Analysis
-
max time kernel
49s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20250410-en -
resource tags
arch:x64 arch:x86 image:win11-20250410-en locale:en-us os:windows11-21h2-x64 system -
submitted
18/04/2025, 22:53
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral2
Sample
JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe
Resource
win11-20250410-en
General
-
Target
JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe
-
Size
604KB
-
MD5
c01efe28cc72f758cb5548c1b0f4afe1
-
SHA1
23a4aae9c403e8a8484e80780ad911459332bcd6
-
SHA256
b8fda1b4500ac5fa17c42f664f5708ce394b039f1a18fc7e526b714df784af6b
-
SHA512
b1ce44a9919ea0ee91cb3b6d94522656102d95e8c5589d13736045b1919d908fa17e6bf07921e4e94cdc54f3abdc15be3c8fe82a347f6ea955e6958e045ca316
-
SSDEEP
12288:UpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsdrvjXFkvOTT6TEF:UpUNr6YkVRFkgbeqeo68FhqCvLFtT6AF
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 26 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" jowdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" jowdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ruvqshgobef.exe -
Pykspa family
-
UAC bypass 3 TTPs 38 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" 
ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe -
Detect Pykspa worm 2 IoCs
resource yara_rule behavioral2/files/0x001000000002ad9d-4.dat family_pykspa behavioral2/files/0x001900000002b358-82.dat family_pykspa -
Adds policy Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ckvfmtjty = "ysplexzvmgtejvudvrlie.exe" jowdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jowdhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ysplexzvmgtejvudvrlie.exe" jowdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jowdhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csldshfxkajqrzuzn.exe" ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ckvfmtjty = "lcwpfvunbsckmvrxmf.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jowdhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ysplexzvmgtejvudvrlie.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jowdhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ysplexzvmgtejvudvrlie.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jowdhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkcthvsjvksyyfzd.exe" ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run jowdhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\twyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zocrkvkjwiaioovp.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jowdhl = 
"C:\\Users\\Admin\\AppData\\Local\\Temp\\jcytldezpiueitrzqlea.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\twyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngyrodwzqgcoycnltkjc.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ckvfmtjty = "csldshfxkajqrzuzn.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aglrbdj = "zocrkvkjwiaioovp.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ckvfmtjty = "jcytldezpiueitrzqlea.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\twyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asjbxldfvkfqzcmjqge.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jowdhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcwpfvunbsckmvrxmf.exe" jowdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ckvfmtjty = "csldshfxkajqrzuzn.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ckvfmtjty = "csldshfxkajqrzuzn.exe" ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ckvfmtjty = "vkcthvsjvksyyfzd.exe" jowdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ckvfmtjty = "ysplexzvmgtejvudvrlie.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jowdhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wojdullfumxgjtqxnhz.exe" ruvqshgobef.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ckvfmtjty = "csldshfxkajqrzuzn.exe" jowdhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ckvfmtjty = "vkcthvsjvksyyfzd.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jowdhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wojdullfumxgjtqxnhz.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jowdhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wojdullfumxgjtqxnhz.exe" jowdhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ckvfmtjty = "ysplexzvmgtejvudvrlie.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jowdhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wojdullfumxgjtqxnhz.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ckvfmtjty = "wojdullfumxgjtqxnhz.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ckvfmtjty = "lcwpfvunbsckmvrxmf.exe" jowdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ckvfmtjty = "vkcthvsjvksyyfzd.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jowdhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcwpfvunbsckmvrxmf.exe" ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ruvqshgobef.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ckvfmtjty = "vkcthvsjvksyyfzd.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ckvfmtjty = "jcytldezpiueitrzqlea.exe" ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jowdhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkcthvsjvksyyfzd.