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 3600)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 3548)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe
    [2] C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe (PID 3400)
        command line: C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 5188)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe
    [2] C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe (PID 564)
        command line: C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5320)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe (PID 6036)
        command line: C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 2752)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wympgbymkdftezhzyzkma.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 1976)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe (PID 5628)
        command line: C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5028)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wympgbymkdftezhzyzkma.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 1176)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe
    [2] C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe (PID 932)
        command line: C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 1244)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe
    [2] C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe (PID 4696)
        command line: C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 4376)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe (PID 3768)
        command line: C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 4060)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ayihuleoixvfmdhvq.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 2024)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe (PID 4720)
        command line: C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5584)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ayihuleoixvfmdhvq.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 2524)
    command line: C:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe
    [2] C:\Windows\uughwpkwsjjvexdtqpy.exe (PID 2916)
        command line: uughwpkwsjjvexdtqpy.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 4292)
    command line: C:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe .
    [2] C:\Windows\uughwpkwsjjvexdtqpy.exe (PID 6124)
        command line: uughwpkwsjjvexdtqpy.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 4952)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\uughwpkwsjjvexdtqpy.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 1100)
    command line: C:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe
    [2] C:\Windows\wympgbymkdftezhzyzkma.exe (PID 2368)
        command line: wympgbymkdftezhzyzkma.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 3644)
    command line: C:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe .
    [2] C:\Windows\jitthztezpozhzetpn.exe (PID 4472)
        command line: jitthztezpozhzetpn.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5264)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jitthztezpozhzetpn.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5068)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe
    [2] C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe (PID 4428)
        command line: C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 3908)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe (PID 3396)
        command line: C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 3480)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ayihuleoixvfmdhvq.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5124)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe
    [2] C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe (PID 1916)
        command line: C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5136)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe (PID 3164)
        command line: C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5476)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hivxnhdqnfgtdxevttde.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 2592)
    command line: C:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe
    [2] C:\Windows\wympgbymkdftezhzyzkma.exe (PID 2404)
        command line: wympgbymkdftezhzyzkma.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 2464)
    command line: C:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe .
    [2] C:\Windows\uughwpkwsjjvexdtqpy.exe (PID 4044)
        command line: uughwpkwsjjvexdtqpy.exe .
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 3728)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\uughwpkwsjjvexdtqpy.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 2996)
    command line: C:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe
    [2] C:\Windows\jitthztezpozhzetpn.exe (PID 936)
        command line: jitthztezpozhzetpn.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 3452)
    command line: C:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe
    [2] C:\Windows\jitthztezpozhzetpn.exe (PID 2936)
        command line: jitthztezpozhzetpn.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 3684)
    command line: C:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe
    [2] C:\Windows\wympgbymkdftezhzyzkma.exe (PID 5348)
        command line: wympgbymkdftezhzyzkma.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 1316)
    command line: C:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe .
    [2] C:\Windows\ayihuleoixvfmdhvq.exe (PID 1516)
        command line: ayihuleoixvfmdhvq.exe .
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 3312)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ayihuleoixvfmdhvq.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 2028)
    command line: C:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .
    [2] C:\Windows\hivxnhdqnfgtdxevttde.exe (PID 1980)
        command line: hivxnhdqnfgtdxevttde.exe .
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 4576)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 1948)
    command line: C:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe .
    [2] C:\Windows\ayihuleoixvfmdhvq.exe (PID 1520)
        command line: ayihuleoixvfmdhvq.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5612)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ayihuleoixvfmdhvq.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 5464)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe
    [2] C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe (PID 4992)
        command line: C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe (PID 2148)
    command line: C:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe
    [2] C:\Windows\uughwpkwsjjvexdtqpy.exe (PID 2272)
        command line: uughwpkwsjjvexdtqpy.exe

[1] C:\Windows\system32\cmd.exe (PID 1600)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe (PID 1604)
        command line: C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 1828)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\uughwpkwsjjvexdtqpy.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Disables RegEdit via registry modification
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe (PID 1224)
    command line: C:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe
    [2] C:\Windows\uughwpkwsjjvexdtqpy.exe (PID 1664)
        command line: uughwpkwsjjvexdtqpy.exe

[1] C:\Windows\system32\cmd.exe (PID 1500)
    command line: C:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe .
    [2] C:\Windows\jitthztezpozhzetpn.exe (PID 3352)
        command line: jitthztezpozhzetpn.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 1056)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jitthztezpozhzetpn.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3860)
    command line: C:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe .
    [2] C:\Windows\jitthztezpozhzetpn.exe (PID 3180)
        command line: jitthztezpozhzetpn.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 2276)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jitthztezpozhzetpn.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4344)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe
    [2] C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe (PID 5824)
        command line: C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe

[1] C:\Windows\system32\cmd.exe (PID 1996)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe
    [2] C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe (PID 2640)
        command line: C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe

[1] C:\Windows\system32\cmd.exe (PID 5616)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe
    [2] C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe (PID 2288)
        command line: C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe

[1] C:\Windows\system32\cmd.exe (PID 1932)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe (PID 5976)
        command line: C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 2916)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\uughwpkwsjjvexdtqpy.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3172)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe (PID 1396)
        command line: C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 2776)
            command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\uughwpkwsjjvexdtqpy.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4788)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .
    [2] C:\Windows\System32\Conhost.exe (PID 3600)
        command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe
        command line: C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .
- System Location Discovery: System Language Discovery
PID:1876 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jitthztezpozhzetpn.exe*."3⤵PID:5440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe1⤵PID:5356
-
C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exeC:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe2⤵PID:452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe1⤵PID:5960
-
C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exeC:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe2⤵PID:2220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .1⤵PID:2340
-
C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .2⤵PID:1032
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jitthztezpozhzetpn.exe*."3⤵PID:5804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .1⤵PID:3028
-
C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .2⤵PID:1208
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jitthztezpozhzetpn.exe*."3⤵PID:4176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe1⤵PID:3768
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe2⤵PID:6052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe .1⤵PID:2332
-
C:\Windows\ayihuleoixvfmdhvq.exeayihuleoixvfmdhvq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5060 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ayihuleoixvfmdhvq.exe*."3⤵PID:1324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe1⤵PID:2428
-
C:\Windows\wympgbymkdftezhzyzkma.exewympgbymkdftezhzyzkma.exe2⤵PID:1256
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe .1⤵PID:5072
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4428
-
-
C:\Windows\tqzxjzrathentjmz.exetqzxjzrathentjmz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5024 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tqzxjzrathentjmz.exe*."3⤵PID:4476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe1⤵PID:2356
-
C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe2⤵PID:3644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .1⤵PID:4220
-
C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exeC:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .2⤵PID:4092
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tqzxjzrathentjmz.exe*."3⤵PID:3480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe1⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exeC:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe2⤵PID:5156
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .1⤵PID:2200
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2040
-
-
C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exeC:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .2⤵PID:5408
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hivxnhdqnfgtdxevttde.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe1⤵PID:2404
-
C:\Windows\tqzxjzrathentjmz.exetqzxjzrathentjmz.exe2⤵PID:2972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe .1⤵PID:4584
-
C:\Windows\wympgbymkdftezhzyzkma.exewympgbymkdftezhzyzkma.exe .2⤵PID:4996
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wympgbymkdftezhzyzkma.exe*."3⤵PID:2996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe1⤵PID:4040
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe2⤵PID:2076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe .1⤵PID:2316
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\uughwpkwsjjvexdtqpy.exe*."3⤵PID:2236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe1⤵PID:4836
-
C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe2⤵PID:1128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .1⤵PID:4992
-
C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .2⤵PID:3464
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jitthztezpozhzetpn.exe*."3⤵PID:1676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe1⤵PID:3088
-
C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe2⤵PID:4244
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .1⤵PID:3184
-
C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exeC:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .2⤵PID:1664
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hivxnhdqnfgtdxevttde.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe1⤵PID:4880
-
C:\Windows\jitthztezpozhzetpn.exejitthztezpozhzetpn.exe2⤵PID:5184
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .1⤵PID:2148
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe .2⤵PID:5292
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."3⤵PID:1776
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe1⤵PID:3520
-
C:\Windows\tqzxjzrathentjmz.exetqzxjzrathentjmz.exe2⤵PID:684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe .1⤵PID:2640
-
C:\Windows\tqzxjzrathentjmz.exetqzxjzrathentjmz.exe .2⤵PID:3352
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tqzxjzrathentjmz.exe*."3⤵PID:5496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe1⤵PID:1384
-
C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exeC:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe2⤵PID:412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .1⤵PID:3008
-
C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .2⤵PID:5332
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\uughwpkwsjjvexdtqpy.exe*."3⤵PID:1136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe1⤵PID:736
-
C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exeC:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe2⤵PID:5996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .1⤵PID:6060
-
C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exeC:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .2⤵PID:4572
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hivxnhdqnfgtdxevttde.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe1⤵PID:1976
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe2⤵PID:6004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe .1⤵PID:3892
-
C:\Windows\jitthztezpozhzetpn.exejitthztezpozhzetpn.exe .2⤵PID:5356
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jitthztezpozhzetpn.exe*."3⤵PID:3132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe1⤵PID:4788
-
C:\Windows\wympgbymkdftezhzyzkma.exewympgbymkdftezhzyzkma.exe2⤵PID:6032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe .1⤵PID:1932
-
C:\Windows\tqzxjzrathentjmz.exetqzxjzrathentjmz.exe .2⤵PID:4780
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tqzxjzrathentjmz.exe*."3⤵PID:4704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe1⤵PID:4404
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4176
-
-
C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exeC:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe2⤵PID:3852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .1⤵PID:392
-
C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exeC:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5804 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tqzxjzrathentjmz.exe*."3⤵PID:996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe1⤵PID:3768
-
C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exeC:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe2⤵PID:3400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .1⤵PID:4916
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4952
-
-
C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .2⤵PID:760
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ayihuleoixvfmdhvq.exe*."3⤵PID:2524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe1⤵PID:5696
-
C:\Windows\wympgbymkdftezhzyzkma.exewympgbymkdftezhzyzkma.exe2⤵PID:2324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe1⤵PID:908
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe2⤵PID:4524
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .1⤵PID:2380
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe .2⤵PID:5056
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe .1⤵PID:3804
-
C:\Windows\wympgbymkdftezhzyzkma.exewympgbymkdftezhzyzkma.exe .2⤵PID:4092
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wympgbymkdftezhzyzkma.exe*."3⤵PID:5156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe1⤵PID:5124
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe2⤵PID:2592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe1⤵PID:5224
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe2⤵PID:4888
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .1⤵PID:5408
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe .2⤵PID:2320
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."3⤵PID:1272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe .1⤵PID:4248
-
C:\Windows\ayihuleoixvfmdhvq.exeayihuleoixvfmdhvq.exe .2⤵PID:1128
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ayihuleoixvfmdhvq.exe*."3⤵PID:5300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe1⤵PID:3448
-
C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exeC:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe2⤵PID:5832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe1⤵PID:4444
-
C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exeC:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe2⤵PID:2708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .1⤵PID:4008
-
C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .2⤵PID:5640
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ayihuleoixvfmdhvq.exe*."3⤵PID:5344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .1⤵PID:2668
-
C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .2⤵PID:3356
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jitthztezpozhzetpn.exe*."3⤵PID:1080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe1⤵PID:808
-
C:\Windows\wympgbymkdftezhzyzkma.exewympgbymkdftezhzyzkma.exe2⤵PID:2252
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe1⤵PID:5820
-
C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exeC:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe2⤵PID:3404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe1⤵PID:4628
-
C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exeC:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe2⤵PID:4028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe .1⤵PID:1516
-
C:\Windows\ayihuleoixvfmdhvq.exeayihuleoixvfmdhvq.exe .2⤵PID:4064
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ayihuleoixvfmdhvq.exe*."3⤵PID:4768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .1⤵PID:3088
-
C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exeC:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5448 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tqzxjzrathentjmz.exe*."3⤵PID:3352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .1⤵PID:2272
-
C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exeC:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5292 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hivxnhdqnfgtdxevttde.exe*."3⤵PID:5712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe1⤵PID:4936
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe2⤵PID:5168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe .1⤵PID:1604
-
C:\Windows\ayihuleoixvfmdhvq.exeayihuleoixvfmdhvq.exe .2⤵PID:5496
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ayihuleoixvfmdhvq.exe*."3⤵PID:1864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe1⤵PID:2688
-
C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe2⤵PID:756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .1⤵PID:700
-
C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exeC:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4456 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hivxnhdqnfgtdxevttde.exe*."3⤵PID:5088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe1⤵PID:1500
-
C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exeC:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe2⤵PID:1988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .1⤵PID:2036
-
C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exeC:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4572 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hivxnhdqnfgtdxevttde.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe1⤵PID:972
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe2⤵PID:6096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe .1⤵PID:3328
-
C:\Windows\tqzxjzrathentjmz.exetqzxjzrathentjmz.exe .2⤵PID:5692
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tqzxjzrathentjmz.exe*."3⤵PID:6028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe1⤵PID:4236
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe2⤵PID:3552
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe .1⤵PID:3856
-
C:\Windows\wympgbymkdftezhzyzkma.exewympgbymkdftezhzyzkma.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5008 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wympgbymkdftezhzyzkma.exe*."3⤵PID:1872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe1⤵PID:3580
-
C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exeC:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe2⤵PID:5000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .1⤵PID:5780
-
C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exeC:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .2⤵PID:4260
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hivxnhdqnfgtdxevttde.exe*."3⤵PID:5744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe1⤵PID:4272
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2288
-
-
C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe2⤵PID:2340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .1⤵PID:3400
-
C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exeC:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .2⤵PID:4912
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hivxnhdqnfgtdxevttde.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe1⤵PID:5620
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe2⤵PID:4740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .1⤵PID:5044
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe .2⤵PID:5076
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."3⤵PID:4228
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe1⤵PID:4032
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe2⤵PID:4092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe .1⤵PID:5200
-
C:\Windows\tqzxjzrathentjmz.exetqzxjzrathentjmz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5052 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tqzxjzrathentjmz.exe*."3⤵PID:4656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe1⤵PID:3908
-
C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe2⤵PID:2248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .1⤵PID:2936
-
C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exeC:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .2⤵PID:5128
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tqzxjzrathentjmz.exe*."3⤵PID:1916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe1⤵PID:3016
-
C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe2⤵PID:3068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .1⤵PID:5876
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1676
-
-
C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exeC:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1272 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tqzxjzrathentjmz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe1⤵PID:4840
-
C:\Windows\wympgbymkdftezhzyzkma.exewympgbymkdftezhzyzkma.exe2⤵PID:4804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe .1⤵PID:5512
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5408
-
-
C:\Windows\ayihuleoixvfmdhvq.exeayihuleoixvfmdhvq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3404 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ayihuleoixvfmdhvq.exe*."3⤵PID:5260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe1⤵PID:4076
-
C:\Windows\jitthztezpozhzetpn.exejitthztezpozhzetpn.exe2⤵PID:784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe .1⤵PID:4880
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1080
-
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe .2⤵PID:5608
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\uughwpkwsjjvexdtqpy.exe*."3⤵PID:564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe1⤵PID:5784
-
C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe2⤵PID:2464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .1⤵PID:2788
-
C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:656 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jitthztezpozhzetpn.exe*."3⤵PID:1552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe1⤵PID:404
-
C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe2⤵PID:5712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .1⤵PID:3200
-
C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2444 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ayihuleoixvfmdhvq.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe1⤵PID:5684
-
C:\Windows\jitthztezpozhzetpn.exejitthztezpozhzetpn.exe2⤵PID:4072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe .1⤵PID:4156
-
C:\Windows\wympgbymkdftezhzyzkma.exewympgbymkdftezhzyzkma.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1904 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wympgbymkdftezhzyzkma.exe*."3⤵PID:4388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe1⤵PID:1848
-
C:\Windows\tqzxjzrathentjmz.exetqzxjzrathentjmz.exe2⤵PID:3860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe .1⤵PID:4572
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe .2⤵PID:4940
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\uughwpkwsjjvexdtqpy.exe*."3⤵PID:640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe1⤵PID:4708
-
C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe2⤵PID:5320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .1⤵PID:5480
-
C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exeC:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .2⤵PID:2776
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wympgbymkdftezhzyzkma.exe*."3⤵PID:6036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe1⤵PID:5356
-
C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exeC:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe2⤵PID:6116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .1⤵PID:4532
-
C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5576 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ayihuleoixvfmdhvq.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe1⤵PID:1160
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe2⤵PID:5280
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe .1⤵PID:3856
-
C:\Windows\tqzxjzrathentjmz.exetqzxjzrathentjmz.exe .2⤵PID:3768
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tqzxjzrathentjmz.exe*."3⤵PID:2524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe1⤵PID:4272
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe2⤵PID:4452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .1⤵PID:1740
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe .2⤵PID:5096
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."3⤵PID:5620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe1⤵PID:4224
-
C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe2⤵PID:4524
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .1⤵PID:5384
-
C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exeC:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3672 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wympgbymkdftezhzyzkma.exe*."3⤵PID:908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe1⤵PID:2356
-
C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exeC:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe2⤵PID:4220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .1⤵PID:5940
-
C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5016 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\uughwpkwsjjvexdtqpy.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
PID:4172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe1⤵PID:5124
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe2⤵PID:3836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe .1⤵PID:5224
-
C:\Windows\ayihuleoixvfmdhvq.exeayihuleoixvfmdhvq.exe .2⤵PID:1140
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ayihuleoixvfmdhvq.exe*."3⤵PID:2352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe1⤵PID:1528
-
C:\Windows\ayihuleoixvfmdhvq.exeayihuleoixvfmdhvq.exe2⤵PID:3728
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe .1⤵PID:5368
-
C:\Windows\jitthztezpozhzetpn.exejitthztezpozhzetpn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2588 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jitthztezpozhzetpn.exe*."3⤵PID:4992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe1⤵PID:3312
-
C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exeC:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe2⤵PID:2484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe1⤵PID:4804
-
C:\Windows\jitthztezpozhzetpn.exejitthztezpozhzetpn.exe2⤵PID:5064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .1⤵PID:352
-
C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .2⤵PID:5704
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jitthztezpozhzetpn.exe*."3⤵PID:1960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe1⤵PID:5072
-
C:\Windows\ayihuleoixvfmdhvq.exeayihuleoixvfmdhvq.exe2⤵PID:4588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe .1⤵PID:1968
-
C:\Windows\ayihuleoixvfmdhvq.exeayihuleoixvfmdhvq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2600 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ayihuleoixvfmdhvq.exe*."3⤵PID:2308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe .1⤵PID:5340
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe .2⤵PID:4880
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\uughwpkwsjjvexdtqpy.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe1⤵PID:1980
-
C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe2⤵PID:3176
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe1⤵PID:5292
-
C:\Windows\wympgbymkdftezhzyzkma.exewympgbymkdftezhzyzkma.exe2⤵PID:3760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe1⤵PID:3332
-
C:\Windows\wympgbymkdftezhzyzkma.exewympgbymkdftezhzyzkma.exe2⤵PID:2752
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .1⤵PID:5360
-
C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exeC:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1052 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hivxnhdqnfgtdxevttde.exe*."3⤵PID:1176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe .1⤵PID:5228
-
C:\Windows\tqzxjzrathentjmz.exetqzxjzrathentjmz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tqzxjzrathentjmz.exe*."3⤵PID:464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe .1⤵PID:2276
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe .2⤵PID:2760
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\uughwpkwsjjvexdtqpy.exe*."3⤵PID:768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe1⤵PID:5496
-
C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exeC:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe2⤵PID:5320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe1⤵PID:2892
-
C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe2⤵PID:5960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .1⤵PID:3904
-
C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exeC:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1364 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wympgbymkdftezhzyzkma.exe*."3⤵PID:3028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .1⤵PID:1440
-
C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exeC:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .2⤵PID:5148
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hivxnhdqnfgtdxevttde.exe*."3⤵PID:3892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe1⤵PID:3700
-
C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exeC:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe2⤵PID:5568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe1⤵PID:2384
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5692
-
-
C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exeC:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe2⤵PID:392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .1⤵PID:2776
-
C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .2⤵PID:764
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jitthztezpozhzetpn.exe*."3⤵PID:2524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .1⤵PID:2136
-
C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exeC:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .2⤵PID:4260
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tqzxjzrathentjmz.exe*."3⤵PID:5508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe1⤵PID:5748
-
C:\Windows\ayihuleoixvfmdhvq.exeayihuleoixvfmdhvq.exe2⤵PID:4788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe .1⤵PID:5804
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\uughwpkwsjjvexdtqpy.exe*."3⤵PID:3968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe1⤵PID:4648
-
C:\Windows\wympgbymkdftezhzyzkma.exewympgbymkdftezhzyzkma.exe2⤵PID:4984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .1⤵PID:4932
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4472 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."3⤵PID:4296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe1⤵PID:1416
-
C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe2⤵PID:3396
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .1⤵PID:3300
-
C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .2⤵PID:3304
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\uughwpkwsjjvexdtqpy.exe*."3⤵PID:5208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe1⤵PID:2200
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2996
-
-
C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exeC:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe2⤵PID:4944
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .1⤵PID:2164
-
C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exeC:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5556 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tqzxjzrathentjmz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe1⤵PID:4832
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5832
-
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe2⤵PID:1140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe .1⤵PID:4040
-
C:\Windows\ayihuleoixvfmdhvq.exeayihuleoixvfmdhvq.exe .2⤵PID:1568
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ayihuleoixvfmdhvq.exe*."3⤵PID:3528
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe1⤵PID:1520
-
C:\Windows\jitthztezpozhzetpn.exejitthztezpozhzetpn.exe2⤵PID:5260
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe .1⤵PID:3360
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2588
-
-
C:\Windows\tqzxjzrathentjmz.exetqzxjzrathentjmz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5916 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tqzxjzrathentjmz.exe*."3⤵PID:4804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe1⤵PID:2080
-
C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exeC:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe2⤵PID:3404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .1⤵PID:4840
-
C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exeC:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .2⤵
- System Location Discovery: System Language Discovery
PID:784 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wympgbymkdftezhzyzkma.exe*."3⤵PID:2824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe1⤵PID:5704
-
C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe2⤵PID:4336
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .1⤵PID:3184
-
C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .2⤵PID:2812
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\uughwpkwsjjvexdtqpy.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:6084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe1⤵PID:5448
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe2⤵PID:2684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .1⤵PID:2464
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."3⤵PID:5584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe1⤵PID:852
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe2⤵PID:4616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe .1⤵PID:1500
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5960
-
-
C:\Windows\jitthztezpozhzetpn.exejitthztezpozhzetpn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3748 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jitthztezpozhzetpn.exe*."3⤵PID:5328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe1⤵PID:5868
-
C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe2⤵PID:1396
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .1⤵PID:4880
-
C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exeC:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4468 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tqzxjzrathentjmz.exe*."3⤵PID:1600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe1⤵PID:3664
-
C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exeC:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe2⤵PID:4628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .1⤵PID:5340
-
C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jitthztezpozhzetpn.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe1⤵PID:5280
-
C:\Windows\tqzxjzrathentjmz.exetqzxjzrathentjmz.exe2⤵PID:4156
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe .1⤵PID:1440
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe .2⤵PID:3904
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\uughwpkwsjjvexdtqpy.exe*."3⤵PID:4712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe1⤵PID:2384
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6036
-
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe2⤵PID:5988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe .1⤵PID:588
-
C:\Windows\tqzxjzrathentjmz.exetqzxjzrathentjmz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4148 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tqzxjzrathentjmz.exe*."3⤵PID:4052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe1⤵PID:2340
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3768
-
-
C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe2⤵PID:5488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .1⤵PID:3380
-
C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exeC:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5212 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hivxnhdqnfgtdxevttde.exe*."3⤵PID:2360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe1⤵PID:5588
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3968
-
-
C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe2⤵PID:2368
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .1⤵PID:956
-
C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exeC:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1164 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hivxnhdqnfgtdxevttde.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
PID:1468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe1⤵PID:5452
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1776
-
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe2⤵PID:1204
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe .1⤵PID:5156
-
C:\Windows\wympgbymkdftezhzyzkma.exewympgbymkdftezhzyzkma.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4216 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wympgbymkdftezhzyzkma.exe*."3⤵PID:5020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe1⤵PID:2676
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe2⤵PID:5016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .1⤵PID:5308
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe .2⤵PID:2864
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."3⤵PID:2672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe1⤵PID:6104
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5556
-
-
C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe2⤵PID:3876
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .1⤵PID:2476
-
C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exeC:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tqzxjzrathentjmz.exe*."3⤵PID:3272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe1⤵PID:4232
-
C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exeC:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe2⤵PID:2452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .1⤵PID:5136
-
C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exeC:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4672 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wympgbymkdftezhzyzkma.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe1⤵PID:4848
-
C:\Windows\jitthztezpozhzetpn.exejitthztezpozhzetpn.exe2⤵PID:4804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .1⤵PID:2008
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1800 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."3⤵PID:1952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe1⤵PID:4448
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe2⤵PID:352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe .1⤵PID:5704
-
C:\Windows\jitthztezpozhzetpn.exejitthztezpozhzetpn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jitthztezpozhzetpn.exe*."3⤵PID:4068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe1⤵PID:412
-
C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe2⤵PID:2600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .1⤵PID:5640
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4072
-
-
C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .2⤵PID:1516
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ayihuleoixvfmdhvq.exe*."3⤵PID:5448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe1⤵PID:3760
-
C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe2⤵PID:3140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .1⤵PID:1968
-
C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exeC:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .2⤵PID:5984
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hivxnhdqnfgtdxevttde.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe1⤵PID:1548
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe2⤵PID:5868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe .1⤵PID:2408
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5996 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\uughwpkwsjjvexdtqpy.exe*."3⤵PID:808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe1⤵PID:6100
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe2⤵PID:4628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .1⤵PID:3568
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe .2⤵PID:3520
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."3⤵PID:3412
-
-
-
- PID 5104 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe
  - PID 564 | C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe | C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe
- PID 1388 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .
  - PID 736 | C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe | C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .
    - PID 4712 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tqzxjzrathentjmz.exe*."
- PID 932 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe
  - PID 4480 | C:\Windows\ayihuleoixvfmdhvq.exe | ayihuleoixvfmdhvq.exe
- PID 4352 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe
  - PID 3960 | C:\Windows\uughwpkwsjjvexdtqpy.exe | uughwpkwsjjvexdtqpy.exe
- PID 2560 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe
  - PID 4052 | C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe | C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe
- PID 2384 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe .
  - PID 2144 | C:\Windows\uughwpkwsjjvexdtqpy.exe | uughwpkwsjjvexdtqpy.exe .
    - signature: System Location Discovery: System Language Discovery
    - PID 2940 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\uughwpkwsjjvexdtqpy.exe*."
      - signature: Modifies WinLogon for persistence
      - signature: UAC bypass
      - signature: Adds policy Run key to start application
      - signature: Disables RegEdit via registry modification
      - signature: Adds Run key to start application
      - signature: Checks whether UAC is enabled
      - signature: Drops file in System32 directory
      - signature: Drops file in Windows directory
      - signature: System policy modification
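The registry-related signature names attached to vzaljrgxfjk.exe (WinLogon, Run key, policy Run key, RegEdit, UAC) do not say which keys they fire on. The Python below is an added example, not part of the sandbox report or of the sample's code: it maps each signature name to the registry location that name conventionally refers to and evaluates those rules over a list of registry events. The mapping in `RULES` is an assumption about what the sandbox's own rules check (those rules are not on the page), the event tuples and their value names are constructed sample input, and `normalise_key` and `evaluate` are names introduced here.

```python
"""Evaluate registry events against rules named after the report's signatures.

Added example. RULES is an assumed reading of the signature names; the
sandbox's real rule definitions are not on the page. SAMPLE_EVENTS is
constructed input in the shape (operation, key path, value name, data, process).
"""
import re

POLICY_SYSTEM = r"\\microsoft\\windows\\currentversion\\policies\\system$"

# (signature name, key pattern on the normalised path, value names or None for any,
#  operation, optional predicate on the written data)
RULES = [
    ("Modifies WinLogon for persistence",
     r"\\microsoft\\windows nt\\currentversion\\winlogon$", {"shell", "userinit"}, "set", None),
    ("Adds Run key to start application",
     r"\\microsoft\\windows\\currentversion\\run(once)?$", None, "set", None),
    ("Adds policy Run key to start application",
     r"\\microsoft\\windows\\currentversion\\policies\\explorer\\run$", None, "set", None),
    ("Disables RegEdit via registry modification",
     POLICY_SYSTEM, {"disableregistrytools"}, "set", lambda d: d not in (0, "0", None)),
    ("UAC bypass",
     POLICY_SYSTEM, {"enablelua", "consentpromptbehavioradmin"}, "set", lambda d: d in (0, "0")),
    ("Checks whether UAC is enabled",
     POLICY_SYSTEM, {"enablelua"}, "query", None),
    ("System policy modification",
     r"\\currentversion\\policies\\", None, "set", None),
]

# Constructed events: a Winlogon Shell write through the 32-bit redirected path,
# per-user and policy Run entries, a RegEdit lock-out, a UAC read then a UAC write,
# and one unrelated Explorer setting that should match nothing.
SAMPLE_EVENTS = [
    ("set", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Shell", r"explorer.exe,c:\windows\hivxnhdqnfgtdxevttde.exe", "vzaljrgxfjk.exe"),
    ("set", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "hivxnhdqnfgtdxevttde", r"c:\windows\hivxnhdqnfgtdxevttde.exe", "vzaljrgxfjk.exe"),
    ("set", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "hivxnhdqnfgtdxevttde", r"c:\windows\hivxnhdqnfgtdxevttde.exe", "vzaljrgxfjk.exe"),
    ("set", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools", 1, "vzaljrgxfjk.exe"),
    ("query", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "EnableLUA", None, "vzaljrgxfjk.exe"),
    ("set", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "EnableLUA", 0, "vzaljrgxfjk.exe"),
    ("set", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "Hidden", 2, "vzaljrgxfjk.exe"),
]

HIVE_PREFIXES = (
    ("\\registry\\machine\\", "hklm\\"), ("hkey_local_machine\\", "hklm\\"),
    ("\\registry\\user\\", "hku\\"), ("hkey_users\\", "hku\\"),
    ("hkey_current_user\\", "hkcu\\"),
)


def normalise_key(path):
    """Lower-case the path, shorten the hive prefix and drop the WOW6432Node
    redirection node so 32-bit and 64-bit writes to the same key compare equal."""
    p = path.lower()
    for prefix, short in HIVE_PREFIXES:
        if p.startswith(prefix):
            p = short + p[len(prefix):]
            break
    return p.replace("\\wow6432node\\", "\\")


def evaluate(events, rules=RULES):
    """Return {signature name: [indexes of the events that triggered it]}."""
    hits = {}
    for idx, (op, key, name, data, _proc) in enumerate(events):
        nkey = normalise_key(key)
        for sig, key_re, names, want_op, data_ok in rules:
            if op != want_op or not re.search(key_re, nkey):
                continue
            if names is not None and (name or "").lower() not in names:
                continue
            if data_ok is not None and not data_ok(data):
                continue
            hits.setdefault(sig, []).append(idx)
    return hits


if __name__ == "__main__":
    for sig, idxs in evaluate(SAMPLE_EVENTS).items():
        print(f"{sig}: events {idxs}")
```

The Winlogon and Run rules fire on any write, not only on a suspicious value, because a sandbox signature is about the act of touching the key; on a live host the analyst would then read the current Shell, Userinit and Run values to see what was planted.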
- PID 5140 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe .
  - PID 5744 | C:\Windows\wympgbymkdftezhzyzkma.exe | wympgbymkdftezhzyzkma.exe .
    - PID 2532 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wympgbymkdftezhzyzkma.exe*."
- PID 1076 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .
  - PID 5356 | C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe | C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .
    - signature: System Location Discovery: System Language Discovery
    - PID 5384 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tqzxjzrathentjmz.exe*."
- PID 2060 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe
  - PID 3852 | C:\Windows\wympgbymkdftezhzyzkma.exe | wympgbymkdftezhzyzkma.exe
- PID 3256 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe
  - PID 1708 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - PID 2592 | C:\Windows\jitthztezpozhzetpn.exe | jitthztezpozhzetpn.exe
- PID 1956 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe .
  - PID 4944 | C:\Windows\tqzxjzrathentjmz.exe | tqzxjzrathentjmz.exe .
    - PID 2268 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tqzxjzrathentjmz.exe*."
- PID 3856 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .
  - PID 2428 | C:\Windows\hivxnhdqnfgtdxevttde.exe | hivxnhdqnfgtdxevttde.exe .
    - PID 2256 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."
- PID 5484 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe
  - PID 3736 | C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe | C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe
- PID 4328 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe
  - PID 5200 | C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe | C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe
- PID 6064 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .
  - PID 716 | C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe | C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .
    - PID 5512 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wympgbymkdftezhzyzkma.exe*."
- PID 4296 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .
  - PID 4928 | C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe | C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .
    - signature: System Location Discovery: System Language Discovery
    - PID 2244 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hivxnhdqnfgtdxevttde.exe*."
- PID 5048 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe
  - PID 1676 | C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe | C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe
- PID 1912 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe
  - PID 2744 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - PID 3556 | C:\Windows\wympgbymkdftezhzyzkma.exe | wympgbymkdftezhzyzkma.exe
- PID 1828 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe
  - PID 2252 | C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe | C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe
- PID 1140 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .
  - PID 5892 | C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe | C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .
    - signature: System Location Discovery: System Language Discovery
    - PID 4444 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ayihuleoixvfmdhvq.exe*."
- PID 5128 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .
  - PID 2668 | C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe | C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .
    - signature: System Location Discovery: System Language Discovery
    - PID 4724 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wympgbymkdftezhzyzkma.exe*."
- PID 4040 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe .
  - PID 3756 | C:\Windows\uughwpkwsjjvexdtqpy.exe | uughwpkwsjjvexdtqpy.exe .
    - PID 2824 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\uughwpkwsjjvexdtqpy.exe*."
- PID 3744 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe
  - PID 2636 | C:\Windows\hivxnhdqnfgtdxevttde.exe | hivxnhdqnfgtdxevttde.exe
- PID 3180 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe .
  - PID 1552 | C:\Windows\jitthztezpozhzetpn.exe | jitthztezpozhzetpn.exe .
    - signature: System Location Discovery: System Language Discovery
    - PID 3576 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jitthztezpozhzetpn.exe*."
- PID 1864 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe
  - PID 5712 | C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe | C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe
- PID 4008 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .
  - PID 1476 | C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe | C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .
    - PID 2896 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jitthztezpozhzetpn.exe*."
- PID 4956 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe
  - PID 5320 | C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe | C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe
- PID 2772 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .
  - PID 4028 | C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe | C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .
    - PID 640 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\uughwpkwsjjvexdtqpy.exe*."
      - signature: Modifies WinLogon for persistence
      - signature: UAC bypass
      - signature: Adds policy Run key to start application
      - signature: Disables RegEdit via registry modification
      - signature: Adds Run key to start application
      - signature: Checks whether UAC is enabled
      - signature: Drops file in System32 directory
      - signature: Drops file in Windows directory
      - signature: System policy modification
- PID 3056 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe
  - PID 4456 | C:\Windows\ayihuleoixvfmdhvq.exe | ayihuleoixvfmdhvq.exe
- PID 3204 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe .
  - PID 2488 | C:\Windows\wympgbymkdftezhzyzkma.exe | wympgbymkdftezhzyzkma.exe .
    - signature: System Location Discovery: System Language Discovery
    - PID 3156 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wympgbymkdftezhzyzkma.exe*."
- PID 2396 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe
  - PID 4628 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - PID 2096 | C:\Windows\tqzxjzrathentjmz.exe | tqzxjzrathentjmz.exe
- PID 6116 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe .
  - PID 6096 | C:\Windows\uughwpkwsjjvexdtqpy.exe | uughwpkwsjjvexdtqpy.exe .
    - PID 392 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\uughwpkwsjjvexdtqpy.exe*."
- PID 4620 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe
  - PID 3520 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - PID 2028 | C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe | C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe
- PID 5944 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .
  - PID 2036 | C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe | C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .
    - PID 5280 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ayihuleoixvfmdhvq.exe*."
- PID 1208 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe
  - PID 2988 | C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe | C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe
- PID 5028 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .
  - PID 932 | C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe | C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .
    - PID 1160 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hivxnhdqnfgtdxevttde.exe*."
      - signature: Modifies WinLogon for persistence
      - signature: UAC bypass
      - signature: Adds policy Run key to start application
      - signature: Disables RegEdit via registry modification
      - signature: Adds Run key to start application
      - signature: Checks whether UAC is enabled
      - signature: Drops file in System32 directory
      - signature: System policy modification
- PID 2464 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe
  - PID 5212 | C:\Windows\jitthztezpozhzetpn.exe | jitthztezpozhzetpn.exe
- PID 464 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .
  - PID 3600 | C:\Windows\hivxnhdqnfgtdxevttde.exe | hivxnhdqnfgtdxevttde.exe .
    - signature: System Location Discovery: System Language Discovery
    - PID 1440 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."
- PID 5488 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe
  - PID 3916 | C:\Windows\wympgbymkdftezhzyzkma.exe | wympgbymkdftezhzyzkma.exe
- PID 2536 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe .
  - PID 4640 | C:\Windows\wympgbymkdftezhzyzkma.exe | wympgbymkdftezhzyzkma.exe .
    - PID 2024 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wympgbymkdftezhzyzkma.exe*."
- PID 5016 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe
  - PID 484 | C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe | C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe
- PID 6108 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .
  - PID 4236 | C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe | C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .
    - PID 4632 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tqzxjzrathentjmz.exe*."
- PID 5268 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe
  - PID 804 | C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe | C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe
- PID 456 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .
  - PID 5080 | C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe | C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .
    - signature: System Location Discovery: System Language Discovery
    - PID 5156 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hivxnhdqnfgtdxevttde.exe*."
- PID 5240 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe
  - PID 2080 | C:\Windows\wympgbymkdftezhzyzkma.exe | wympgbymkdftezhzyzkma.exe
- PID 2244 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .
  - PID 968 | C:\Windows\hivxnhdqnfgtdxevttde.exe | hivxnhdqnfgtdxevttde.exe .
    - PID 1932 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."
- PID 716 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe
  - PID 5208 | C:\Windows\tqzxjzrathentjmz.exe | tqzxjzrathentjmz.exe
- PID 4704 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe .
  - PID 5216 | C:\Windows\jitthztezpozhzetpn.exe | jitthztezpozhzetpn.exe .
    - PID 3472 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jitthztezpozhzetpn.exe*."
- PID 908 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe
  - PID 3496 | C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe | C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe
- PID 2372 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .
  - PID 3120 | C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe | C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .
    - PID 1772 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jitthztezpozhzetpn.exe*."
- PID 4872 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe
  - PID 4812 | C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe | C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe
- PID 2824 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .
  - PID 2228 | C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe | C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .
    - PID 4852 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hivxnhdqnfgtdxevttde.exe*."
- PID 5184 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe
  - PID 3008 | C:\Windows\wympgbymkdftezhzyzkma.exe | wympgbymkdftezhzyzkma.exe
- PID 2812 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .
  - PID 3408 | C:\Windows\hivxnhdqnfgtdxevttde.exe | hivxnhdqnfgtdxevttde.exe .
    - PID 5336 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."
- PID 936 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe
  - PID 3176 | C:\Windows\jitthztezpozhzetpn.exe | jitthztezpozhzetpn.exe
- PID 3140 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .
  - PID 2852 | C:\Windows\hivxnhdqnfgtdxevttde.exe | hivxnhdqnfgtdxevttde.exe .
    - PID 2976 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."
- PID 1980 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe
  - PID 2940 | C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe | C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe
- PID 4548 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .
  - PID 1520 | C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe | C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .
    - PID 3172 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\uughwpkwsjjvexdtqpy.exe*."
- PID 1848 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe
  - PID 4284 | C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe | C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe
- PID 3448 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .
  - PID 5496 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - PID 4080 | C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe | C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .
    - PID 1056 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tqzxjzrathentjmz.exe*."
- PID 4620 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe
  - PID 1224 | C:\Windows\uughwpkwsjjvexdtqpy.exe | uughwpkwsjjvexdtqpy.exe
- PID 4532 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe .
  - PID 5720 | C:\Windows\tqzxjzrathentjmz.exe | tqzxjzrathentjmz.exe .
    - PID 2036 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tqzxjzrathentjmz.exe*."
- PID 6052 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe
  - PID 5372 | C:\Windows\ayihuleoixvfmdhvq.exe | ayihuleoixvfmdhvq.exe
- PID 3940 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe .
  - PID 588 | C:\Windows\uughwpkwsjjvexdtqpy.exe | uughwpkwsjjvexdtqpy.exe .
    - PID 6092 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\uughwpkwsjjvexdtqpy.exe*."
- PID 1396 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe
  - PID 640 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - PID 6056 | C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe | C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe
- PID 5440 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .
  - PID 1228 | C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe | C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .
    - PID 2340 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wympgbymkdftezhzyzkma.exe*."
- PID 4600 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe
  - PID 3480 | C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe | C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe
- PID 928 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .
  - PID 4484 | C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe | C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .
    - PID 3644 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tqzxjzrathentjmz.exe*."
- PID 5488 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe
  - PID 4648 | C:\Windows\wympgbymkdftezhzyzkma.exe | wympgbymkdftezhzyzkma.exe
- PID 5580 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe .
  - PID 5172 | C:\Windows\jitthztezpozhzetpn.exe | jitthztezpozhzetpn.exe .
    - PID 1032 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jitthztezpozhzetpn.exe*."
- PID 5392 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe
  - PID 2748 | C:\Windows\wympgbymkdftezhzyzkma.exe | wympgbymkdftezhzyzkma.exe
- PID 5004 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .
  - PID 5084 | C:\Windows\hivxnhdqnfgtdxevttde.exe | hivxnhdqnfgtdxevttde.exe .
    - PID 456 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."
- PID 2484 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe
  - PID 2936 | C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe | C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe
- PID 2256 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .
  - PID 4656 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - PID 3528 | C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe | C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .
    - PID 1204 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wympgbymkdftezhzyzkma.exe*."
- PID 5240 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe
  - PID 3164 | C:\Windows\uughwpkwsjjvexdtqpy.exe | uughwpkwsjjvexdtqpy.exe
- PID 1360 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe
  - PID 1164 | C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe | C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe
- PID 4492 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe
  - PID 2928 | C:\Windows\jitthztezpozhzetpn.exe | jitthztezpozhzetpn.exe
- PID 2356 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .
  - PID 716 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - PID 2316 | C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe | C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .
    - PID 1800 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\uughwpkwsjjvexdtqpy.exe*."
- PID 4476 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe .
  - PID 4740 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - PID 1712 | C:\Windows\tqzxjzrathentjmz.exe | tqzxjzrathentjmz.exe .
    - PID 5168 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tqzxjzrathentjmz.exe*."
- PID 8 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe .
  - PID 4336 | C:\Windows\wympgbymkdftezhzyzkma.exe | wympgbymkdftezhzyzkma.exe .
    - PID 5184 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wympgbymkdftezhzyzkma.exe*."
- PID 3324 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe
  - PID 1476 | C:\Windows\jitthztezpozhzetpn.exe | jitthztezpozhzetpn.exe
- PID 4704 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe
  - PID 1516 | C:\Windows\jitthztezpozhzetpn.exe | jitthztezpozhzetpn.exe
- PID 4872 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe .
  - PID 532 | C:\Windows\wympgbymkdftezhzyzkma.exe | wympgbymkdftezhzyzkma.exe .
    - PID 2308 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wympgbymkdftezhzyzkma.exe*."
- PID 1916 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe .
  - PID 5260 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - PID 2848 | C:\Windows\ayihuleoixvfmdhvq.exe | ayihuleoixvfmdhvq.exe .
    - PID 1176 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ayihuleoixvfmdhvq.exe*."
- PID 2972 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe
  - PID 1960 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - PID 2964 | C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe | C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe
- PID 5136 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe
  - PID 4524 | C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe | C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe
- PID 656 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .
  - PID 4028 | C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe | C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .
    - PID 4196 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\uughwpkwsjjvexdtqpy.exe*."
- PID 5336 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .
  - PID 3904 | C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe | C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .
    - PID 4048 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jitthztezpozhzetpn.exe*."
- PID 1340 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe
  - PID 6060 | C:\Windows\hivxnhdqnfgtdxevttde.exe | hivxnhdqnfgtdxevttde.exe
- PID 1520 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe .
  - PID 2408 | C:\Windows\ayihuleoixvfmdhvq.exe | ayihuleoixvfmdhvq.exe .
    - PID 3568 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ayihuleoixvfmdhvq.exe*."
- PID 1660 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe
  - PID 1244 | C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe | C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe
- PID 2752 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe
  - PID 2304 | C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe | C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe
- PID 1616 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .
  - PID 1064 | C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe | C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .
    - PID 956 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hivxnhdqnfgtdxevttde.exe*."
- PID 5764 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .
  - PID 3664 | C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe | C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .
    - PID 3684 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tqzxjzrathentjmz.exe*."
- PID 808 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe
  - PID 1052 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - PID 848 | C:\Windows\hivxnhdqnfgtdxevttde.exe | hivxnhdqnfgtdxevttde.exe
- PID 1224 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe .
  - PID 4708 | C:\Windows\jitthztezpozhzetpn.exe | jitthztezpozhzetpn.exe .
    - PID 4376 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jitthztezpozhzetpn.exe*."
- PID 5280 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe
  - PID 588 | C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe | C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe
- PID 5944 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .
  - PID 5028 | C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe | C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe .
    - PID 5660 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tqzxjzrathentjmz.exe*."
- PID 2340 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe
  - PID 2336 | C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe | C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe
- PID 3600 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .
  - PID 5744 | C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe | C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .
    - PID 4700 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\uughwpkwsjjvexdtqpy.exe*."
- PID 2996 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe
  - PID 2520 | C:\Windows\tqzxjzrathentjmz.exe | tqzxjzrathentjmz.exe
- PID 4464 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe .
  - PID 5200 | C:\Windows\ayihuleoixvfmdhvq.exe | ayihuleoixvfmdhvq.exe .
    - PID 5172 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ayihuleoixvfmdhvq.exe*."
- PID 2748 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe
  - PID 5600 | C:\Windows\tqzxjzrathentjmz.exe | tqzxjzrathentjmz.exe
- PID 5620 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe .
  - PID 3348 | C:\Windows\tqzxjzrathentjmz.exe | tqzxjzrathentjmz.exe .
    - PID 5176 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tqzxjzrathentjmz.exe*."
- PID 3060 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe
  - PID 1272 | C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe | C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe
- PID 2676 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .
  - PID 5064 | C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe | C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .
    - PID 4416 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wympgbymkdftezhzyzkma.exe*."
- PID 2460 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe
  - PID 3272 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - PID 3452 | C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe | C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe
- PID 3200 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .
  - PID 1164 | C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe | C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .
    - PID 1540 | C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hivxnhdqnfgtdxevttde.exe*."
- PID 2248 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe
-
C:\Windows\tqzxjzrathentjmz.exetqzxjzrathentjmz.exe2⤵PID:4228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .1⤵PID:3644
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe .2⤵PID:4296
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."3⤵PID:3836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe1⤵PID:1140
-
C:\Windows\tqzxjzrathentjmz.exetqzxjzrathentjmz.exe2⤵PID:1712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe .1⤵PID:784
-
C:\Windows\wympgbymkdftezhzyzkma.exewympgbymkdftezhzyzkma.exe .2⤵PID:132
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wympgbymkdftezhzyzkma.exe*."3⤵PID:3804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe1⤵PID:5584
-
C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe2⤵PID:5216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .1⤵PID:432
-
C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe .2⤵PID:2976
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jitthztezpozhzetpn.exe*."3⤵PID:2308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe1⤵PID:1380
-
C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe2⤵PID:3312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .1⤵PID:6060
-
C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exeC:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .2⤵PID:1976
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wympgbymkdftezhzyzkma.exe*."3⤵PID:1968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe1⤵PID:5704
-
C:\Windows\wympgbymkdftezhzyzkma.exewympgbymkdftezhzyzkma.exe2⤵PID:4064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .1⤵PID:6004
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5328
-
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe .2⤵PID:3880
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."3⤵PID:2752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe1⤵PID:5292
-
C:\Windows\tqzxjzrathentjmz.exetqzxjzrathentjmz.exe2⤵PID:2396
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe .1⤵PID:5608
-
C:\Windows\wympgbymkdftezhzyzkma.exewympgbymkdftezhzyzkma.exe .2⤵PID:336
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wympgbymkdftezhzyzkma.exe*."3⤵PID:1872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe1⤵PID:936
-
C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exeC:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe2⤵PID:3116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .1⤵PID:5976
-
C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .2⤵PID:4768
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ayihuleoixvfmdhvq.exe*."3⤵PID:4456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe1⤵PID:1660
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3860
-
-
C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe2⤵PID:3340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .1⤵PID:932
-
C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .2⤵PID:4864
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ayihuleoixvfmdhvq.exe*."3⤵PID:2916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe1⤵PID:3940
-
C:\Windows\wympgbymkdftezhzyzkma.exewympgbymkdftezhzyzkma.exe2⤵PID:4148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe .1⤵PID:32
-
C:\Windows\jitthztezpozhzetpn.exejitthztezpozhzetpn.exe .2⤵PID:2076
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jitthztezpozhzetpn.exe*."3⤵PID:4524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe1⤵PID:3176
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2824
-
-
C:\Windows\ayihuleoixvfmdhvq.exeayihuleoixvfmdhvq.exe2⤵PID:5136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe .1⤵PID:4560
-
C:\Windows\tqzxjzrathentjmz.exetqzxjzrathentjmz.exe .2⤵PID:4784
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tqzxjzrathentjmz.exe*."3⤵PID:2340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe1⤵PID:112
-
C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exeC:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe2⤵PID:4952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .1⤵PID:4848
-
C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .2⤵PID:5140
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\uughwpkwsjjvexdtqpy.exe*."3⤵PID:3672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe1⤵PID:5384
-
C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe2⤵PID:4412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .1⤵PID:3300
-
C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .2⤵PID:484
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ayihuleoixvfmdhvq.exe*."3⤵PID:1572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe1⤵PID:4820
-
C:\Windows\wympgbymkdftezhzyzkma.exewympgbymkdftezhzyzkma.exe2⤵PID:1868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe .1⤵PID:5628
-
C:\Windows\tqzxjzrathentjmz.exetqzxjzrathentjmz.exe .2⤵PID:3012
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tqzxjzrathentjmz.exe*."3⤵PID:5220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe1⤵PID:1740
-
C:\Windows\tqzxjzrathentjmz.exetqzxjzrathentjmz.exe2⤵PID:4944
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe .1⤵PID:3876
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1676
-
-
C:\Windows\ayihuleoixvfmdhvq.exeayihuleoixvfmdhvq.exe .2⤵PID:5416
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ayihuleoixvfmdhvq.exe*."3⤵PID:5876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe1⤵PID:6104
-
C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exeC:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe2⤵PID:2428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .1⤵PID:5920
-
C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exeC:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .2⤵PID:228
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hivxnhdqnfgtdxevttde.exe*."3⤵PID:3856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe1⤵PID:5132
-
C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe2⤵PID:4176
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .1⤵PID:4272
-
C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .2⤵PID:2316
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\uughwpkwsjjvexdtqpy.exe*."3⤵PID:480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe1⤵PID:2672
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe2⤵PID:1952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ayihuleoixvfmdhvq.exe .1⤵PID:5492
-
C:\Windows\ayihuleoixvfmdhvq.exeayihuleoixvfmdhvq.exe .2⤵PID:5828
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ayihuleoixvfmdhvq.exe*."3⤵PID:1984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe1⤵PID:1100
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe2⤵PID:5168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .1⤵PID:4624
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe .2⤵PID:5412
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."3⤵PID:4876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe1⤵PID:404
-
C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe2⤵PID:5972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .1⤵PID:4824
-
C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe .2⤵PID:1540
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\uughwpkwsjjvexdtqpy.exe*."3⤵PID:2684
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe1⤵PID:1976
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2848
-
-
C:\Windows\wympgbymkdftezhzyzkma.exewympgbymkdftezhzyzkma.exe2⤵PID:756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wympgbymkdftezhzyzkma.exe1⤵PID:4588
-
C:\Windows\wympgbymkdftezhzyzkma.exewympgbymkdftezhzyzkma.exe2⤵PID:2772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe1⤵PID:4200
-
C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exeC:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe2⤵PID:3188
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe .1⤵PID:4008
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe .2⤵PID:4544
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\uughwpkwsjjvexdtqpy.exe*."3⤵PID:6084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .1⤵PID:656
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5868
-
-
C:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exeC:\Users\Admin\AppData\Local\Temp\wympgbymkdftezhzyzkma.exe .2⤵PID:1144
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wympgbymkdftezhzyzkma.exe*."3⤵PID:1260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe .1⤵PID:4080
-
C:\Windows\tqzxjzrathentjmz.exetqzxjzrathentjmz.exe .2⤵PID:3412
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tqzxjzrathentjmz.exe*."3⤵PID:2548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe1⤵PID:848
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe2⤵PID:3940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uughwpkwsjjvexdtqpy.exe1⤵PID:5608
-
C:\Windows\uughwpkwsjjvexdtqpy.exeuughwpkwsjjvexdtqpy.exe2⤵PID:5988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hivxnhdqnfgtdxevttde.exe .1⤵PID:3704
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5568
-
-
C:\Windows\hivxnhdqnfgtdxevttde.exehivxnhdqnfgtdxevttde.exe .2⤵PID:1876
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hivxnhdqnfgtdxevttde.exe*."3⤵PID:1228
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe .1⤵PID:4620
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4452
-
-
C:\Windows\tqzxjzrathentjmz.exetqzxjzrathentjmz.exe .2⤵PID:5460
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tqzxjzrathentjmz.exe*."3⤵PID:2340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe1⤵PID:6092
-
C:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exeC:\Users\Admin\AppData\Local\Temp\tqzxjzrathentjmz.exe2⤵PID:5448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe1⤵PID:1968
-
C:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jitthztezpozhzetpn.exe2⤵PID:3168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .1⤵PID:5444
-
C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exeC:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .2⤵PID:2844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .1⤵PID:1532
-
C:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exeC:\Users\Admin\AppData\Local\Temp\hivxnhdqnfgtdxevttde.exe .2⤵PID:4776
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hivxnhdqnfgtdxevttde.exe*."3⤵PID:4640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tqzxjzrathentjmz.exe1⤵PID:3760
-
C:\Windows\tqzxjzrathentjmz.exetqzxjzrathentjmz.exe2⤵PID:5744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe1⤵PID:2232
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe1⤵PID:4392
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5576
-
-
C:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\uughwpkwsjjvexdtqpy.exe2⤵PID:2916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jitthztezpozhzetpn.exe .1⤵PID:2532
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .1⤵PID:5140
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ayihuleoixvfmdhvq.exe .1⤵PID:1524
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:464
-
MITRE ATT&CK Enterprise v16
Persistence
    Boot or Logon Autostart Execution (3)
        Registry Run Keys / Startup Folder (2)
        Winlogon Helper DLL (1)
    Hijack Execution Flow (1)
        Executable Installer File Permissions Weakness (1)
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Boot or Logon Autostart Execution (3)
        Registry Run Keys / Startup Folder (2)
        Winlogon Helper DLL (1)
    Hijack Execution Flow (1)
        Executable Installer File Permissions Weakness (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Hijack Execution Flow (1)
        Executable Installer File Permissions Weakness (1)
    Impair Defenses (2)
        Disable or Modify Tools (1)
        Safe Mode Boot (1)
    Modify Registry (5)
Downloads