Analysis

  max time kernel:  40s
  max time network: 150s
  platform:         windows11-21h2_x64
  resource:         win11-20250410-en
  resource tags:    arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
  submitted:        17/04/2025, 19:26

  Static task:      static1
  Behavioral task:  behavioral1
    Sample:         JaffaCakes118_bad3aa8bfd42552d828c35c8202f43f6.exe
    Resource:       win10v2004-20250410-en
  Behavioral task:  behavioral2
    Sample:         JaffaCakes118_bad3aa8bfd42552d828c35c8202f43f6.exe
    Resource:       win11-20250410-en
General

  Target:  JaffaCakes118_bad3aa8bfd42552d828c35c8202f43f6.exe
  Size:    596KB
  MD5:     bad3aa8bfd42552d828c35c8202f43f6
  SHA1:    8e4baedd28bfa1b0cad3643a3dee24449a0a1df9
  SHA256:  395f67fccccbea1c99cb243f2ff7994bfc211a19b3e3b583be219265b060d828
  SHA512:  ec58caa9b81e0f590f38b2592fab525b2f1efd3ab7fe89009dfc6bf8cf35c713d487f2ae9038175545261e3071901ec82699e302b07159de0543727c8a430421
  SSDEEP:  6144:1IXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUBoIgw4aRpgv6:1IXsgtvm1De5YlOx6lzBH46UBoFS
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 20 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"
    written 18 times by vzaljrgxfjk.exe and 2 times by dfiop.exe
  Note: "Explorer.exe" is the default Winlogon shell, so a snapshot of this value looks benign. The indicator is the repeated write to the key by a dropped executable, which only a registry write event source (for example Sysmon Event ID 13 scoped to this key) will surface.
Pykspa family
UAC bypass (3 TTPs, 32 IoCs)
  All Set value (int) under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
    EnableLUA = "0"                   vzaljrgxfjk.exe (18), dfiop.exe (2)
    ConsentPromptBehaviorAdmin = "0"  vzaljrgxfjk.exe (2), dfiop.exe (2)
    ConsentPromptBehaviorUser = "0"   vzaljrgxfjk.exe (2), dfiop.exe (2)
    PromptOnSecureDesktop = "0"       vzaljrgxfjk.exe (2), dfiop.exe (2)
  Net effect: EnableLUA = 0 switches UAC off at the next reboot; ConsentPromptBehaviorAdmin = 0 removes the administrator consent prompt immediately; ConsentPromptBehaviorUser = 0 makes elevation requests from standard users fail silently; PromptOnSecureDesktop = 0 moves any remaining prompt off the secure desktop. Writing under HKLM\...\Policies\System already requires administrator rights, so despite the signature name this is UAC tampering from an elevated process (the sandbox user is "Admin"), not the bypass of a prompt.
Detect Pykspa worm (2 IoCs)
  yara_rule family_pykspa matched:
    behavioral2/files/0x000600000002a6f3-4.dat
    behavioral2/files/0x001900000002b0fe-84.dat
Adds policy Run key to start application (2 TTPs, 64 IoCs)
  Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  Key created: 19 events (vzaljrgxfjk.exe 17, dfiop.exe 2)
  Set value (str): 45 events by vzaljrgxfjk.exe and dfiop.exe, cycling <name> through the six dropped copies
  (anbsewqazientjmz, dvokbyxmqeftezhzyzrjc, bricrmjwykjvexdtqpf, qfvocwsefqozhzetpn, ofxsiecqtggtdxevttkb, hvkcpidooyvfmdhvq):
    sdpeoewebicjnb = "<name>.exe"                                            (bare file name, 20 events)
    vdmyfshmgkb    = "C:\\Users\\Admin\\AppData\\Local\\Temp\\<name>.exe"    (full path, 21 events)
    mjn            = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crnphytuldftezhzyzqfb.exe" and "...\\zjaxkwmiuhentjmz.exe"  (vzaljrgxfjk.exe, 2 events)
    nnuhkm         = "grjhvizwjxvfmdhvq.exe" and "anhhxmfetjjvexdtqpe.exe"   (vzaljrgxfjk.exe, 2 events)
  Note: Policies\Explorer\Run is the Group Policy "Run these programs at user logon" location and is processed at logon alongside the ordinary Run keys. On a host where no such policy is deployed the key normally does not exist, so its presence is itself an indicator. The value names are re-randomised per copy, so pivot on the key, not on the names.
Disables RegEdit via registry modification (8 IoCs)
  Set value (int) DisableRegistryTools = "1"
    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System: dfiop.exe (2), vzaljrgxfjk.exe (2)
    \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System: dfiop.exe (2), vzaljrgxfjk.exe (2)
  The SID is the sandbox's interactive user ("Admin"). This policy locks regedit.exe only; reg.exe and the PowerShell registry provider still work, so it obstructs a manual look at the keys above rather than cleanup.
Executes dropped EXE (64 IoCs)
  Process (count)                 PIDs
  vzaljrgxfjk.exe (23)            4664 5068 5052 4020 4768 1936 5848 3956 1464 5828 1804 5160 5856 5316 5448 3272 3268 2244 5360 2604 3188 3988 3064
  hvkcpidooyvfmdhvq.exe (9)       2760 4484 5736 3260 4760 4464 2240 5624 1948
  ofxsiecqtggtdxevttkb.exe (8)    4824 3028 3972 864 3052 6024 4656 1068
  anbsewqazientjmz.exe (6)        2660 1228 5708 5312 2700 1112
  dvokbyxmqeftezhzyzrjc.exe (6)   2620 2604 3452 2784 5220 3192
  bricrmjwykjvexdtqpf.exe (5)     4740 3568 788 3580 3784
  qfvocwsefqozhzetpn.exe (5)      1484 2640 2296 3220 1212
  dfiop.exe (2)                   5304 2072
  PID 2604 is listed for both dvokbyxmqeftezhzyzrjc.exe and vzaljrgxfjk.exe, i.e. the PID was reused within the 40 s run; correlate by process start time or process GUID rather than by PID when pivoting on this report.
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
  Key deleted under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\, all by dfiop.exe:
    UserManager, SerCx2.sys, ProfSvc, Power, iai2c.sys, CBDHSvc
  Safe Mode starts only the services and drivers listed under SafeBoot\Minimal, so removing ProfSvc (User Profile Service) and UserManager degrades or breaks the Safe Mode logon an analyst would otherwise use to clean the host while its autostart entries are inactive.
Adds Run key to start application (2 TTPs, 64 IoCs)
  All Set value (str) by vzaljrgxfjk.exe and dfiop.exe. <name> cycles through the six dropped copies
  (anbsewqazientjmz, dvokbyxmqeftezhzyzrjc, bricrmjwykjvexdtqpf, qfvocwsefqozhzetpn, ofxsiecqtggtdxevttkb, hvkcpidooyvfmdhvq);
  every RunOnce entry carries a literal " ." argument after the executable.
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (16 events)
    sblygukqlqin        = "<name>.exe"
    qfvocwsefqozhzetpn  = "C:\\Users\\Admin\\AppData\\Local\\Temp\\<name>.exe"
    trwh                = "anhhxmfetjjvexdtqpe.exe"
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (14 events)
    hvkcpidooyvfmdhvq   = "C:\\Users\\Admin\\AppData\\Local\\Temp\\<name>.exe ."
    rbmajypwsyrxa       = "<name>.exe ."
  \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run (14 events)
    sblygukqlqin        = "C:\\Users\\Admin\\AppData\\Local\\Temp\\<name>.exe"
    vhukvmfomupxcrt     = "<name>.exe"
    trwh                = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crnphytuldftezhzyzqfb.exe"
  \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (20 events)
    rbmajypwsyrxa       = "C:\\Users\\Admin\\AppData\\Local\\Temp\\<name>.exe ."
    anbsewqazientjmz    = "<name>.exe ."
    cbhtv               = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbwxoeyyofgtdxevttjx.exe ."
Checks whether UAC is enabled 1 TTPs 40 IoCs
The signature name undersells what is logged: besides querying EnableLUA, both vzaljrgxfjk.exe and dfiop.exe write it to 0, which turns UAC off entirely at the next logon. The 40 events collapse to four distinct rows.
description ioc Process count
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe (18 events)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dfiop.exe (2 events)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe (18 events)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dfiop.exe (2 events)
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 4 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" dfiop.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" dfiop.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" vzaljrgxfjk.exe
-
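The registry rows in the Run/RunOnce persistence table, the two UAC tables above and the "System policy modification" table further down share one row format, so one parser serves all of them. The following Python is an added example, not part of this report or of the sandbox's tooling. It parses that format, flags Policies\System values written to 0 where 0 switches a UAC protection off, reads NoDriveTypeAutoRun as the drive-type bitmask it is, and separates Run/RunOnce values that point into a user-writable path from bare image names. A bare name in a Run value is resolved through the CreateProcess search path, which includes the system directory (SysWOW64 for a 32-bit caller) and the Windows directory; that is what the copies dropped under C:\Windows and C:\Windows\SysWOW64 satisfy, and the example correlates the two. The sample rows and the dropped-file set are constructed from rows on this page; the hardened baseline values are an assumption about what a defender expects, not values the report states.

```python
import re
from collections import defaultdict

# Constructed sample: registry rows copied from the tables on this page. The
# sandbox prints one event per row as '<description> <key>[ = "<value>"] <process>';
# backslashes inside the quoted value are doubled exactly as the report prints them.
REG_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbmajypwsyrxa = "bricrmjwykjvexdtqpf.exe ." vzaljrgxfjk.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\sblygukqlqin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\anbsewqazientjmz.exe" dfiop.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" vzaljrgxfjk.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" dfiop.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" vzaljrgxfjk.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" dfiop.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" dfiop.exe',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe',
]

# Constructed from the "Drops file in Windows directory" / "System32 directory" tables.
DROPPED = {
    r'C:\Windows\bricrmjwykjvexdtqpf.exe',
    r'C:\Windows\SysWOW64\bricrmjwykjvexdtqpf.exe',
    r'C:\Windows\anbsewqazientjmz.exe',
}

# Policies\System values for which 0 switches a UAC protection off. The hardened
# setting for each is non-zero (assumption about a defender's baseline, not a value
# the report states). ValidateAdminCodeSignatures is deliberately absent: 0 is the
# stock default, so writing 0 there changes nothing.
UAC_OFF_WHEN_ZERO = {
    'EnableLUA',                   # master switch; 0 = UAC fully off after the next logon
    'EnableInstallerDetection',    # 0 = installers no longer trigger an elevation prompt
    'ConsentPromptBehaviorAdmin',  # 0 = administrators elevate silently
    'PromptOnSecureDesktop',       # 0 = prompts drawn on the user desktop, spoofable
    'EnableSecureUIAPaths',        # 0 = UIAccess apps accepted from any path
    'EnableVirtualization',        # 0 = no file/registry virtualisation for legacy apps
}
# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is suppressed
# (0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD-ROM, 0x80 unknown type).
# The documented default is 0x91; writing 1 clears the 0x10 and 0x80 bits.
AUTORUN_DEFAULT = 0x91

ROW_RE = re.compile(r'^(Set value \((?:str|int)\)|Key value queried|Key created) (.+)$')


def parse_event(row):
    """Split one sandbox registry row into description, key, value name, value, process."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f'unrecognised row: {row!r}')
    desc, rest = m.groups()
    body, proc = rest.rsplit(' ', 1)        # the process image never contains a space
    if ' = "' in body:                       # key paths may ("Windows NT"), so split on the separator
        key, value = body.split(' = "', 1)
        value = value[:-1]                   # drop the closing quote
    else:
        key, value = body, None
    return {'desc': desc, 'key': key, 'name': key.rsplit('\\', 1)[1],
            'value': value, 'proc': proc}


def is_absolute(cmd):
    return re.match(r'^[A-Za-z]:\\', cmd) is not None


def resolve_bare(cmd, dropped):
    """A bare image name in a Run value goes through the CreateProcess search path,
    which includes the system and Windows directories, so return every dropped copy
    whose basename matches it."""
    image = cmd.split(' ', 1)[0].lower()
    return sorted(p for p in dropped if p.rsplit('\\', 1)[1].lower() == image)


def audit(rows, dropped):
    findings = defaultdict(list)
    for ev in map(parse_event, rows):
        if not ev['desc'].startswith('Set value'):
            continue                          # queries and key creations carry no value to judge
        key_l, name, value, proc = ev['key'].lower(), ev['name'], ev['value'], ev['proc']
        if '\\policies\\system\\' in key_l and name in UAC_OFF_WHEN_ZERO:
            if int(value) == 0:
                findings['uac_disabled'].append((name, proc))
        elif name == 'NoDriveTypeAutoRun':
            reenabled = AUTORUN_DEFAULT & ~int(value) & 0xFF   # bits cleared relative to the default
            if reenabled:
                findings['autorun_reenabled'].append((hex(reenabled), proc))
        elif '\\currentversion\\run' in key_l:                   # Run and RunOnce, HKLM or HKU
            if is_absolute(value):
                where = 'user-writable' if '\\appdata\\' in value.lower() else 'absolute'
            else:
                where = 'bare, satisfied by: ' + ', '.join(resolve_bare(value, dropped))
            findings['autostart'].append((name, value, where, proc))
        elif key_l.endswith('\\winlogon\\shell'):
            findings['winlogon_shell'].append((value, proc))   # value is the stock shell; the write is the indicator
        else:
            findings['other'].append((name, value, proc))
    return dict(findings)


if __name__ == '__main__':
    for category, items in audit(REG_EVENTS, DROPPED).items():
        print(category)
        for item in items:
            print('   ', *item)
```

Run against the full tables, the same code would show the Winlogon Shell write as a no-op by value (it rewrites the default shell) and the Run entries as a mix of Temp-resident absolute paths and bare names covered by the C:\Windows copies; the EnableLUA write is the one that matters most, since it survives until someone sets it back and reboots.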
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
3 whatismyipaddress.com
3 whatismyip.everdot.org
1 www.showmyipaddress.com
1 whatismyip.everdot.org
1 www.whatismyip.ca
-
Drops file in System32 directory 64 IoCs
description ioc Process count
File opened for modification C:\Windows\SysWOW64\ofxsiecqtggtdxevttkb.exe vzaljrgxfjk.exe (9 events)
File opened for modification C:\Windows\SysWOW64\ofxsiecqtggtdxevttkb.exe dfiop.exe (2 events)
File opened for modification C:\Windows\SysWOW64\dvokbyxmqeftezhzyzrjc.exe vzaljrgxfjk.exe (8 events)
File opened for modification C:\Windows\SysWOW64\dvokbyxmqeftezhzyzrjc.exe dfiop.exe (1 event)
File opened for modification C:\Windows\SysWOW64\hvkcpidooyvfmdhvq.exe vzaljrgxfjk.exe (6 events)
File opened for modification C:\Windows\SysWOW64\hvkcpidooyvfmdhvq.exe dfiop.exe (2 events)
File opened for modification C:\Windows\SysWOW64\anbsewqazientjmz.exe vzaljrgxfjk.exe (5 events)
File opened for modification C:\Windows\SysWOW64\anbsewqazientjmz.exe dfiop.exe (2 events)
File opened for modification C:\Windows\SysWOW64\qfvocwsefqozhzetpn.exe vzaljrgxfjk.exe (7 events)
File opened for modification C:\Windows\SysWOW64\qfvocwsefqozhzetpn.exe dfiop.exe (1 event)
File opened for modification C:\Windows\SysWOW64\unhewuukpegvhdmffhatnk.exe vzaljrgxfjk.exe (8 events)
File opened for modification C:\Windows\SysWOW64\unhewuukpegvhdmffhatnk.exe dfiop.exe (2 events)
File opened for modification C:\Windows\SysWOW64\bricrmjwykjvexdtqpf.exe vzaljrgxfjk.exe (9 events)
File created C:\Windows\SysWOW64\vhukvmfomupxcrtfytfreufwpywezhmbdpidp.oep dfiop.exe (1 event)
File opened for modification C:\Windows\SysWOW64\vhukvmfomupxcrtfytfreufwpywezhmbdpidp.oep dfiop.exe (1 event)
-
Drops file in Program Files directory 4 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\uvxcciqobyifzduvdnoprwwcki.scz dfiop.exe
File created C:\Program Files (x86)\uvxcciqobyifzduvdnoprwwcki.scz dfiop.exe
File opened for modification C:\Program Files (x86)\vhukvmfomupxcrtfytfreufwpywezhmbdpidp.oep dfiop.exe
File created C:\Program Files (x86)\vhukvmfomupxcrtfytfreufwpywezhmbdpidp.oep dfiop.exe
-
Drops file in Windows directory 64 IoCs
description ioc Process count
File opened for modification C:\Windows\anbsewqazientjmz.exe vzaljrgxfjk.exe (10 events)
File opened for modification C:\Windows\anbsewqazientjmz.exe dfiop.exe (2 events)
File opened for modification C:\Windows\unhewuukpegvhdmffhatnk.exe vzaljrgxfjk.exe (8 events)
File opened for modification C:\Windows\unhewuukpegvhdmffhatnk.exe dfiop.exe (2 events)
File opened for modification C:\Windows\dvokbyxmqeftezhzyzrjc.exe vzaljrgxfjk.exe (7 events)
File opened for modification C:\Windows\dvokbyxmqeftezhzyzrjc.exe dfiop.exe (1 event)
File opened for modification C:\Windows\hvkcpidooyvfmdhvq.exe vzaljrgxfjk.exe (7 events)
File opened for modification C:\Windows\ofxsiecqtggtdxevttkb.exe vzaljrgxfjk.exe (7 events)
File opened for modification C:\Windows\ofxsiecqtggtdxevttkb.exe dfiop.exe (1 event)
File opened for modification C:\Windows\qfvocwsefqozhzetpn.exe vzaljrgxfjk.exe (8 events)
File opened for modification C:\Windows\qfvocwsefqozhzetpn.exe dfiop.exe (1 event)
File opened for modification C:\Windows\bricrmjwykjvexdtqpf.exe vzaljrgxfjk.exe (7 events)
File opened for modification C:\Windows\bricrmjwykjvexdtqpf.exe dfiop.exe (1 event)
File created C:\Windows\uvxcciqobyifzduvdnoprwwcki.scz dfiop.exe (1 event)
File opened for modification C:\Windows\vhukvmfomupxcrtfytfreufwpywezhmbdpidp.oep dfiop.exe (1 event)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process count
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language anbsewqazientjmz.exe (12 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hvkcpidooyvfmdhvq.exe (12 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ofxsiecqtggtdxevttkb.exe (11 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvokbyxmqeftezhzyzrjc.exe (8 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bricrmjwykjvexdtqpf.exe (6 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qfvocwsefqozhzetpn.exe (5 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pbutiwomapozhzetpn.exe (2 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zjaxkwmiuhentjmz.exe (2 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crnphytuldftezhzyzqfb.exe (2 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbwxoeyyofgtdxevttjx.exe (1 event)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grjhvizwjxvfmdhvq.exe (1 event)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language anhhxmfetjjvexdtqpe.exe (1 event)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_bad3aa8bfd42552d828c35c8202f43f6.exe (1 event)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process count
4700 JaffaCakes118_bad3aa8bfd42552d828c35c8202f43f6.exe (60 events)
5304 dfiop.exe (4 events)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 5304 dfiop.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target count
PID 4700 wrote to memory of 4664 4700 JaffaCakes118_bad3aa8bfd42552d828c35c8202f43f6.exe 78 (3 events)
PID 1544 wrote to memory of 2760 1544 cmd.exe 81 (3 events)
PID 4804 wrote to memory of 4824 4804 cmd.exe 84 (3 events)
PID 4824 wrote to memory of 5068 4824 ofxsiecqtggtdxevttkb.exe 85 (3 events)
PID 4368 wrote to memory of 2660 4368 cmd.exe 90 (3 events)
PID 5016 wrote to memory of 4484 5016 cmd.exe 91 (3 events)
PID 4484 wrote to memory of 5052 4484 hvkcpidooyvfmdhvq.exe 94 (3 events)
PID 4396 wrote to memory of 3028 4396 cmd.exe 97 (3 events)
PID 716 wrote to memory of 3972 716 cmd.exe 98 (3 events)
PID 3972 wrote to memory of 4020 3972 ofxsiecqtggtdxevttkb.exe 99 (3 events)
PID 3396 wrote to memory of 2620 3396 cmd.exe 102 (3 events)
PID 4596 wrote to memory of 5736 4596 cmd.exe 105 (3 events)
PID 5736 wrote to memory of 4768 5736 hvkcpidooyvfmdhvq.exe 106 (3 events)
PID 4664 wrote to memory of 5304 4664 vzaljrgxfjk.exe 107 (3 events)
PID 4664 wrote to memory of 2072 4664 vzaljrgxfjk.exe 108 (3 events)
PID 224 wrote to memory of 2604 224 cmd.exe 216 (3 events)
PID 5716 wrote to memory of 3452 5716 cmd.exe 335 (3 events)
PID 5896 wrote to memory of 4740 5896 cmd.exe 117 (3 events)
PID 1356 wrote to memory of 1228 1356 cmd.exe 120 (3 events)
PID 4740 wrote to memory of 1936 4740 bricrmjwykjvexdtqpf.exe 333 (3 events)
PID 1228 wrote to memory of 5848 1228 anbsewqazientjmz.exe 227 (3 events)
PID 3884 wrote to memory of 2784 3884 cmd.exe 129 (1 event)
-
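The "wrote to memory of" rows carry enough to rebuild the execution chain: each names the writing process, its PID, the PID it wrote into and the sandbox's procid_target for that child, and the same pair is usually logged three times. The following Python is an added example, not part of this report or of the sandbox: it parses a handful of rows copied from the table above, collapses the repeats into a count, and reconstructs the parent/child tree and the lineage of a given PID. An image name is learned only for PIDs that later appear as writers, so 5304 is seeded from the AdjustPrivilegeToken row that names it dfiop.exe; the cmd.exe instances have no recorded parent in this table and therefore come out as separate roots.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: rows copied from the "Suspicious use of WriteProcessMemory"
# table above. The sandbox prints each as
#   PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>
# and usually repeats a pair three times.
WPM_ROWS = [
    'PID 4700 wrote to memory of 4664 4700 JaffaCakes118_bad3aa8bfd42552d828c35c8202f43f6.exe 78',
    'PID 4700 wrote to memory of 4664 4700 JaffaCakes118_bad3aa8bfd42552d828c35c8202f43f6.exe 78',
    'PID 4700 wrote to memory of 4664 4700 JaffaCakes118_bad3aa8bfd42552d828c35c8202f43f6.exe 78',
    'PID 4804 wrote to memory of 4824 4804 cmd.exe 84',
    'PID 4824 wrote to memory of 5068 4824 ofxsiecqtggtdxevttkb.exe 85',
    'PID 4664 wrote to memory of 5304 4664 vzaljrgxfjk.exe 107',
    'PID 4664 wrote to memory of 5304 4664 vzaljrgxfjk.exe 107',
    'PID 4664 wrote to memory of 2072 4664 vzaljrgxfjk.exe 108',
]
# Images known from other tables on this page (the AdjustPrivilegeToken row names 5304).
KNOWN_IMAGES = {5304: 'dfiop.exe'}

ROW_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$')


def parse_rows(rows, known=None):
    """Return (edges, names, targets). edges counts each (parent, child) pair; names maps
    a PID to its image, learned only when that PID appears as the writer (plus any seed);
    targets maps a child PID to the sandbox's procid_target."""
    edges, names, targets = Counter(), dict(known or {}), {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f'unrecognised row: {row!r}')
        parent, child, image, target = int(m[1]), int(m[2]), m[3], int(m[4])
        edges[(parent, child)] += 1
        names[parent] = image
        targets[child] = target
    return edges, names, targets


def children_of(edges):
    kids = defaultdict(list)
    for parent, child in edges:
        kids[parent].append(child)
    return {p: sorted(c) for p, c in kids.items()}


def roots(edges):
    """PIDs that write into others but are never written into: the chain starts there."""
    return sorted({p for p, _ in edges} - {c for _, c in edges})


def lineage(edges, pid):
    """Walk from pid back to its earliest recorded ancestor, root first."""
    parent_of = {c: p for p, c in edges}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def render(edges, names, targets):
    """Indented text tree, one line per process."""
    kids, lines = children_of(edges), []

    def walk(pid, depth):
        label = names.get(pid, '(image not recorded in these rows)')
        extra = f'  procid_target={targets[pid]}' if pid in targets else ''
        lines.append(f"{'    ' * depth}{pid} {label}{extra}")
        for child in kids.get(pid, []):
            walk(child, depth + 1)

    for root in roots(edges):
        walk(root, 0)
    return lines


if __name__ == '__main__':
    e, n, t = parse_rows(WPM_ROWS, KNOWN_IMAGES)
    print('\n'.join(render(e, n, t)))
    print('lineage of 5304:', ' -> '.join(map(str, lineage(e, 5304))))
```

On the full table the same walk gives the chain that matters for triage: the submitted sample (4700) creates vzaljrgxfjk.exe (4664), which in turn creates dfiop.exe (5304) and a second vzaljrgxfjk.exe (2072); the cmd.exe instances that launch the dropped executables from C:\Windows are recorded here only from the point where they write into their own children.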
System policy modification 1 TTPs 64 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | dfiop.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | dfiop.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | dfiop.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | dfiop.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dfiop.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | dfiop.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dfiop.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | dfiop.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dfiop.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dfiop.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | dfiop.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dfiop.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | dfiop.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dfiop.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | dfiop.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | dfiop.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | dfiop.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dfiop.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | dfiop.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | dfiop.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Processes

1⤵ PID 4700  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bad3aa8bfd42552d828c35c8202f43f6.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bad3aa8bfd42552d828c35c8202f43f6.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
    2⤵ PID 4664  C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe
       cmdline: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_bad3aa8bfd42552d828c35c8202f43f6.exe*"
       - Modifies WinLogon for persistence
       - UAC bypass
       - Adds policy Run key to start application
       - Disables RegEdit via registry modification
       - Executes dropped EXE
       - Adds Run key to start application
       - Checks whether UAC is enabled
       - Hijack Execution Flow: Executable Installer File Permissions Weakness
       - Drops file in System32 directory
       - Drops file in Windows directory
       - Suspicious use of WriteProcessMemory
       - System policy modification
        3⤵ PID 5304  C:\Users\Admin\AppData\Local\Temp\dfiop.exe
           cmdline: "C:\Users\Admin\AppData\Local\Temp\dfiop.exe" "-C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe"
           - Modifies WinLogon for persistence
           - UAC bypass
           - Adds policy Run key to start application
           - Disables RegEdit via registry modification
           - Executes dropped EXE
           - Impair Defenses: Safe Mode Boot
           - Adds Run key to start application
           - Checks whether UAC is enabled
           - Hijack Execution Flow: Executable Installer File Permissions Weakness
           - Drops file in System32 directory
           - Drops file in Program Files directory
           - Drops file in Windows directory
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of AdjustPrivilegeToken
           - System policy modification
        3⤵ PID 2072  C:\Users\Admin\AppData\Local\Temp\dfiop.exe
           cmdline: "C:\Users\Admin\AppData\Local\Temp\dfiop.exe" "-C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe"
           - Modifies WinLogon for persistence
           - UAC bypass
           - Adds policy Run key to start application
           - Disables RegEdit via registry modification
           - Executes dropped EXE
           - Adds Run key to start application
           - Checks whether UAC is enabled
           - Hijack Execution Flow: Executable Installer File Permissions Weakness
           - Drops file in System32 directory
           - Drops file in Windows directory
           - System policy modification
1⤵ PID 1544  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe
   - Suspicious use of WriteProcessMemory
    2⤵ PID 2760  C:\Windows\hvkcpidooyvfmdhvq.exe
       cmdline: hvkcpidooyvfmdhvq.exe
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery

1⤵ PID 4804  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe .
   - Suspicious use of WriteProcessMemory
    2⤵ PID 4824  C:\Windows\ofxsiecqtggtdxevttkb.exe
       cmdline: ofxsiecqtggtdxevttkb.exe .
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
        3⤵ PID 5068  C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe
           cmdline: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ofxsiecqtggtdxevttkb.exe*."
           - Executes dropped EXE

1⤵ PID 4368  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe
   - Suspicious use of WriteProcessMemory
    2⤵ PID 2660  C:\Windows\anbsewqazientjmz.exe
       cmdline: anbsewqazientjmz.exe
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery

1⤵ PID 5016  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe .
   - Suspicious use of WriteProcessMemory
    2⤵ PID 4484  C:\Windows\hvkcpidooyvfmdhvq.exe
       cmdline: hvkcpidooyvfmdhvq.exe .
       - Executes dropped EXE
       - Suspicious use of WriteProcessMemory
        3⤵ PID 5052  C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe
           cmdline: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hvkcpidooyvfmdhvq.exe*."
           - Executes dropped EXE

1⤵ PID 4396  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe
   - Suspicious use of WriteProcessMemory
    2⤵ PID 3028  C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe
       cmdline: C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery

1⤵ PID 716  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe .
   - Suspicious use of WriteProcessMemory
    2⤵ PID 3972  C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe
       cmdline: C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe .
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
        3⤵ PID 4020  C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe
           cmdline: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ofxsiecqtggtdxevttkb.exe*."
           - Executes dropped EXE
1⤵ PID 3396  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe
   - Suspicious use of WriteProcessMemory
    2⤵ PID 2620  C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe
       cmdline: C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery

1⤵ PID 4596  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .
   - Suspicious use of WriteProcessMemory
    2⤵ PID 5736  C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe
       cmdline: C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .
       - Executes dropped EXE
       - Suspicious use of WriteProcessMemory
        3⤵ PID 4768  C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe
           cmdline: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hvkcpidooyvfmdhvq.exe*."
           - Executes dropped EXE

1⤵ PID 224  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe
   - Suspicious use of WriteProcessMemory
    2⤵ PID 2604  C:\Windows\dvokbyxmqeftezhzyzrjc.exe
       cmdline: dvokbyxmqeftezhzyzrjc.exe
       - Executes dropped EXE

1⤵ PID 5716  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe
   - Suspicious use of WriteProcessMemory
    2⤵ PID 3452  C:\Windows\dvokbyxmqeftezhzyzrjc.exe
       cmdline: dvokbyxmqeftezhzyzrjc.exe
       - Executes dropped EXE

1⤵ PID 5896  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c bricrmjwykjvexdtqpf.exe .
   - Suspicious use of WriteProcessMemory
    2⤵ PID 4740  C:\Windows\bricrmjwykjvexdtqpf.exe
       cmdline: bricrmjwykjvexdtqpf.exe .
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
        3⤵ PID 1936  C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe
           cmdline: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bricrmjwykjvexdtqpf.exe*."
           - Executes dropped EXE

1⤵ PID 1356  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe .
   - Suspicious use of WriteProcessMemory
    2⤵ PID 1228  C:\Windows\anbsewqazientjmz.exe
       cmdline: anbsewqazientjmz.exe .
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
        3⤵ PID 5848  C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe
           cmdline: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\anbsewqazientjmz.exe*."
           - Executes dropped EXE

1⤵ PID 3884  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe
   - Suspicious use of WriteProcessMemory
    2⤵ PID 2784  C:\Windows\dvokbyxmqeftezhzyzrjc.exe
       cmdline: dvokbyxmqeftezhzyzrjc.exe
       - Executes dropped EXE
1⤵ PID 1388  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe .
    2⤵ PID 864  C:\Windows\ofxsiecqtggtdxevttkb.exe
       cmdline: ofxsiecqtggtdxevttkb.exe .
       - Executes dropped EXE
        3⤵ PID 3956  C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe
           cmdline: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ofxsiecqtggtdxevttkb.exe*."
           - Executes dropped EXE

1⤵ PID 656  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe
    2⤵ PID 5220  C:\Windows\dvokbyxmqeftezhzyzrjc.exe
       cmdline: dvokbyxmqeftezhzyzrjc.exe
       - Executes dropped EXE

1⤵ PID 2976  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe
    2⤵ PID 1484  C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe
       cmdline: C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery

1⤵ PID 772  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe .
    2⤵ PID 3260  C:\Windows\hvkcpidooyvfmdhvq.exe
       cmdline: hvkcpidooyvfmdhvq.exe .
       - Executes dropped EXE
        3⤵ PID 1464  C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe
           cmdline: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hvkcpidooyvfmdhvq.exe*."
           - Modifies WinLogon for persistence
           - UAC bypass
           - Adds policy Run key to start application
           - Executes dropped EXE
           - Adds Run key to start application
           - Checks whether UAC is enabled
           - Drops file in System32 directory
           - Drops file in Windows directory

1⤵ PID 3428  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe
    2⤵ PID 4760  C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe
       cmdline: C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe
       - Executes dropped EXE

1⤵ PID 5948  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
    2⤵ PID 3568  C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe
       cmdline: C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery
        3⤵ PID 5828  C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe
           cmdline: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bricrmjwykjvexdtqpf.exe*."
           - Executes dropped EXE

1⤵ PID 4008  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe .
    2⤵ PID 3052  C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe
       cmdline: C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe .
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery
        3⤵ PID 1804  C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe
           cmdline: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ofxsiecqtggtdxevttkb.exe*."
           - Executes dropped EXE
1⤵ PID 3520  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe
    2⤵ PID 6024  C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe
       cmdline: C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe
       - Executes dropped EXE

1⤵ PID 3840  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe .
    2⤵ PID 2640  C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe
       cmdline: C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe .
       - Executes dropped EXE
        3⤵ PID 5160  C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe
           cmdline: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\qfvocwsefqozhzetpn.exe*."
           - Modifies WinLogon for persistence
           - UAC bypass
           - Adds policy Run key to start application
           - Disables RegEdit via registry modification
           - Executes dropped EXE
           - Adds Run key to start application
           - Checks whether UAC is enabled
           - Hijack Execution Flow: Executable Installer File Permissions Weakness
           - System policy modification
            4⤵ PID 760  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 2520  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 892  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 3452  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 1548  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 5948  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 3800  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 4292  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 3200  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 940  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 3928  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 4792  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 5724  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 5116  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 3096  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 4552  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 5708  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 6136  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 5736  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 3164  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 3984  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 1548  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 5068  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 948  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 940  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 4920  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 996  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 1628  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 2364  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 5848  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 5200  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 5060  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 2120  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 1088  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 4580  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 3780  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 4828  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 6000  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 3012  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 5420  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 1484  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 4404  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 3216  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 4964  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 3688  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 4792  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 716  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 3284  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 1700  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 2104  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 2448  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 4968  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 2148  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 4892  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 4996  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 5768  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 4396  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
            4⤵ PID 2600  C:\Users\Admin\AppData\Local\Temp\cbhtv.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe"
1⤵ PID 712  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe
    2⤵ PID 4656  C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe
       cmdline: C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe
       - Executes dropped EXE

1⤵ PID 4892  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
    2⤵ PID 788  C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe
       cmdline: C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
       - Executes dropped EXE
        3⤵ PID 5856  C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe
           cmdline: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bricrmjwykjvexdtqpf.exe*."
           - Executes dropped EXE

1⤵ PID 1428  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe
    2⤵ PID 5708  C:\Windows\anbsewqazientjmz.exe
       cmdline: anbsewqazientjmz.exe
       - Executes dropped EXE

1⤵ PID 4884  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe .
    2⤵ PID 5312  C:\Windows\anbsewqazientjmz.exe
       cmdline: anbsewqazientjmz.exe .
       - Executes dropped EXE
        3⤵ PID 5316  C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe
           cmdline: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\anbsewqazientjmz.exe*."
           - Executes dropped EXE

1⤵ PID 4376  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c qfvocwsefqozhzetpn.exe
    2⤵ PID 2296  C:\Windows\qfvocwsefqozhzetpn.exe
       cmdline: qfvocwsefqozhzetpn.exe
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery

1⤵ PID 4796  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c zjaxkwmiuhentjmz.exe
    2⤵ PID 5072  C:\Windows\zjaxkwmiuhentjmz.exe
       cmdline: zjaxkwmiuhentjmz.exe
       - System Location Discovery: System Language Discovery

1⤵ PID 4944  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe .
    2⤵ PID 4464  C:\Windows\hvkcpidooyvfmdhvq.exe
       cmdline: hvkcpidooyvfmdhvq.exe .
       - Executes dropped EXE
        3⤵ PID 5448  C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe
           cmdline: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hvkcpidooyvfmdhvq.exe*."
           - Executes dropped EXE

1⤵ PID 4812  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe
    2⤵ PID 3580  C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe
       cmdline: C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe
       - Executes dropped EXE

1⤵ PID 4928  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c crnphytuldftezhzyzqfb.exe .
    2⤵ PID 3120  C:\Windows\crnphytuldftezhzyzqfb.exe
       cmdline: crnphytuldftezhzyzqfb.exe .
       - System Location Discovery: System Language Discovery
        3⤵ PID 3272  C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe
           cmdline: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\crnphytuldftezhzyzqfb.exe*."
           - Executes dropped EXE

1⤵ PID 4372  C:\Windows\system32\cmd.exe
   cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
    2⤵ PID 3784  C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe
       cmdline: C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
       - Executes dropped EXE
        3⤵ PID 3268  C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe
           cmdline: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bricrmjwykjvexdtqpf.exe*."
           - Executes dropped EXE
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c anhhxmfetjjvexdtqpe.exe1⤵PID:6000
-
C:\Windows\anhhxmfetjjvexdtqpe.exeanhhxmfetjjvexdtqpe.exe2⤵
- System Location Discovery: System Language Discovery
PID:2176
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pbutiwomapozhzetpn.exe .1⤵PID:3972
-
C:\Windows\pbutiwomapozhzetpn.exepbutiwomapozhzetpn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4692 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\pbutiwomapozhzetpn.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2244
-
-
-
[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe | PID:2656
  [2] C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe | command line: C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe | PID:2240
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe | PID:3728
  [2] C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe | command line: C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe | PID:3080
      - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe . | PID:1524
  [2] C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe | command line: C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe . | PID:1068
      - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ofxsiecqtggtdxevttkb.exe*." | PID:5360
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crnphytuldftezhzyzqfb.exe . | PID:1672
  [2] C:\Users\Admin\AppData\Local\Temp\crnphytuldftezhzyzqfb.exe | command line: C:\Users\Admin\AppData\Local\Temp\crnphytuldftezhzyzqfb.exe . | PID:2624
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\crnphytuldftezhzyzqfb.exe*." | PID:2604
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbwxoeyyofgtdxevttjx.exe | PID:1912
  [2] C:\Users\Admin\AppData\Local\Temp\nbwxoeyyofgtdxevttjx.exe | command line: C:\Users\Admin\AppData\Local\Temp\nbwxoeyyofgtdxevttjx.exe | PID:1668

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbwxoeyyofgtdxevttjx.exe . | PID:5236
  [2] C:\Users\Admin\AppData\Local\Temp\nbwxoeyyofgtdxevttjx.exe | command line: C:\Users\Admin\AppData\Local\Temp\nbwxoeyyofgtdxevttjx.exe . | PID:1444
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\nbwxoeyyofgtdxevttjx.exe*." | PID:3188
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe | PID:1556
  [2] C:\Windows\dvokbyxmqeftezhzyzrjc.exe | command line: dvokbyxmqeftezhzyzrjc.exe | PID:3192
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe . | PID:5752
  [2] C:\Windows\anbsewqazientjmz.exe | command line: anbsewqazientjmz.exe . | PID:2700
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\anbsewqazientjmz.exe*." | PID:3988
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c qfvocwsefqozhzetpn.exe | PID:5848
  [2] C:\Windows\qfvocwsefqozhzetpn.exe | command line: qfvocwsefqozhzetpn.exe | PID:3220
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c qfvocwsefqozhzetpn.exe | PID:4016
  [2] C:\Windows\qfvocwsefqozhzetpn.exe | command line: qfvocwsefqozhzetpn.exe | PID:1212
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe . | PID:5012
  [2] C:\Windows\anbsewqazientjmz.exe | command line: anbsewqazientjmz.exe . | PID:1112
      - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\anbsewqazientjmz.exe*." | PID:3064
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe | PID:2696
  [2] C:\Windows\hvkcpidooyvfmdhvq.exe | command line: hvkcpidooyvfmdhvq.exe | PID:1948
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe | PID:2448
  [2] C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe | command line: C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe | PID:5624
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c bricrmjwykjvexdtqpf.exe . | PID:748
  [2] C:\Windows\bricrmjwykjvexdtqpf.exe | command line: bricrmjwykjvexdtqpf.exe . | PID:5924
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bricrmjwykjvexdtqpf.exe*." | PID:2644

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe . | PID:3716
  [2] C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe | command line: C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe . | PID:5208
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ofxsiecqtggtdxevttkb.exe*." | PID:940
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe . | PID:552
  [2] C:\Windows\ofxsiecqtggtdxevttkb.exe | command line: ofxsiecqtggtdxevttkb.exe . | PID:5356
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ofxsiecqtggtdxevttkb.exe*." | PID:5980

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe | PID:2340
  [2] C:\Windows\ofxsiecqtggtdxevttkb.exe | command line: ofxsiecqtggtdxevttkb.exe | PID:1640

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe . | PID:5776
  [2] C:\Windows\dvokbyxmqeftezhzyzrjc.exe | command line: dvokbyxmqeftezhzyzrjc.exe . | PID:396
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\dvokbyxmqeftezhzyzrjc.exe*." | PID:5536

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe | PID:3308
  [2] C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe | command line: C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe | PID:4144

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe | PID:5928
  [2] C:\Windows\anbsewqazientjmz.exe | command line: anbsewqazientjmz.exe | PID:2904

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c bricrmjwykjvexdtqpf.exe . | PID:1596
  [2] C:\Windows\bricrmjwykjvexdtqpf.exe | command line: bricrmjwykjvexdtqpf.exe . | PID:5692
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bricrmjwykjvexdtqpf.exe*." | PID:4820

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe . | PID:4584
  [2] C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe | command line: C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe . | PID:4440
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ofxsiecqtggtdxevttkb.exe*." | PID:4380

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe | PID:752
  [2] C:\Windows\System32\Conhost.exe | command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3052
  [2] C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe | command line: C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe | PID:4744

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe | PID:432
  [2] C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe | command line: C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe | PID:4808

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe . | PID:2036
  [2] C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe | command line: C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe . | PID:5700
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ofxsiecqtggtdxevttkb.exe*." | PID:3664

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe . | PID:712
  [2] C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe | command line: C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe . | PID:2280
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\anbsewqazientjmz.exe*." | PID:4956

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe | PID:2632
  [2] C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe | command line: C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe | PID:5044

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe | PID:4124
  [2] C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe | command line: C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe | PID:5040

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe . | PID:5312
  [2] C:\Windows\System32\Conhost.exe | command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5316
  [2] C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe | command line: C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe . | PID:4024
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bricrmjwykjvexdtqpf.exe*." | PID:460

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe . | PID:5072
  [2] C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe | command line: C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe . | PID:4928
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hvkcpidooyvfmdhvq.exe*." | PID:3948

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c bricrmjwykjvexdtqpf.exe | PID:4964
  [2] C:\Windows\bricrmjwykjvexdtqpf.exe | command line: bricrmjwykjvexdtqpf.exe | PID:6108

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe . | PID:3028
  [2] C:\Windows\anbsewqazientjmz.exe | command line: anbsewqazientjmz.exe . | PID:1624
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\anbsewqazientjmz.exe*." | PID:716

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c qfvocwsefqozhzetpn.exe | PID:2168
  [2] C:\Windows\qfvocwsefqozhzetpn.exe | command line: qfvocwsefqozhzetpn.exe | PID:3916

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe . | PID:1568
  [2] C:\Windows\dvokbyxmqeftezhzyzrjc.exe | command line: dvokbyxmqeftezhzyzrjc.exe . | PID:3456
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\dvokbyxmqeftezhzyzrjc.exe*." | PID:5452

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe | PID:1256
  [2] C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe | command line: C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe | PID:1904

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe . | PID:1092
  [2] C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe | command line: C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe . | PID:2212
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\dvokbyxmqeftezhzyzrjc.exe*." | PID:5592

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c anhhxmfetjjvexdtqpe.exe | PID:1524
  [2] C:\Windows\anhhxmfetjjvexdtqpe.exe | command line: anhhxmfetjjvexdtqpe.exe | PID:3516

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c pbutiwomapozhzetpn.exe . | PID:5588
  [2] C:\Windows\pbutiwomapozhzetpn.exe | command line: pbutiwomapozhzetpn.exe . | PID:1936
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\pbutiwomapozhzetpn.exe*." | PID:5864

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe | PID:5968
  [2] C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe | command line: C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe | PID:2928

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c grjhvizwjxvfmdhvq.exe | PID:6116
  [2] C:\Windows\grjhvizwjxvfmdhvq.exe | command line: grjhvizwjxvfmdhvq.exe | PID:4540

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe . | PID:5812
  [2] C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe | command line: C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe . | PID:4488
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bricrmjwykjvexdtqpf.exe*." | PID:3260
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c anhhxmfetjjvexdtqpe.exe . | PID:1220
  [2] C:\Windows\anhhxmfetjjvexdtqpe.exe | command line: anhhxmfetjjvexdtqpe.exe . | PID:3612
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\anhhxmfetjjvexdtqpe.exe*." | PID:740

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grjhvizwjxvfmdhvq.exe | PID:5860
  [2] C:\Users\Admin\AppData\Local\Temp\grjhvizwjxvfmdhvq.exe | command line: C:\Users\Admin\AppData\Local\Temp\grjhvizwjxvfmdhvq.exe | PID:4184
      - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbutiwomapozhzetpn.exe . | PID:996
  [2] C:\Users\Admin\AppData\Local\Temp\pbutiwomapozhzetpn.exe | command line: C:\Users\Admin\AppData\Local\Temp\pbutiwomapozhzetpn.exe . | PID:5976
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\pbutiwomapozhzetpn.exe*." | PID:5012

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crnphytuldftezhzyzqfb.exe | PID:5996
  [2] C:\Users\Admin\AppData\Local\Temp\crnphytuldftezhzyzqfb.exe | command line: C:\Users\Admin\AppData\Local\Temp\crnphytuldftezhzyzqfb.exe | PID:1724

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe | PID:484
  [2] C:\Windows\ofxsiecqtggtdxevttkb.exe | command line: ofxsiecqtggtdxevttkb.exe | PID:3752

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe . | PID:1700
  [2] C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe | command line: C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe . | PID:2988
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\zjaxkwmiuhentjmz.exe*." | PID:4144

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe . | PID:1128
  [2] C:\Windows\dvokbyxmqeftezhzyzrjc.exe | command line: dvokbyxmqeftezhzyzrjc.exe . | PID:5512
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\dvokbyxmqeftezhzyzrjc.exe*." | PID:4668

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe | PID:2296
  [2] C:\Windows\anbsewqazientjmz.exe | command line: anbsewqazientjmz.exe | PID:4900

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c bricrmjwykjvexdtqpf.exe . | PID:748
  [2] C:\Windows\bricrmjwykjvexdtqpf.exe | command line: bricrmjwykjvexdtqpf.exe . | PID:972
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bricrmjwykjvexdtqpf.exe*." | PID:1560

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe | PID:3580
  [2] C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe | command line: C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe | PID:5052

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe . | PID:5384
  [2] C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe | command line: C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe . | PID:5664
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hvkcpidooyvfmdhvq.exe*." | PID:752

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe | PID:4932
  [2] C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe | command line: C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe | PID:5156

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe . | PID:5056
  [2] C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe | command line: C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe . | PID:4248
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hvkcpidooyvfmdhvq.exe*." | PID:5108
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe | PID:2108
  [2] C:\Windows\anbsewqazientjmz.exe | command line: anbsewqazientjmz.exe | PID:3784

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c bricrmjwykjvexdtqpf.exe . | PID:3664
  [2] C:\Windows\System32\Conhost.exe | command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4956
  [2] C:\Windows\bricrmjwykjvexdtqpf.exe | command line: bricrmjwykjvexdtqpf.exe . | PID:1260
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bricrmjwykjvexdtqpf.exe*." | PID:4428

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe | PID:4640
  [2] C:\Windows\ofxsiecqtggtdxevttkb.exe | command line: ofxsiecqtggtdxevttkb.exe | PID:5724

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe . | PID:3968
  [2] C:\Windows\hvkcpidooyvfmdhvq.exe | command line: hvkcpidooyvfmdhvq.exe . | PID:3992
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hvkcpidooyvfmdhvq.exe*." | PID:2772

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe | PID:4076
  [2] C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe | command line: C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe | PID:5048

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe . | PID:2456
  [2] C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe | command line: C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe . | PID:4300
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hvkcpidooyvfmdhvq.exe*." | PID:4980

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe | PID:4812
  [2] C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe | command line: C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe | PID:1464

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe . | PID:896
  [2] C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe | command line: C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe . | PID:3248
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\dvokbyxmqeftezhzyzrjc.exe*." | PID:3916
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe | PID:5520
  [2] C:\Windows\ofxsiecqtggtdxevttkb.exe | command line: ofxsiecqtggtdxevttkb.exe | PID:336

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c qfvocwsefqozhzetpn.exe . | PID:800
  [2] C:\Windows\qfvocwsefqozhzetpn.exe | command line: qfvocwsefqozhzetpn.exe . | PID:1256
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\qfvocwsefqozhzetpn.exe*." | PID:1636

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe | PID:2604
  [2] C:\Windows\hvkcpidooyvfmdhvq.exe | command line: hvkcpidooyvfmdhvq.exe | PID:4240

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe . | PID:3628
  [2] C:\Windows\dvokbyxmqeftezhzyzrjc.exe | command line: dvokbyxmqeftezhzyzrjc.exe . | PID:5592
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\dvokbyxmqeftezhzyzrjc.exe*." | PID:1936

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe | PID:5596
  [2] C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe | command line: C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe | PID:232

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe . | PID:1012
  [2] C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe | command line: C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe . | PID:2364
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\dvokbyxmqeftezhzyzrjc.exe*." | PID:5572

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe | PID:1228
  [2] C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe | command line: C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe | PID:5600

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe . | PID:400
  [2] C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe | command line: C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe . | PID:4016
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ofxsiecqtggtdxevttkb.exe*." | PID:424
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe | PID:1000
  [2] C:\Windows\ofxsiecqtggtdxevttkb.exe | command line: ofxsiecqtggtdxevttkb.exe | PID:452

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c qfvocwsefqozhzetpn.exe . | PID:760
  [2] C:\Windows\qfvocwsefqozhzetpn.exe | command line: qfvocwsefqozhzetpn.exe . | PID:2696
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\qfvocwsefqozhzetpn.exe*." | PID:5976

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe | PID:1484
  [2] C:\Windows\hvkcpidooyvfmdhvq.exe | command line: hvkcpidooyvfmdhvq.exe | PID:5220

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe . | PID:5208
  [2] C:\Windows\anbsewqazientjmz.exe | command line: anbsewqazientjmz.exe . | PID:5684
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\anbsewqazientjmz.exe*." | PID:3824

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe | PID:2380
  [2] C:\Windows\System32\Conhost.exe | command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5828
  [2] C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe | command line: C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe | PID:5924

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe . | PID:5356
  [2] C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe | command line: C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe . | PID:1756
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\anbsewqazientjmz.exe*." | PID:6120

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe | PID:704
  [2] C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe | command line: C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe | PID:1388

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe . | PID:5088
  [2] C:\Windows\System32\Conhost.exe | command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2296
  [2] C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe | command line: C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe . | PID:4288
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hvkcpidooyvfmdhvq.exe*." | PID:5240
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c bricrmjwykjvexdtqpf.exe | PID:748
  [2] C:\Windows\bricrmjwykjvexdtqpf.exe | command line: bricrmjwykjvexdtqpf.exe | PID:1760

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe . | PID:4648
  [2] C:\Windows\anbsewqazientjmz.exe | command line: anbsewqazientjmz.exe . | PID:4468
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\anbsewqazientjmz.exe*." | PID:5692

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe | PID:3608
  [2] C:\Windows\hvkcpidooyvfmdhvq.exe | command line: hvkcpidooyvfmdhvq.exe | PID:4008

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe . | PID:3276
  [2] C:\Windows\hvkcpidooyvfmdhvq.exe | command line: hvkcpidooyvfmdhvq.exe . | PID:6024
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hvkcpidooyvfmdhvq.exe*." | PID:6108

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe | PID:4764
  [2] C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe | command line: C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe | PID:4380

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe . | PID:3784
  [2] C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe | command line: C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe . | PID:4244
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\qfvocwsefqozhzetpn.exe*." | PID:968

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe | PID:1064
  [2] C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe | command line: C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe | PID:5028

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe . | PID:2260
  [2] C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe | command line: C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe . | PID:1308
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hvkcpidooyvfmdhvq.exe*." | PID:712
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe | PID:4944
  [2] C:\Windows\anbsewqazientjmz.exe | command line: anbsewqazientjmz.exe | PID:5672

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c bricrmjwykjvexdtqpf.exe . | PID:3424
  [2] C:\Windows\bricrmjwykjvexdtqpf.exe | command line: bricrmjwykjvexdtqpf.exe . | PID:3944
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bricrmjwykjvexdtqpf.exe*." | PID:4840

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe | PID:4292
  [2] C:\Windows\ofxsiecqtggtdxevttkb.exe | command line: ofxsiecqtggtdxevttkb.exe | PID:6016

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe | PID:5080
  [2] C:\Windows\hvkcpidooyvfmdhvq.exe | command line: hvkcpidooyvfmdhvq.exe | PID:2240

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe | PID:3268
  [2] C:\Windows\dvokbyxmqeftezhzyzrjc.exe | command line: dvokbyxmqeftezhzyzrjc.exe | PID:2168

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe . | PID:3396
  [2] C:\Windows\dvokbyxmqeftezhzyzrjc.exe | command line: dvokbyxmqeftezhzyzrjc.exe . | PID:248
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\dvokbyxmqeftezhzyzrjc.exe*." | PID:5180

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c qfvocwsefqozhzetpn.exe . | PID:4712
  [2] C:\Windows\qfvocwsefqozhzetpn.exe | command line: qfvocwsefqozhzetpn.exe . | PID:5140
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\qfvocwsefqozhzetpn.exe*." | PID:2392

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe | PID:2092
  [2] C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe | command line: C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe | PID:5096

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe . | PID:3980
  [2] C:\Windows\ofxsiecqtggtdxevttkb.exe | command line: ofxsiecqtggtdxevttkb.exe . | PID:5420
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ofxsiecqtggtdxevttkb.exe*." | PID:3300

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe . | PID:6092
  [2] C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe | command line: C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe . | PID:3528
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ofxsiecqtggtdxevttkb.exe*." | PID:3416

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe | PID:5720
  [2] C:\Windows\System32\Conhost.exe | command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3192
  [2] C:\Windows\anbsewqazientjmz.exe | command line: anbsewqazientjmz.exe | PID:5716

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe . | PID:5736
  [2] C:\Windows\System32\Conhost.exe | command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2212
  [2] C:\Windows\hvkcpidooyvfmdhvq.exe | command line: hvkcpidooyvfmdhvq.exe . | PID:5416
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hvkcpidooyvfmdhvq.exe*." | PID:1800
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe | PID:2132
  [2] C:\Windows\dvokbyxmqeftezhzyzrjc.exe | command line: dvokbyxmqeftezhzyzrjc.exe | PID:5480

[1] C:\Windows\system32\cmd.exe | command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe | PID:1356
-
C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe2⤵PID:1180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe .1⤵PID:652
-
C:\Windows\anbsewqazientjmz.exeanbsewqazientjmz.exe .2⤵PID:2924
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\anbsewqazientjmz.exe*."3⤵PID:5512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe1⤵PID:436
-
C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exeC:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe2⤵PID:5340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .1⤵PID:5184
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5624
-
-
C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exeC:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .2⤵PID:4272
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bricrmjwykjvexdtqpf.exe*."3⤵PID:2752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe1⤵PID:5752
-
C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe2⤵PID:3492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .1⤵PID:2124
-
C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hvkcpidooyvfmdhvq.exe*."3⤵PID:5488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .1⤵PID:2696
-
C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5460 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hvkcpidooyvfmdhvq.exe*."3⤵PID:4648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe1⤵PID:4892
-
C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exeC:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe2⤵PID:3928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe .1⤵PID:3908
-
C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exeC:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:6012 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ofxsiecqtggtdxevttkb.exe*."3⤵PID:3016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe1⤵PID:3480
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3752
-
-
C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exeC:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe2⤵PID:4664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe .1⤵PID:1376
-
C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exeC:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2384 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ofxsiecqtggtdxevttkb.exe*."3⤵PID:5908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qfvocwsefqozhzetpn.exe1⤵PID:6040
-
C:\Windows\qfvocwsefqozhzetpn.exeqfvocwsefqozhzetpn.exe2⤵PID:1760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qfvocwsefqozhzetpn.exe .1⤵PID:5484
-
C:\Windows\qfvocwsefqozhzetpn.exeqfvocwsefqozhzetpn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4932 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\qfvocwsefqozhzetpn.exe*."3⤵PID:416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe1⤵PID:5628
-
C:\Windows\anbsewqazientjmz.exeanbsewqazientjmz.exe2⤵PID:4316
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe .1⤵PID:5176
-
C:\Windows\hvkcpidooyvfmdhvq.exehvkcpidooyvfmdhvq.exe .2⤵PID:5456
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hvkcpidooyvfmdhvq.exe*."3⤵PID:5076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe1⤵PID:1096
-
C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe2⤵PID:3796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe .1⤵PID:4216
-
C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exeC:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5004 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\anbsewqazientjmz.exe*."3⤵PID:2548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c grjhvizwjxvfmdhvq.exe1⤵PID:912
-
C:\Windows\grjhvizwjxvfmdhvq.exegrjhvizwjxvfmdhvq.exe2⤵PID:2148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c crnphytuldftezhzyzqfb.exe .1⤵PID:1620
-
C:\Windows\crnphytuldftezhzyzqfb.execrnphytuldftezhzyzqfb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3948 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\crnphytuldftezhzyzqfb.exe*."3⤵PID:4800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe1⤵PID:1648
-
C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe2⤵PID:5672
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe .1⤵PID:2480
-
C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exeC:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe .2⤵PID:4732
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ofxsiecqtggtdxevttkb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbwxoeyyofgtdxevttjx.exe1⤵PID:4024
-
C:\Windows\nbwxoeyyofgtdxevttjx.exenbwxoeyyofgtdxevttjx.exe2⤵
- System Location Discovery: System Language Discovery
PID:1076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c grjhvizwjxvfmdhvq.exe .1⤵PID:2620
-
C:\Windows\grjhvizwjxvfmdhvq.exegrjhvizwjxvfmdhvq.exe .2⤵PID:2168
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\grjhvizwjxvfmdhvq.exe*."3⤵PID:4780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grjhvizwjxvfmdhvq.exe1⤵PID:5700
-
C:\Users\Admin\AppData\Local\Temp\grjhvizwjxvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\grjhvizwjxvfmdhvq.exe2⤵PID:1792
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbutiwomapozhzetpn.exe .1⤵PID:3268
-
C:\Users\Admin\AppData\Local\Temp\pbutiwomapozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\pbutiwomapozhzetpn.exe .2⤵PID:1084
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\pbutiwomapozhzetpn.exe*."3⤵PID:5940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qfvocwsefqozhzetpn.exe1⤵PID:5716
-
C:\Windows\qfvocwsefqozhzetpn.exeqfvocwsefqozhzetpn.exe2⤵PID:1080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbwxoeyyofgtdxevttjx.exe1⤵PID:5236
-
C:\Users\Admin\AppData\Local\Temp\nbwxoeyyofgtdxevttjx.exeC:\Users\Admin\AppData\Local\Temp\nbwxoeyyofgtdxevttjx.exe2⤵PID:5864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe .1⤵PID:3200
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2624
-
-
C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exeC:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe .2⤵PID:2012
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\zjaxkwmiuhentjmz.exe*."3⤵PID:5328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe .1⤵PID:1820
-
C:\Windows\ofxsiecqtggtdxevttkb.exeofxsiecqtggtdxevttkb.exe .2⤵PID:1956
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ofxsiecqtggtdxevttkb.exe*."3⤵PID:4992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe1⤵PID:2160
-
C:\Windows\anbsewqazientjmz.exeanbsewqazientjmz.exe2⤵PID:1764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe .1⤵PID:6092
-
C:\Windows\dvokbyxmqeftezhzyzrjc.exedvokbyxmqeftezhzyzrjc.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1180 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\dvokbyxmqeftezhzyzrjc.exe*."3⤵PID:5388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe1⤵PID:2100
-
C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exeC:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe2⤵PID:5296
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe .1⤵PID:4760
-
C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exeC:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1212 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\dvokbyxmqeftezhzyzrjc.exe*."3⤵PID:5196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe1⤵PID:5684
-
C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exeC:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe2⤵PID:3928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe .1⤵PID:5896
-
C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exeC:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe .2⤵PID:2756
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\dvokbyxmqeftezhzyzrjc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe1⤵PID:2536
-
C:\Windows\hvkcpidooyvfmdhvq.exehvkcpidooyvfmdhvq.exe2⤵PID:2644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe .1⤵PID:2232
-
C:\Windows\dvokbyxmqeftezhzyzrjc.exedvokbyxmqeftezhzyzrjc.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3932 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\dvokbyxmqeftezhzyzrjc.exe*."3⤵PID:5908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bricrmjwykjvexdtqpf.exe1⤵PID:424
-
C:\Windows\bricrmjwykjvexdtqpf.exebricrmjwykjvexdtqpf.exe2⤵PID:2340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe .1⤵PID:1760
-
C:\Windows\ofxsiecqtggtdxevttkb.exeofxsiecqtggtdxevttkb.exe .2⤵PID:4312
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ofxsiecqtggtdxevttkb.exe*."3⤵PID:4164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe1⤵PID:5440
-
C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exeC:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe2⤵PID:5752
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe .1⤵PID:5808
-
C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5156 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\qfvocwsefqozhzetpn.exe*."3⤵PID:3052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe1⤵PID:5460
-
C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe2⤵PID:3276
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe .1⤵PID:3796
-
C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exeC:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:776 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\anbsewqazientjmz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bricrmjwykjvexdtqpf.exe1⤵PID:4828
-
C:\Windows\bricrmjwykjvexdtqpf.exebricrmjwykjvexdtqpf.exe2⤵PID:4804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe .1⤵PID:832
-
C:\Windows\hvkcpidooyvfmdhvq.exehvkcpidooyvfmdhvq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1064 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hvkcpidooyvfmdhvq.exe*."3⤵PID:5048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe1⤵PID:532
-
C:\Windows\dvokbyxmqeftezhzyzrjc.exedvokbyxmqeftezhzyzrjc.exe2⤵PID:4584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bricrmjwykjvexdtqpf.exe .1⤵PID:4928
-
C:\Windows\bricrmjwykjvexdtqpf.exebricrmjwykjvexdtqpf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4972 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bricrmjwykjvexdtqpf.exe*."3⤵PID:2456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe1⤵PID:2640
-
C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe2⤵PID:4596
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe .1⤵PID:5008
-
C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exeC:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe .2⤵PID:5072
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ofxsiecqtggtdxevttkb.exe*."3⤵PID:1256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe1⤵PID:732
-
C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exeC:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe2⤵PID:2496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .1⤵PID:420
-
C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .2⤵PID:4432
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hvkcpidooyvfmdhvq.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe1⤵PID:1768
-
C:\Windows\dvokbyxmqeftezhzyzrjc.exedvokbyxmqeftezhzyzrjc.exe2⤵PID:4720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bricrmjwykjvexdtqpf.exe .1⤵PID:2708
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2928
-
-
C:\Windows\bricrmjwykjvexdtqpf.exebricrmjwykjvexdtqpf.exe .2⤵PID:5640
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bricrmjwykjvexdtqpf.exe*."3⤵PID:5480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe1⤵PID:2524
-
C:\Windows\anbsewqazientjmz.exeanbsewqazientjmz.exe2⤵PID:4768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe .1⤵PID:4712
-
C:\Windows\dvokbyxmqeftezhzyzrjc.exedvokbyxmqeftezhzyzrjc.exe .2⤵PID:5812
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\dvokbyxmqeftezhzyzrjc.exe*."3⤵PID:3184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe1⤵PID:1956
-
C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe2⤵PID:3448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .1⤵PID:2104
-
C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exeC:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .2⤵PID:5772
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bricrmjwykjvexdtqpf.exe*."3⤵PID:1208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe1⤵PID:2120
-
C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exeC:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe2⤵PID:1172
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe .1⤵PID:2748
-
C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exeC:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1212 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ofxsiecqtggtdxevttkb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe1⤵PID:2152
-
C:\Windows\dvokbyxmqeftezhzyzrjc.exedvokbyxmqeftezhzyzrjc.exe2⤵PID:2744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qfvocwsefqozhzetpn.exe .1⤵PID:3884
-
C:\Windows\qfvocwsefqozhzetpn.exeqfvocwsefqozhzetpn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3916 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\qfvocwsefqozhzetpn.exe*."3⤵PID:704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe1⤵PID:1052
-
C:\Windows\hvkcpidooyvfmdhvq.exehvkcpidooyvfmdhvq.exe2⤵PID:2644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe .1⤵PID:1756
-
C:\Windows\anbsewqazientjmz.exeanbsewqazientjmz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\anbsewqazientjmz.exe*."3⤵PID:840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe1⤵PID:3932
-
C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exeC:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe2⤵PID:5352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .1⤵PID:5800
-
C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5944 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hvkcpidooyvfmdhvq.exe*."3⤵PID:3412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe1⤵PID:6044
-
C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exeC:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe2⤵PID:396
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .1⤵PID:4900
-
C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exeC:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5704 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bricrmjwykjvexdtqpf.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:6004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe1⤵PID:4976
-
C:\Windows\anbsewqazientjmz.exeanbsewqazientjmz.exe2⤵PID:4436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe .1⤵PID:4384
-
C:\Windows\hvkcpidooyvfmdhvq.exehvkcpidooyvfmdhvq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4892 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hvkcpidooyvfmdhvq.exe*."3⤵PID:4464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe1⤵PID:4244
-
C:\Windows\anbsewqazientjmz.exeanbsewqazientjmz.exe2⤵PID:3108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe1⤵PID:6000
-
C:\Windows\anbsewqazientjmz.exeanbsewqazientjmz.exe2⤵PID:5724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qfvocwsefqozhzetpn.exe .1⤵PID:5100
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5240
-
-
C:\Windows\qfvocwsefqozhzetpn.exeqfvocwsefqozhzetpn.exe .2⤵PID:4076
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\qfvocwsefqozhzetpn.exe*."3⤵PID:2036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe1⤵PID:1064
-
C:\Windows\anbsewqazientjmz.exeanbsewqazientjmz.exe2⤵PID:4980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe1⤵PID:5492
-
C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exeC:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe2⤵PID:5092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe .1⤵PID:4584
-
C:\Windows\hvkcpidooyvfmdhvq.exehvkcpidooyvfmdhvq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4928 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hvkcpidooyvfmdhvq.exe*."3⤵PID:460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe .1⤵PID:5996
-
C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exeC:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3968 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\anbsewqazientjmz.exe*."3⤵PID:2620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe .1⤵PID:2772
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6016
-
-
C:\Windows\hvkcpidooyvfmdhvq.exehvkcpidooyvfmdhvq.exe .2⤵PID:4944
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hvkcpidooyvfmdhvq.exe*."3⤵PID:232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe1⤵PID:4732
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4024
-
-
C:\Windows\dvokbyxmqeftezhzyzrjc.exedvokbyxmqeftezhzyzrjc.exe2⤵PID:680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe1⤵PID:556
-
C:\Windows\ofxsiecqtggtdxevttkb.exeofxsiecqtggtdxevttkb.exe2⤵PID:1768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bricrmjwykjvexdtqpf.exe .1⤵PID:5080
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3456
-
-
C:\Windows\bricrmjwykjvexdtqpf.exebricrmjwykjvexdtqpf.exe .2⤵PID:4192
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bricrmjwykjvexdtqpf.exe*."3⤵PID:2624
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe1⤵PID:3396
-
C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exeC:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe2⤵PID:236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe .1⤵PID:1660
-
C:\Windows\ofxsiecqtggtdxevttkb.exeofxsiecqtggtdxevttkb.exe .2⤵PID:5812
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ofxsiecqtggtdxevttkb.exe*."3⤵PID:5356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe1⤵PID:2392
-
C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe2⤵PID:568
-
-
[1] C:\Windows\system32\cmd.exe (PID 3552): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe (PID 3136): C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 4664): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bricrmjwykjvexdtqpf.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2708): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe (PID 3936): C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe

[1] C:\Windows\system32\cmd.exe (PID 2248): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe (PID 5504): C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 4796): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hvkcpidooyvfmdhvq.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1956): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe (PID 3988): C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 2520): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hvkcpidooyvfmdhvq.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5388): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe
  [2] C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe (PID 2784): C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe

[1] C:\Windows\system32\cmd.exe (PID 1484): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe
  [2] C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe (PID 4556): C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe

[1] C:\Windows\system32\cmd.exe (PID 5416): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe (PID 1388): C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5052): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\dvokbyxmqeftezhzyzrjc.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3644): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe (PID 3824): C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 388): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\qfvocwsefqozhzetpn.exe*."

[1] C:\Windows\system32\cmd.exe (PID 380): C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe
  [2] C:\Windows\anbsewqazientjmz.exe (PID 2644): anbsewqazientjmz.exe

[1] C:\Windows\system32\cmd.exe (PID 5216): C:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe .
  [2] C:\Windows\System32\Conhost.exe (PID 5664): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\ofxsiecqtggtdxevttkb.exe (PID 6120): ofxsiecqtggtdxevttkb.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 2372): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ofxsiecqtggtdxevttkb.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2760): C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe
  [2] C:\Windows\anbsewqazientjmz.exe (PID 1560): anbsewqazientjmz.exe

[1] C:\Windows\system32\cmd.exe (PID 5944): C:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe .
  [2] C:\Windows\hvkcpidooyvfmdhvq.exe (PID 4660): hvkcpidooyvfmdhvq.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 4632): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hvkcpidooyvfmdhvq.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4312): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe (PID 4744): C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe

[1] C:\Windows\system32\cmd.exe (PID 5204): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe (PID 5488): C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 728): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bricrmjwykjvexdtqpf.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1928): C:\Windows\system32\cmd.exe /c pbutiwomapozhzetpn.exe
  [2] C:\Windows\pbutiwomapozhzetpn.exe (PID 1760): pbutiwomapozhzetpn.exe

[1] C:\Windows\system32\cmd.exe (PID 3008): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe
  [2] C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe (PID 2108): C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe

[1] C:\Windows\system32\cmd.exe (PID 4764): C:\Windows\system32\cmd.exe /c zjaxkwmiuhentjmz.exe .
  [2] C:\Windows\zjaxkwmiuhentjmz.exe (PID 776): zjaxkwmiuhentjmz.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 4940): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\zjaxkwmiuhentjmz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5928): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe (PID 3680): C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 3272): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\anbsewqazientjmz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2548): C:\Windows\system32\cmd.exe /c nbwxoeyyofgtdxevttjx.exe
  [2] C:\Windows\nbwxoeyyofgtdxevttjx.exe (PID 4496): nbwxoeyyofgtdxevttjx.exe

[1] C:\Windows\system32\cmd.exe (PID 5176): C:\Windows\system32\cmd.exe /c pbutiwomapozhzetpn.exe .
  [2] C:\Windows\pbutiwomapozhzetpn.exe (PID 912): pbutiwomapozhzetpn.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 1800): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\pbutiwomapozhzetpn.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1064): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grjhvizwjxvfmdhvq.exe
  [2] C:\Users\Admin\AppData\Local\Temp\grjhvizwjxvfmdhvq.exe (PID 3604): C:\Users\Admin\AppData\Local\Temp\grjhvizwjxvfmdhvq.exe

[1] C:\Windows\system32\cmd.exe (PID 2284): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anhhxmfetjjvexdtqpe.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\anhhxmfetjjvexdtqpe.exe (PID 3180): C:\Users\Admin\AppData\Local\Temp\anhhxmfetjjvexdtqpe.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 1500): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\anhhxmfetjjvexdtqpe.exe*."

[1] C:\Windows\system32\cmd.exe (PID 716): C:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe
  [2] C:\Windows\dvokbyxmqeftezhzyzrjc.exe (PID 2168): dvokbyxmqeftezhzyzrjc.exe

[1] C:\Windows\system32\cmd.exe (PID 4840): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anhhxmfetjjvexdtqpe.exe
  [2] C:\Windows\System32\Conhost.exe (PID 4584): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\anhhxmfetjjvexdtqpe.exe (PID 4856): C:\Users\Admin\AppData\Local\Temp\anhhxmfetjjvexdtqpe.exe

[1] C:\Windows\system32\cmd.exe (PID 5636): C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe .
  [2] C:\Windows\anbsewqazientjmz.exe (PID 3036): anbsewqazientjmz.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 1256): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\anbsewqazientjmz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3948): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbwxoeyyofgtdxevttjx.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\nbwxoeyyofgtdxevttjx.exe (PID 3556): C:\Users\Admin\AppData\Local\Temp\nbwxoeyyofgtdxevttjx.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5848): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\nbwxoeyyofgtdxevttjx.exe*."

[1] C:\Windows\system32\cmd.exe (PID 336): C:\Windows\system32\cmd.exe /c bricrmjwykjvexdtqpf.exe
  [2] C:\Windows\bricrmjwykjvexdtqpf.exe (PID 5432): bricrmjwykjvexdtqpf.exe

[1] C:\Windows\system32\cmd.exe (PID 1444): C:\Windows\system32\cmd.exe /c bricrmjwykjvexdtqpf.exe .
  [2] C:\Windows\bricrmjwykjvexdtqpf.exe (PID 5076): bricrmjwykjvexdtqpf.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5108): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bricrmjwykjvexdtqpf.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5420): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe
  [2] C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe (PID 568): C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe

[1] C:\Windows\system32\cmd.exe (PID 1900): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe (PID 4740): C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5596): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bricrmjwykjvexdtqpf.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5656): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe
  [2] C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe (PID 1936): C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe

[1] C:\Windows\system32\cmd.exe (PID 656): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe (PID 5904): C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 2152): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hvkcpidooyvfmdhvq.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3136): C:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe
  [2] C:\Windows\ofxsiecqtggtdxevttkb.exe (PID 3000): ofxsiecqtggtdxevttkb.exe

[1] C:\Windows\system32\cmd.exe (PID 4240): C:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe .
  [2] C:\Windows\ofxsiecqtggtdxevttkb.exe (PID 3220): ofxsiecqtggtdxevttkb.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 3552): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ofxsiecqtggtdxevttkb.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5864): C:\Windows\system32\cmd.exe /c bricrmjwykjvexdtqpf.exe
  [2] C:\Windows\bricrmjwykjvexdtqpf.exe (PID 4212): bricrmjwykjvexdtqpf.exe

[1] C:\Windows\system32\cmd.exe (PID 704): C:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe .
  [2] C:\Windows\hvkcpidooyvfmdhvq.exe (PID 1484): hvkcpidooyvfmdhvq.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 2528): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hvkcpidooyvfmdhvq.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4668): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe
  [2] C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe (PID 2316): C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe

[1] C:\Windows\system32\cmd.exe (PID 3428): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe (PID 1228): C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 4292): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hvkcpidooyvfmdhvq.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3628): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe
  [2] C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe (PID 864): C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe

[1] C:\Windows\system32\cmd.exe (PID 5236): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe (PID 2372): C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 3620): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hvkcpidooyvfmdhvq.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1304): C:\Windows\system32\cmd.exe /c qfvocwsefqozhzetpn.exe
  [2] C:\Windows\qfvocwsefqozhzetpn.exe (PID 5344): qfvocwsefqozhzetpn.exe

[1] C:\Windows\system32\cmd.exe (PID 2384): C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe .
  [2] C:\Windows\anbsewqazientjmz.exe (PID 5096): anbsewqazientjmz.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 4488): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\anbsewqazientjmz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 772): C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe
  [2] C:\Windows\anbsewqazientjmz.exe (PID 2448): anbsewqazientjmz.exe

[1] C:\Windows\system32\cmd.exe (PID 3760): C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe .
  [2] C:\Windows\anbsewqazientjmz.exe (PID 5332): anbsewqazientjmz.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 4936): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\anbsewqazientjmz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3564): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe
  [2] C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe (PID 5020): C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe

[1] C:\Windows\system32\cmd.exe (PID 5056): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
  [2] C:\Windows\System32\Conhost.exe (PID 4900): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe (PID 4384): C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 6108): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bricrmjwykjvexdtqpf.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3680): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe
  [2] C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe (PID 4892): C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe

[1] C:\Windows\system32\cmd.exe (PID 5040): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe (PID 4496): C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 4076): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bricrmjwykjvexdtqpf.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5004): C:\Windows\system32\cmd.exe /c qfvocwsefqozhzetpn.exe
  [2] C:\Windows\qfvocwsefqozhzetpn.exe (PID 5176): qfvocwsefqozhzetpn.exe

[1] C:\Windows\system32\cmd.exe (PID 4428): C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe .
  [2] C:\Windows\anbsewqazientjmz.exe (PID 3216): anbsewqazientjmz.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 2480): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\anbsewqazientjmz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 716): C:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe
  [2] C:\Windows\ofxsiecqtggtdxevttkb.exe (PID 1500): ofxsiecqtggtdxevttkb.exe

[1] C:\Windows\system32\cmd.exe (PID 2432): C:\Windows\system32\cmd.exe /c qfvocwsefqozhzetpn.exe .
  [2] C:\Windows\qfvocwsefqozhzetpn.exe (PID 2496): qfvocwsefqozhzetpn.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 2656): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\qfvocwsefqozhzetpn.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3424): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe
  [2] C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe (PID 1084): C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe

[1] C:\Windows\system32\cmd.exe (PID 4812): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe (PID 4732): C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 2640): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ofxsiecqtggtdxevttkb.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3256): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe
  [2] C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe (PID 5432): C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe

[1] C:\Windows\system32\cmd.exe (PID 3992): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe (PID 568): C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 1152): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bricrmjwykjvexdtqpf.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1012): C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe
  [2] C:\Windows\anbsewqazientjmz.exe (PID 712): anbsewqazientjmz.exe

[1] C:\Windows\system32\cmd.exe (PID 4540): C:\Windows\system32\cmd.exe /c qfvocwsefqozhzetpn.exe .
  [2] C:\Windows\qfvocwsefqozhzetpn.exe (PID 2244): qfvocwsefqozhzetpn.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 4736): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\qfvocwsefqozhzetpn.exe*."

[1] C:\Windows\system32\cmd.exe (PID 436): C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe
  [2] C:\Windows\anbsewqazientjmz.exe (PID 2744): anbsewqazientjmz.exe

[1] C:\Windows\system32\cmd.exe (PID 4920): C:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe .
  [2] C:\Windows\hvkcpidooyvfmdhvq.exe (PID 4796): hvkcpidooyvfmdhvq.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5732): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hvkcpidooyvfmdhvq.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2884): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe (PID 4184): C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe

[1] C:\Windows\system32\cmd.exe (PID 1212): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe (PID 3220): C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 1524): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\anbsewqazientjmz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5352): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe
  [2] C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe (PID 940): C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe

[1] C:\Windows\system32\cmd.exe (PID 4212): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe (PID 4816): C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 1704): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\anbsewqazientjmz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3644): C:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe
  [2] C:\Windows\ofxsiecqtggtdxevttkb.exe (PID 4036): ofxsiecqtggtdxevttkb.exe

[1] C:\Windows\system32\cmd.exe (PID 4960): C:\Windows\system32\cmd.exe /c qfvocwsefqozhzetpn.exe .
  [2] C:\Windows\qfvocwsefqozhzetpn.exe (PID 1912): qfvocwsefqozhzetpn.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 3016): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\qfvocwsefqozhzetpn.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5412): C:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe
  [2] C:\Windows\ofxsiecqtggtdxevttkb.exe (PID 972): ofxsiecqtggtdxevttkb.exe

[1] C:\Windows\system32\cmd.exe (PID 2156): C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe .
  [2] C:\Windows\anbsewqazientjmz.exe (PID 2536): anbsewqazientjmz.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 4808): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\anbsewqazientjmz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2760): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe
  [2] C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe (PID 4716): C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe

[1] C:\Windows\system32\cmd.exe (PID 4164): C:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe
  [2] C:\Windows\dvokbyxmqeftezhzyzrjc.exe (PID 3244): dvokbyxmqeftezhzyzrjc.exe

[1] C:\Windows\system32\cmd.exe (PID 904): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe (PID 5800): C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5764): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bricrmjwykjvexdtqpf.exe*."

[1] C:\Windows\system32\cmd.exe (PID 728): C:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe
  [2] C:\Windows\dvokbyxmqeftezhzyzrjc.exe (PID 4440): dvokbyxmqeftezhzyzrjc.exe

[1] C:\Windows\system32\cmd.exe (PID 3564): C:\Windows\system32\cmd.exe /c bricrmjwykjvexdtqpf.exe .
  [2] C:\Windows\bricrmjwykjvexdtqpf.exe (PID 2488): bricrmjwykjvexdtqpf.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5116): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bricrmjwykjvexdtqpf.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2436): C:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe .
  [2] C:\Windows\ofxsiecqtggtdxevttkb.exe (PID 6108): ofxsiecqtggtdxevttkb.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 832): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ofxsiecqtggtdxevttkb.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3760): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe (PID 3272): C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe

[1] C:\Windows\system32\cmd.exe (PID 2148): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe (PID 5300): C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 2076): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hvkcpidooyvfmdhvq.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3392): C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe
  [2] C:\Windows\anbsewqazientjmz.exe (PID 5708): anbsewqazientjmz.exe

[1] C:\Windows\system32\cmd.exe (PID 4560): C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe
  [2] C:\Windows\anbsewqazientjmz.exe (PID 3424): anbsewqazientjmz.exe

[1] C:\Windows\system32\cmd.exe (PID 5040): C:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe .
  [2] C:\Windows\hvkcpidooyvfmdhvq.exe (PID 3552): hvkcpidooyvfmdhvq.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 6092): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hvkcpidooyvfmdhvq.exe*."

[1] C:\Windows\system32\cmd.exe (PID 884): C:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe .
  [2] C:\Windows\dvokbyxmqeftezhzyzrjc.exe (PID 3404): dvokbyxmqeftezhzyzrjc.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 1340): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\dvokbyxmqeftezhzyzrjc.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4644): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe
  [2] C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe (PID 4856): C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe

[1] C:\Windows\system32\cmd.exe (PID 5744): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe (PID 2432): C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe

[1] C:\Windows\system32\cmd.exe (PID 948): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe (PID 3640): C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 1012): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ofxsiecqtggtdxevttkb.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3968): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe (PID 3764): C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 1200): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\anbsewqazientjmz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1568): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe (PID 5468): C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe

[1] C:\Windows\system32\cmd.exe (PID 1076): C:\Windows\system32\cmd.exe /c bricrmjwykjvexdtqpf.exe
  [2] C:\Windows\bricrmjwykjvexdtqpf.exe (PID 5676): bricrmjwykjvexdtqpf.exe

[1] C:\Windows\system32\cmd.exe (PID 4844): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe
  [2] C:\Windows\System32\Conhost.exe (PID 336): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe (PID 4740): C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe

[1] C:\Windows\system32\cmd.exe (PID 1620): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe (PID 5720): C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5968): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\qfvocwsefqozhzetpn.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5444): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe (PID 3612): C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 1440): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ofxsiecqtggtdxevttkb.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5228): C:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe .
  [2] C:\Windows\dvokbyxmqeftezhzyzrjc.exe (PID 628): dvokbyxmqeftezhzyzrjc.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 3136): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\dvokbyxmqeftezhzyzrjc.exe*."

[1] C:\Windows\system32\cmd.exe (PID 400): C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe
  [2] C:\Windows\anbsewqazientjmz.exe (PID 4920): anbsewqazientjmz.exe

[1] C:\Windows\system32\cmd.exe (PID 5684): C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe .
  [2] C:\Windows\anbsewqazientjmz.exe (PID 3980): anbsewqazientjmz.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 940): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\anbsewqazientjmz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 640): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe (PID 5640): C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe

[1] C:\Windows\system32\cmd.exe (PID 452): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe (PID 4668): C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5860): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bricrmjwykjvexdtqpf.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4816): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe
  [2] C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe (PID 3824): C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe

[1] C:\Windows\system32\cmd.exe (PID 5560): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe (PID 5188): C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5812): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\anbsewqazientjmz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1228): C:\Windows\system32\cmd.exe /c crnphytuldftezhzyzqfb.exe
  [2] C:\Windows\crnphytuldftezhzyzqfb.exe (PID 6120): crnphytuldftezhzyzqfb.exe

[1] C:\Windows\system32\cmd.exe (PID 3016): C:\Windows\system32\cmd.exe /c crnphytuldftezhzyzqfb.exe .
  [2] C:\Windows\crnphytuldftezhzyzqfb.exe (PID 1600): crnphytuldftezhzyzqfb.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 2212): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\crnphytuldftezhzyzqfb.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4720): C:\Windows\system32\cmd.exe /c anhhxmfetjjvexdtqpe.exe
  [2] C:\Windows\anhhxmfetjjvexdtqpe.exe (PID 1068): anhhxmfetjjvexdtqpe.exe

[1] C:\Windows\system32\cmd.exe (PID 6044): C:\Windows\system32\cmd.exe /c grjhvizwjxvfmdhvq.exe .
  [2] C:\Windows\grjhvizwjxvfmdhvq.exe (PID 5940): grjhvizwjxvfmdhvq.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5764): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\grjhvizwjxvfmdhvq.exe*."

[1] C:\Windows\system32\cmd.exe (PID 3912): C:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe
  [2] C:\Windows\System32\Conhost.exe (PID 5976): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\dvokbyxmqeftezhzyzrjc.exe (PID 416): dvokbyxmqeftezhzyzrjc.exe

[1] C:\Windows\system32\cmd.exe (PID 2296): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grjhvizwjxvfmdhvq.exe
  [2] C:\Users\Admin\AppData\Local\Temp\grjhvizwjxvfmdhvq.exe (PID 752): C:\Users\Admin\AppData\Local\Temp\grjhvizwjxvfmdhvq.exe

[1] C:\Windows\system32\cmd.exe (PID 4784): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe (PID 5928): C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5924): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\zjaxkwmiuhentjmz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4468): C:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe .
  [2] C:\Windows\hvkcpidooyvfmdhvq.exe (PID 3008): hvkcpidooyvfmdhvq.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 3100): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hvkcpidooyvfmdhvq.exe*."

[1] C:\Windows\system32\cmd.exe (PID 644): C:\Windows\system32\cmd.exe /c bricrmjwykjvexdtqpf.exe
  [2] C:\Windows\bricrmjwykjvexdtqpf.exe (PID 6108): bricrmjwykjvexdtqpf.exe

[1] C:\Windows\system32\cmd.exe (PID 4372): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbwxoeyyofgtdxevttjx.exe
  [2] C:\Users\Admin\AppData\Local\Temp\nbwxoeyyofgtdxevttjx.exe (PID 4124): C:\Users\Admin\AppData\Local\Temp\nbwxoeyyofgtdxevttjx.exe

[1] C:\Windows\system32\cmd.exe (PID 3216): C:\Windows\system32\cmd.exe /c qfvocwsefqozhzetpn.exe .
  [2] C:\Windows\qfvocwsefqozhzetpn.exe (PID 4840): qfvocwsefqozhzetpn.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5672): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\qfvocwsefqozhzetpn.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2168): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbutiwomapozhzetpn.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\pbutiwomapozhzetpn.exe (PID 2284): C:\Users\Admin\AppData\Local\Temp\pbutiwomapozhzetpn.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 4300): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\pbutiwomapozhzetpn.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5180): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe
  [2] C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe (PID 5604): C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe

[1] C:\Windows\system32\cmd.exe (PID 4892): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe .
  [2] C:\Windows\System32\Conhost.exe (PID 6024): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe (PID 3180): C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 1064): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\anbsewqazientjmz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2772): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe (PID 2240): C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe

[1] C:\Windows\system32\cmd.exe (PID 2364): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe (PID 3404): C:\Users\Admin\AppData\Local\Temp\bricrmjwykjvexdtqpf.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 680): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bricrmjwykjvexdtqpf.exe*."

[1] C:\Windows\system32\cmd.exe (PID 5420): C:\Windows\system32\cmd.exe /c dvokbyxmqeftezhzyzrjc.exe
  [2] C:\Windows\dvokbyxmqeftezhzyzrjc.exe (PID 5676): dvokbyxmqeftezhzyzrjc.exe

[1] C:\Windows\system32\cmd.exe (PID 4076): C:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe .
  [2] C:\Windows\anbsewqazientjmz.exe (PID 1568): anbsewqazientjmz.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 2456): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\anbsewqazientjmz.exe*."

[1] C:\Windows\system32\cmd.exe (PID 4020): C:\Windows\system32\cmd.exe /c qfvocwsefqozhzetpn.exe
  [2] C:\Windows\qfvocwsefqozhzetpn.exe (PID 5452): qfvocwsefqozhzetpn.exe

[1] C:\Windows\system32\cmd.exe (PID 484): C:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe .
  [2] C:\Windows\ofxsiecqtggtdxevttkb.exe (PID 3776): ofxsiecqtggtdxevttkb.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 3084): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ofxsiecqtggtdxevttkb.exe*."

[1] C:\Windows\system32\cmd.exe (PID 1900): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe
  [2] C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe (PID 4992): C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe

[1] C:\Windows\system32\cmd.exe (PID 760): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe .
  [2] C:\Windows\System32\Conhost.exe (PID 5140): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe (PID 4920): C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 3828): "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\dvokbyxmqeftezhzyzrjc.exe*."

[1] C:\Windows\system32\cmd.exe (PID 2652): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe
  [2] C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe (PID 1172): C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe

[1] C:\Windows\system32\cmd.exe (PID 4552): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe .
-
C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exeC:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe .2⤵PID:944
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\dvokbyxmqeftezhzyzrjc.exe*."3⤵PID:5376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe1⤵PID:1308
-
C:\Windows\anbsewqazientjmz.exeanbsewqazientjmz.exe2⤵PID:1128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bricrmjwykjvexdtqpf.exe .1⤵PID:2928
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1724
-
-
C:\Windows\bricrmjwykjvexdtqpf.exebricrmjwykjvexdtqpf.exe .2⤵PID:2316
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bricrmjwykjvexdtqpf.exe*."3⤵PID:788
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe1⤵PID:4816
-
C:\Windows\hvkcpidooyvfmdhvq.exehvkcpidooyvfmdhvq.exe2⤵PID:3628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe .1⤵PID:1356
-
C:\Windows\ofxsiecqtggtdxevttkb.exeofxsiecqtggtdxevttkb.exe .2⤵PID:2608
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ofxsiecqtggtdxevttkb.exe*."3⤵PID:1008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe1⤵PID:1228
-
C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe2⤵PID:4588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe .1⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exeC:\Users\Admin\AppData\Local\Temp\ofxsiecqtggtdxevttkb.exe .2⤵PID:6012
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ofxsiecqtggtdxevttkb.exe*."3⤵PID:4040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe1⤵PID:2212
-
C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe2⤵PID:5216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe .1⤵PID:1804
-
C:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\qfvocwsefqozhzetpn.exe .2⤵PID:4440
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\qfvocwsefqozhzetpn.exe*."3⤵PID:3844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe1⤵PID:4476
-
C:\Windows\hvkcpidooyvfmdhvq.exehvkcpidooyvfmdhvq.exe2⤵PID:1560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe .1⤵PID:2232
-
C:\Windows\anbsewqazientjmz.exeanbsewqazientjmz.exe .2⤵PID:4248
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\anbsewqazientjmz.exe*."3⤵PID:5484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe1⤵PID:1704
-
C:\Windows\hvkcpidooyvfmdhvq.exehvkcpidooyvfmdhvq.exe2⤵PID:776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe .1⤵PID:5548
-
C:\Windows\hvkcpidooyvfmdhvq.exehvkcpidooyvfmdhvq.exe .2⤵PID:4068
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hvkcpidooyvfmdhvq.exe*."3⤵PID:3308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe1⤵PID:1596
-
C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe2⤵PID:4428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe .1⤵PID:5300
-
C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exeC:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe .2⤵PID:4424
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\anbsewqazientjmz.exe*."3⤵PID:3680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe1⤵PID:5828
-
C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exeC:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe2⤵PID:6064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe .1⤵PID:4368
-
C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exeC:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe .2⤵PID:4300
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\dvokbyxmqeftezhzyzrjc.exe*."3⤵PID:4956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bricrmjwykjvexdtqpf.exe1⤵PID:1064
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2240
-
-
C:\Windows\bricrmjwykjvexdtqpf.exebricrmjwykjvexdtqpf.exe2⤵PID:2772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe .1⤵PID:5220
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3992
-
-
C:\Windows\ofxsiecqtggtdxevttkb.exeofxsiecqtggtdxevttkb.exe .2⤵PID:3600
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ofxsiecqtggtdxevttkb.exe*."3⤵PID:5008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe1⤵PID:3892
-
C:\Windows\anbsewqazientjmz.exeanbsewqazientjmz.exe2⤵PID:4432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qfvocwsefqozhzetpn.exe .1⤵PID:2020
-
C:\Windows\qfvocwsefqozhzetpn.exeqfvocwsefqozhzetpn.exe .2⤵PID:4564
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\qfvocwsefqozhzetpn.exe*."3⤵PID:948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe1⤵PID:1920
-
C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe2⤵PID:4972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe .1⤵PID:2456
-
C:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exeC:\Users\Admin\AppData\Local\Temp\dvokbyxmqeftezhzyzrjc.exe .2⤵PID:5024
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\dvokbyxmqeftezhzyzrjc.exe*."3⤵PID:1328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe1⤵PID:4020
-
C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe2⤵PID:3248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .1⤵PID:1900
-
C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .2⤵PID:3396
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hvkcpidooyvfmdhvq.exe*."3⤵PID:3416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe1⤵PID:5532
-
C:\Windows\anbsewqazientjmz.exeanbsewqazientjmz.exe2⤵PID:2100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe .1⤵PID:3136
-
C:\Windows\hvkcpidooyvfmdhvq.exehvkcpidooyvfmdhvq.exe .2⤵PID:6140
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hvkcpidooyvfmdhvq.exe*."3⤵PID:3448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe1⤵PID:2652
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3916
-
-
C:\Windows\anbsewqazientjmz.exeanbsewqazientjmz.exe2⤵PID:4556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe .1⤵PID:1212
-
C:\Windows\ofxsiecqtggtdxevttkb.exeofxsiecqtggtdxevttkb.exe .2⤵PID:640
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ofxsiecqtggtdxevttkb.exe*."3⤵PID:5492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe1⤵PID:1164
-
C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exeC:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe2⤵PID:5860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .1⤵PID:1436
-
C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .2⤵PID:3884
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hvkcpidooyvfmdhvq.exe*."3⤵PID:3824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe1⤵PID:1388
-
C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exeC:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe2⤵PID:5908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .1⤵PID:5736
-
C:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\hvkcpidooyvfmdhvq.exe .2⤵PID:3928
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\hvkcpidooyvfmdhvq.exe*."3⤵PID:1664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qfvocwsefqozhzetpn.exe1⤵PID:3428
-
C:\Windows\qfvocwsefqozhzetpn.exeqfvocwsefqozhzetpn.exe2⤵PID:4792
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe1⤵PID:3820
-
C:\Windows\hvkcpidooyvfmdhvq.exehvkcpidooyvfmdhvq.exe2⤵PID:3644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qfvocwsefqozhzetpn.exe .1⤵PID:5688
-
C:\Windows\qfvocwsefqozhzetpn.exeqfvocwsefqozhzetpn.exe .2⤵PID:4720
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\qfvocwsefqozhzetpn.exe*."3⤵PID:5528
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hvkcpidooyvfmdhvq.exe .1⤵PID:2340
-
C:\Windows\hvkcpidooyvfmdhvq.exehvkcpidooyvfmdhvq.exe .2⤵PID:3016
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\hvkcpidooyvfmdhvq.exe*."3⤵PID:4380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe1⤵PID:1828
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ofxsiecqtggtdxevttkb.exe1⤵PID:424
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe .1⤵PID:4968
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bricrmjwykjvexdtqpf.exe .1⤵PID:2144
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qfvocwsefqozhzetpn.exe1⤵PID:3984
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anbsewqazientjmz.exe1⤵PID:4488
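The tree above repeats one pattern: cmd.exe /c launches a dropped executable, either by full path from the user's Temp directory or by bare name resolved to a copy sitting directly in C:\Windows, and the launched copy then starts vzaljrgxfjk.exe with the launcher's own path plus "*." as its argument. The Python below is an added example, not part of the sandbox report or of the sample, that parses a handful of lines copied from the tree in the fused form shown on this page, rebuilds parent/child links from the depth digit, and flags those three patterns while skipping the conhost.exe children, which the console host spawns for every cmd.exe and which are not indicators. The rule names, the path classes and the sample lines are my own choices.

```python
import re
from collections import Counter

# A few process-tree lines copied from the report, in the fused form the page
# shows them (image path + command line + depth digit + "⤵PID:n" with no
# separators). Constructed sample input; the real tree is far longer.
SAMPLE_LINES = [
    r"C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbutiwomapozhzetpn.exe .1⤵PID:2168",
    r"C:\Users\Admin\AppData\Local\Temp\pbutiwomapozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\pbutiwomapozhzetpn.exe .2⤵PID:2284",
    r'C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\pbutiwomapozhzetpn.exe*."3⤵PID:4300',
    r"C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c anbsewqazientjmz.exe .1⤵PID:4076",
    r"C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6024",
    r"C:\Windows\anbsewqazientjmz.exeanbsewqazientjmz.exe .2⤵PID:1568",
    r'C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\anbsewqazientjmz.exe*."3⤵PID:2456',
]

# image = drive-letter path up to the first ".exe"; cmd = everything up to the
# single depth digit that sits right before the "⤵PID:" marker.
LINE_RE = re.compile(r"^(?P<image>[A-Za-z]:\\.*?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵PID:(?P<pid>\d+)$")

# Assumed path classes (mine, not the sandbox's): an .exe directly in the
# Windows root, and an .exe in the user's %TEMP% directory.
WINDOWS_ROOT_EXE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)
USER_TEMP_EXE = re.compile(r"^[A-Za-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.exe$", re.IGNORECASE)
# The quoted "<path>.exe*." argument handed to vzaljrgxfjk.exe in the tree.
STAR_DOT_ARG = re.compile(r'"[^"]+\.exe\*\."')


def parse_tree(lines):
    """Parse fused lines into dicts and link each node to its parent by depth."""
    nodes, last_at_depth = [], {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, separators, anything that is not a process line
        depth = int(m["depth"])
        node = {"image": m["image"], "cmd": m["cmd"].strip(),
                "depth": depth, "pid": int(m["pid"]),
                "parent": last_at_depth.get(depth - 1)}
        last_at_depth[depth] = node
        for d in [d for d in last_at_depth if d > depth]:
            del last_at_depth[d]  # a new node closes any deeper subtree
        nodes.append(node)
    return nodes


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(nodes):
    """Return (rule, pid, detail) tuples for the three patterns seen in this tree."""
    findings = []
    for n in nodes:
        if basename(n["image"]) == "conhost.exe":
            continue  # console host child of every cmd.exe: sandbox noise, not an IoC
        parent = n["parent"]
        if WINDOWS_ROOT_EXE.match(n["image"]):
            findings.append(("exe_in_windows_root", n["pid"], n["image"]))
        if (parent is not None and basename(parent["image"]) == "cmd.exe"
                and " /c " in parent["cmd"].lower()
                and (WINDOWS_ROOT_EXE.match(n["image"]) or USER_TEMP_EXE.match(n["image"]))):
            findings.append(("cmd_c_launch_of_dropped_exe", n["pid"], n["image"]))
        if STAR_DOT_ARG.search(n["cmd"]):
            findings.append(("star_dot_argument", n["pid"], n["cmd"]))
    return findings


def image_histogram(nodes):
    """How often each image name appears; the repeated names are the copies."""
    return Counter(basename(n["image"]) for n in nodes)


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_LINES)
    for rule, pid, detail in analyse(tree):
        print(f"{rule:30} pid={pid:<5} {detail}")
    print(dict(image_histogram(tree)))
```

On the seven sample lines this reports two cmd.exe /c launches of dropped binaries (PIDs 2284 and 1568), one executable running from the Windows root (PID 1568) and two "*." invocations of vzaljrgxfjk.exe (PIDs 4300 and 2456). Feeding it the whole tree gives the per-image counts that make the copy-and-relaunch loop obvious without reading every line.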
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads
-
Filesize 280B
MD5 21b98af547a1ae70e56ff4e16e6921d2
SHA1 d305447748e62921cbb73089ba2b250a03b3d141
SHA256 3a95ac2d0be65966588c0ff27a6628a6c7777d8b2233cf8a49adda66d2ef4977
SHA512 5edcd47a8a7a65df04f4683a1448946a495f2b0fbb37b5a6c1b3a4f892db55093a35f84ea70bce95dfc73846c28104bf7e2c4982b87f0e4ca0d3dbc8d65f61cb
-
Filesize 280B
MD5 a653210de949aafba5c091bccc054690
SHA1 c17db139ca9d4de68f41b7047c8cc826b399a28c
SHA256 75f89fd6a1e312b54e0bc6f151e145f061029a39e51c147abac9753570d06983
SHA512 b09d4125a8852b696585d8fb73e0d7f55e17fc65e058eb0235016cf581bb7e7a17ab8f91815f3a3bce3ad436ae2e10cea64e64382b3e724d1fe1d19fbc09ef9c
-
Filesize 280B
MD5 8b5eb976ea650e77765eddde0625893c
SHA1 9cf6cee48b22679a390ebee196b57a0a57c39d36
SHA256 bcd1f9fdfb365f86e0ef7dae33747219903865441e6bee4442d84dfedb130770
SHA512 621ecc2f2e36f688f7bbad0d4a7420ba7c2fc026647061e39fea1ed7a92fd6d227558706b55f34ed3c24cf75391e2d929e22f6e558ac33ec6bd8cf37771fe37a
-
Filesize 280B
MD5 75ad5867a995a77f89ca7b21da6cab34
SHA1 33593754bf74fccad326d70edbf1ec4a8f2aaeb0
SHA256 9c4b0d833451f431855a3282e273a7f4cfba77d02e10399edb8ce76c4fbdc02b
SHA512 085376350842d05c1e48d7fae223fa7b28cef4ad1d04a48648f3dd95d4f27d5758981b29185419f43f3e903ff8aa1292a0e934875bae96a18057cd387c3fc9a1
-
Filesize 280B
MD5 7b8769f6309bae52e3516b9cdfa62cdd
SHA1 cc1a120640f4d360156b83919e593e4a6435c218
SHA256 545a5aed356083c7d57934b1a7aa152ffc9e26c32fc97f36684905a98d7f7a69
SHA512 62fe62a0a29af33566ee1d989b5ee4c237f3ed83f66b0aa0e60128ff7c73df8d242d7054b2e93aeeb6cad94040a5883aa1b80466a41c9f9ab0beed64bbfd9edc
-
Filesize 280B
MD5 b6c4afbbed88bf6673d74e159a4c1e15
SHA1 b86c117cc6540ebc33c79ea810024ea9bddb9186
SHA256 936b126f487ec26a7944aed7fb6f117e565631a47e80af9f4a9b824c7815e381
SHA512 95e3f1da51d7f07fe2d422c99fa60be6382a5f3a45123b675b60e0de767f0dc3246e410e930d9a4790c5693a62bd0c623570bd8cd6880cdf38b3986cb801436f
-
Filesize 700KB
MD5 315eda4cc67b7bf0cb8c0dfa1229f695
SHA1 268eb60b65fcfc3d27f81696fd75fd0f6ad61a1f
SHA256 49c05ff46b757ca5d32462a5812b523ceb3c3110f7be415b6194a9e996e4e1b3
SHA512 0fc2cad4c4678a0e2f0549f690fb6980fd8e6441dae5b6a1ed81f27f3a6cd2f092b3f2b650da4a6a35da54a4ff933d3da27ba5e7640c6df9631530b17de0f2fc
-
Filesize 320KB
MD5 54aeff0c4fd8fc2e88e767ac2b0ea55d
SHA1 cc71cb7d188f1bd86a2513ab51b7cf48f40a57ee
SHA256 eb41da70b4797f753d6aa4e320b88eee9936bdad9a2c5a0a4036e077303760d6
SHA512 d3ef262ec71e24a1f3d515332afe14a2bad30272fbadd5619363fcedcf53dfd7671aea8dd396a03935017235965581cfd2c1acd5d9437654e6d666d35dc31052
-
Filesize 280B
MD5 7e3c95ff7b9b373611a9c770cd73104b
SHA1 25d6fa3ddf52ec877a0326beaeb23c4d26698109
SHA256 48aabdda7bf55bb32c21855025c725101efcf34b7b1b2bb0e390c686c4828d38
SHA512 694e76ebf72e0097ae08e32bf10876a4c9110e2665151352cef880374d062fabf100a48c62391385a4aa2e4baa1cd4e7af3617a882214d935fb60e3ae29f3e10
-
Filesize 4KB
MD5 b1003d4a1dd67a3664c0d197dfec91db
SHA1 78664d370202bc23f9a3ad9b97aeb0d918d3c5c6
SHA256 03f1f9ff236c433874a4fb62754982ef27168ed93db81178f222c7b7332f8b7b
SHA512 0e45a190d93893f9551e78563d1dd8619072c97a2ded5644ea241e04dbb67d30ead2387578afc769c1b6d9b1e1025c27321e232676f7b67263fb79f1d923c192
-
Filesize 596KB
MD5 bad3aa8bfd42552d828c35c8202f43f6
SHA1 8e4baedd28bfa1b0cad3643a3dee24449a0a1df9
SHA256 395f67fccccbea1c99cb243f2ff7994bfc211a19b3e3b583be219265b060d828
SHA512 ec58caa9b81e0f590f38b2592fab525b2f1efd3ab7fe89009dfc6bf8cf35c713d487f2ae9038175545261e3071901ec82699e302b07159de0543727c8a430421