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jowdhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csldshfxkajqrzuzn.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ckvfmtjty = "ysplexzvmgtejvudvrlie.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jowdhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkcthvsjvksyyfzd.exe" jowdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ckvfmtjty = "wojdullfumxgjtqxnhz.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aglrbdj = "ngyrodwzqgcoycnltkjc.exe" ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run jowdhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jowdhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ysplexzvmgtejvudvrlie.exe" ruvqshgobef.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jowdhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ysplexzvmgtejvudvrlie.exe" ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ckvfmtjty = "ysplexzvmgtejvudvrlie.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jowdhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ysplexzvmgtejvudvrlie.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jowdhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jcytldezpiueitrzqlea.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jowdhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcwpfvunbsckmvrxmf.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ckvfmtjty = "ysplexzvmgtejvudvrlie.exe" ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jowdhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ysplexzvmgtejvudvrlie.exe" ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ckvfmtjty = "jcytldezpiueitrzqlea.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jowdhl = 
"C:\\Users\\Admin\\AppData\\Local\\Temp\\vkcthvsjvksyyfzd.exe" ruvqshgobef.exe -
Disables RegEdit via registry modification 8 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ruvqshgobef.exe Set value (int) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ruvqshgobef.exe Set value (int) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" jowdhl.exe Set value (int) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ruvqshgobef.exe -
Executes dropped EXE 64 IoCs
pid Process 1488 ruvqshgobef.exe 4532 jcytldezpiueitrzqlea.exe 4808 csldshfxkajqrzuzn.exe 3776 ruvqshgobef.exe 4840 csldshfxkajqrzuzn.exe 540 lcwpfvunbsckmvrxmf.exe 1232 ruvqshgobef.exe 1052 lcwpfvunbsckmvrxmf.exe 2256 vkcthvsjvksyyfzd.exe 4396 ruvqshgobef.exe 5824 vkcthvsjvksyyfzd.exe 2068 jcytldezpiueitrzqlea.exe 2520 ruvqshgobef.exe 1740 jowdhl.exe 1080 jowdhl.exe 3920 vkcthvsjvksyyfzd.exe 2596 jcytldezpiueitrzqlea.exe 1636 vkcthvsjvksyyfzd.exe 3936 jcytldezpiueitrzqlea.exe 1460 ruvqshgobef.exe 4320 ruvqshgobef.exe 804 csldshfxkajqrzuzn.exe 3456 ysplexzvmgtejvudvrlie.exe 2836 vkcthvsjvksyyfzd.exe 5948 ruvqshgobef.exe 968 lcwpfvunbsckmvrxmf.exe 5928 jcytldezpiueitrzqlea.exe 2988 lcwpfvunbsckmvrxmf.exe 3476 ysplexzvmgtejvudvrlie.exe 6124 ysplexzvmgtejvudvrlie.exe 3180 ruvqshgobef.exe 4636 ruvqshgobef.exe 2160 ruvqshgobef.exe 1160 lcwpfvunbsckmvrxmf.exe 5216 wojdullfumxgjtqxnhz.exe 4900 wojdullfumxgjtqxnhz.exe 4984 lcwpfvunbsckmvrxmf.exe 4592 ruvqshgobef.exe 4692 ruvqshgobef.exe 2468 csldshfxkajqrzuzn.exe 2880 csldshfxkajqrzuzn.exe 4400 ruvqshgobef.exe 2436 wojdullfumxgjtqxnhz.exe 5824 jcytldezpiueitrzqlea.exe 480 lcwpfvunbsckmvrxmf.exe 1804 ruvqshgobef.exe 2856 jcytldezpiueitrzqlea.exe 356 ruvqshgobef.exe 5692 lcwpfvunbsckmvrxmf.exe 4108 ysplexzvmgtejvudvrlie.exe 5176 ruvqshgobef.exe 4464 vkcthvsjvksyyfzd.exe 4060 ysplexzvmgtejvudvrlie.exe 3920 ruvqshgobef.exe 2404 csldshfxkajqrzuzn.exe 72 ysplexzvmgtejvudvrlie.exe 5896 jcytldezpiueitrzqlea.exe 3268 vkcthvsjvksyyfzd.exe 1936 vkcthvsjvksyyfzd.exe 1516 ruvqshgobef.exe 3928 wojdullfumxgjtqxnhz.exe 1620 ysplexzvmgtejvudvrlie.exe 3564 ruvqshgobef.exe 2700 ysplexzvmgtejvudvrlie.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager jowdhl.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys jowdhl.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc jowdhl.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power jowdhl.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys jowdhl.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc jowdhl.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lsclrxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wojdullfumxgjtqxnhz.exe ." jowdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lsclrxmv = "jcytldezpiueitrzqlea.exe ." ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lsclrxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkcthvsjvksyyfzd.exe ." jowdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nswbkl = "ngyrodwzqgcoycnltkjc.exe ." ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wcltydr = "ysplexzvmgtejvudvrlie.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nymzjtmzhswy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csldshfxkajqrzuzn.exe ." ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wcltydr = "jcytldezpiueitrzqlea.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wcltydr = "vkcthvsjvksyyfzd.exe" jowdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wcltydr = "csldshfxkajqrzuzn.exe" ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qanzirjvcmp = "jcytldezpiueitrzqlea.exe ." 
ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Run\wcltydr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csldshfxkajqrzuzn.exe" jowdhl.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lsclrxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkcthvsjvksyyfzd.exe ." ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lsclrxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jcytldezpiueitrzqlea.exe ." ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wcltydr = "csldshfxkajqrzuzn.exe" ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qanzirjvcmp = "jcytldezpiueitrzqlea.exe ." ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mynbmxrfoafif = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ysplexzvmgtejvudvrlie.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lsclrxmv = "wojdullfumxgjtqxnhz.exe ." ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lsclrxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkcthvsjvksyyfzd.exe ." ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nymzjtmzhswy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wojdullfumxgjtqxnhz.exe ." 
jowdhl.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Run\wcltydr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkcthvsjvksyyfzd.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nymzjtmzhswy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jcytldezpiueitrzqlea.exe ." ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wcltydr = "ysplexzvmgtejvudvrlie.exe" ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lsclrxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wojdullfumxgjtqxnhz.exe ." jowdhl.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lsclrxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wojdullfumxgjtqxnhz.exe ." ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mynbmxrfoafif = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wojdullfumxgjtqxnhz.exe" ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Run\cgjnv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zocrkvkjwiaioovp.exe" ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lsclrxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jcytldezpiueitrzqlea.exe ." ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lsclrxmv = "vkcthvsjvksyyfzd.exe ." ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qanzirjvcmp = "wojdullfumxgjtqxnhz.exe ." 
ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Run\cgjnv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgwnivmncqkucenjpe.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mynbmxrfoafif = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcwpfvunbsckmvrxmf.exe" jowdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lsclrxmv = "ysplexzvmgtejvudvrlie.exe ." ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wcltydr = "wojdullfumxgjtqxnhz.exe" ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Run\wcltydr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jcytldezpiueitrzqlea.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nymzjtmzhswy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcwpfvunbsckmvrxmf.exe ." ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wcltydr = "jcytldezpiueitrzqlea.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lsclrxmv = "lcwpfvunbsckmvrxmf.exe ." ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Run\wcltydr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jcytldezpiueitrzqlea.exe" ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Run\veqbjritzi = "wojdullfumxgjtqxnhz.exe" jowdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nswbkl = "cwpjhxrvnebozeqpyqqkd.exe ." 
ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mynbmxrfoafif = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkcthvsjvksyyfzd.exe" ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Run\veqbjritzi = "vkcthvsjvksyyfzd.exe" ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lsclrxmv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkcthvsjvksyyfzd.exe ." ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Run\wcltydr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ysplexzvmgtejvudvrlie.exe" ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Run\wcltydr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wojdullfumxgjtqxnhz.exe" ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Run\wcltydr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkcthvsjvksyyfzd.exe" ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qanzirjvcmp = "jcytldezpiueitrzqlea.exe ." ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wcltydr = "csldshfxkajqrzuzn.exe" ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qanzirjvcmp = "jcytldezpiueitrzqlea.exe ." 
ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wcltydr = "lcwpfvunbsckmvrxmf.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lsclrxmv = "vkcthvsjvksyyfzd.exe ." ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qanzirjvcmp = "wojdullfumxgjtqxnhz.exe ." ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Run\wcltydr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ysplexzvmgtejvudvrlie.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lsclrxmv = "jcytldezpiueitrzqlea.exe ." ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mynbmxrfoafif = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wojdullfumxgjtqxnhz.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nymzjtmzhswy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkcthvsjvksyyfzd.exe ." ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Run\veqbjritzi = "vkcthvsjvksyyfzd.exe" jowdhl.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\Run\wcltydr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcwpfvunbsckmvrxmf.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nymzjtmzhswy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wojdullfumxgjtqxnhz.exe ." ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qanzirjvcmp = "vkcthvsjvksyyfzd.exe ." 
ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wcltydr = "wojdullfumxgjtqxnhz.exe" ruvqshgobef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wcltydr = "vkcthvsjvksyyfzd.exe" jowdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgjnv = "cwpjhxrvnebozeqpyqqkd.exe" ruvqshgobef.exe Set value (str) \REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qanzirjvcmp = "jcytldezpiueitrzqlea.exe ." ruvqshgobef.exe -
Checks whether UAC is enabled and sets EnableLUA = 0 (disables UAC) 1 TTPs 52 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" jowdhl.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Key value queried 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jowdhl.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Key value queried 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe -
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 4 IoCs
Possibly turns off User Account Control's installer detection (EnableInstallerDetection = 0), which governs whether installer-like executables are prompted for privilege elevation for standard users.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" ruvqshgobef.exe -
Looks up external IP address via web service 6 IoCs
Uses legitimate public IP-lookup services (listed below) to discover the infected system's external IP address; these domains are useful network indicators for this sample, but they are also contacted by benign software and should not be treated as malicious on their own.
flow ioc 5 whatismyip.everdot.org 5 www.whatismyip.ca 1 whatismyip.everdot.org 1 www.showmyipaddress.com 1 whatismyipaddress.com 1 www.whatismyip.ca -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\pkifztwtlgugmzzjczuspj.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\jcytldezpiueitrzqlea.exe jowdhl.exe File created C:\Windows\SysWOW64\deillluxvwqiuntjilmqtttc.dey jowdhl.exe File opened for modification C:\Windows\SysWOW64\wojdullfumxgjtqxnhz.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\lcwpfvunbsckmvrxmf.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\vkcthvsjvksyyfzd.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\jcytldezpiueitrzqlea.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\ysplexzvmgtejvudvrlie.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\vkcthvsjvksyyfzd.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\lcwpfvunbsckmvrxmf.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\csldshfxkajqrzuzn.exe jowdhl.exe File opened for modification C:\Windows\SysWOW64\lcwpfvunbsckmvrxmf.exe jowdhl.exe File opened for modification C:\Windows\SysWOW64\vkcthvsjvksyyfzd.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\vkcthvsjvksyyfzd.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\pkifztwtlgugmzzjczuspj.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\pkifztwtlgugmzzjczuspj.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\mynbmxrfoafifjablzlaozkesbnsvswnoym.nbm jowdhl.exe File opened for modification C:\Windows\SysWOW64\jcytldezpiueitrzqlea.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\csldshfxkajqrzuzn.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\vkcthvsjvksyyfzd.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\wojdullfumxgjtqxnhz.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\jcytldezpiueitrzqlea.exe ruvqshgobef.exe File opened for modification 
C:\Windows\SysWOW64\csldshfxkajqrzuzn.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\csldshfxkajqrzuzn.exe jowdhl.exe File opened for modification C:\Windows\SysWOW64\lcwpfvunbsckmvrxmf.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\vkcthvsjvksyyfzd.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\wojdullfumxgjtqxnhz.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\jcytldezpiueitrzqlea.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\ysplexzvmgtejvudvrlie.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\pkifztwtlgugmzzjczuspj.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\csldshfxkajqrzuzn.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\jcytldezpiueitrzqlea.exe jowdhl.exe File opened for modification C:\Windows\SysWOW64\ysplexzvmgtejvudvrlie.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\vkcthvsjvksyyfzd.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\jcytldezpiueitrzqlea.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\ysplexzvmgtejvudvrlie.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\jcytldezpiueitrzqlea.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\ysplexzvmgtejvudvrlie.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\pkifztwtlgugmzzjczuspj.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\ysplexzvmgtejvudvrlie.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\wojdullfumxgjtqxnhz.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\vkcthvsjvksyyfzd.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\csldshfxkajqrzuzn.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\csldshfxkajqrzuzn.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\lcwpfvunbsckmvrxmf.exe 
ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\wojdullfumxgjtqxnhz.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\ysplexzvmgtejvudvrlie.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\jcytldezpiueitrzqlea.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\ysplexzvmgtejvudvrlie.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\pkifztwtlgugmzzjczuspj.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\ysplexzvmgtejvudvrlie.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\vkcthvsjvksyyfzd.exe jowdhl.exe File opened for modification C:\Windows\SysWOW64\vkcthvsjvksyyfzd.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\lcwpfvunbsckmvrxmf.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\ysplexzvmgtejvudvrlie.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\lcwpfvunbsckmvrxmf.exe jowdhl.exe File opened for modification C:\Windows\SysWOW64\ysplexzvmgtejvudvrlie.exe jowdhl.exe File opened for modification C:\Windows\SysWOW64\csldshfxkajqrzuzn.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\pkifztwtlgugmzzjczuspj.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\lcwpfvunbsckmvrxmf.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\jcytldezpiueitrzqlea.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\csldshfxkajqrzuzn.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\wojdullfumxgjtqxnhz.exe ruvqshgobef.exe File opened for modification C:\Windows\SysWOW64\csldshfxkajqrzuzn.exe ruvqshgobef.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files (x86)\deillluxvwqiuntjilmqtttc.dey jowdhl.exe File opened for modification C:\Program Files (x86)\mynbmxrfoafifjablzlaozkesbnsvswnoym.nbm jowdhl.exe File created C:\Program Files (x86)\mynbmxrfoafifjablzlaozkesbnsvswnoym.nbm jowdhl.exe File opened for modification C:\Program Files (x86)\deillluxvwqiuntjilmqtttc.dey jowdhl.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\csldshfxkajqrzuzn.exe jowdhl.exe File opened for modification C:\Windows\lcwpfvunbsckmvrxmf.exe ruvqshgobef.exe File opened for modification C:\Windows\pkifztwtlgugmzzjczuspj.exe ruvqshgobef.exe File opened for modification C:\Windows\jcytldezpiueitrzqlea.exe ruvqshgobef.exe File opened for modification C:\Windows\csldshfxkajqrzuzn.exe ruvqshgobef.exe File opened for modification C:\Windows\pkifztwtlgugmzzjczuspj.exe ruvqshgobef.exe File opened for modification C:\Windows\lcwpfvunbsckmvrxmf.exe ruvqshgobef.exe File opened for modification C:\Windows\vkcthvsjvksyyfzd.exe ruvqshgobef.exe File opened for modification C:\Windows\ysplexzvmgtejvudvrlie.exe jowdhl.exe File opened for modification C:\Windows\jcytldezpiueitrzqlea.exe ruvqshgobef.exe File opened for modification C:\Windows\ysplexzvmgtejvudvrlie.exe ruvqshgobef.exe File opened for modification C:\Windows\ysplexzvmgtejvudvrlie.exe ruvqshgobef.exe File opened for modification C:\Windows\csldshfxkajqrzuzn.exe ruvqshgobef.exe File opened for modification C:\Windows\jcytldezpiueitrzqlea.exe ruvqshgobef.exe File opened for modification C:\Windows\vkcthvsjvksyyfzd.exe ruvqshgobef.exe File opened for modification C:\Windows\lcwpfvunbsckmvrxmf.exe ruvqshgobef.exe File opened for modification C:\Windows\wojdullfumxgjtqxnhz.exe ruvqshgobef.exe File opened for modification C:\Windows\jcytldezpiueitrzqlea.exe ruvqshgobef.exe File opened for modification C:\Windows\jcytldezpiueitrzqlea.exe ruvqshgobef.exe File opened for modification C:\Windows\wojdullfumxgjtqxnhz.exe jowdhl.exe File opened for modification C:\Windows\jcytldezpiueitrzqlea.exe ruvqshgobef.exe File opened for modification C:\Windows\lcwpfvunbsckmvrxmf.exe jowdhl.exe File opened for modification C:\Windows\jcytldezpiueitrzqlea.exe ruvqshgobef.exe File opened for modification C:\Windows\vkcthvsjvksyyfzd.exe ruvqshgobef.exe File opened for modification C:\Windows\ysplexzvmgtejvudvrlie.exe 
ruvqshgobef.exe File opened for modification C:\Windows\pkifztwtlgugmzzjczuspj.exe ruvqshgobef.exe File opened for modification C:\Windows\ysplexzvmgtejvudvrlie.exe ruvqshgobef.exe File opened for modification C:\Windows\wojdullfumxgjtqxnhz.exe jowdhl.exe File opened for modification C:\Windows\vkcthvsjvksyyfzd.exe ruvqshgobef.exe File opened for modification C:\Windows\csldshfxkajqrzuzn.exe ruvqshgobef.exe File opened for modification C:\Windows\lcwpfvunbsckmvrxmf.exe ruvqshgobef.exe File opened for modification C:\Windows\vkcthvsjvksyyfzd.exe ruvqshgobef.exe File opened for modification C:\Windows\wojdullfumxgjtqxnhz.exe ruvqshgobef.exe File opened for modification C:\Windows\pkifztwtlgugmzzjczuspj.exe ruvqshgobef.exe File opened for modification C:\Windows\pkifztwtlgugmzzjczuspj.exe jowdhl.exe File opened for modification C:\Windows\jcytldezpiueitrzqlea.exe ruvqshgobef.exe File opened for modification C:\Windows\vkcthvsjvksyyfzd.exe ruvqshgobef.exe File opened for modification C:\Windows\csldshfxkajqrzuzn.exe ruvqshgobef.exe File opened for modification C:\Windows\lcwpfvunbsckmvrxmf.exe ruvqshgobef.exe File opened for modification C:\Windows\jcytldezpiueitrzqlea.exe jowdhl.exe File opened for modification C:\Windows\jcytldezpiueitrzqlea.exe ruvqshgobef.exe File opened for modification C:\Windows\pkifztwtlgugmzzjczuspj.exe ruvqshgobef.exe File opened for modification C:\Windows\ysplexzvmgtejvudvrlie.exe ruvqshgobef.exe File opened for modification C:\Windows\lcwpfvunbsckmvrxmf.exe ruvqshgobef.exe File opened for modification C:\Windows\csldshfxkajqrzuzn.exe ruvqshgobef.exe File opened for modification C:\Windows\lcwpfvunbsckmvrxmf.exe ruvqshgobef.exe File opened for modification C:\Windows\lcwpfvunbsckmvrxmf.exe ruvqshgobef.exe File opened for modification C:\Windows\vkcthvsjvksyyfzd.exe ruvqshgobef.exe File opened for modification C:\Windows\ysplexzvmgtejvudvrlie.exe ruvqshgobef.exe File opened for modification C:\Windows\csldshfxkajqrzuzn.exe ruvqshgobef.exe 
File opened for modification C:\Windows\vkcthvsjvksyyfzd.exe ruvqshgobef.exe File opened for modification C:\Windows\lcwpfvunbsckmvrxmf.exe ruvqshgobef.exe File opened for modification C:\Windows\wojdullfumxgjtqxnhz.exe ruvqshgobef.exe File opened for modification C:\Windows\csldshfxkajqrzuzn.exe ruvqshgobef.exe File opened for modification C:\Windows\ysplexzvmgtejvudvrlie.exe ruvqshgobef.exe File opened for modification C:\Windows\wojdullfumxgjtqxnhz.exe ruvqshgobef.exe File opened for modification C:\Windows\jcytldezpiueitrzqlea.exe ruvqshgobef.exe File opened for modification C:\Windows\lcwpfvunbsckmvrxmf.exe ruvqshgobef.exe File opened for modification C:\Windows\vkcthvsjvksyyfzd.exe ruvqshgobef.exe File opened for modification C:\Windows\vkcthvsjvksyyfzd.exe ruvqshgobef.exe File opened for modification C:\Windows\mynbmxrfoafifjablzlaozkesbnsvswnoym.nbm jowdhl.exe File opened for modification C:\Windows\ysplexzvmgtejvudvrlie.exe ruvqshgobef.exe File opened for modification C:\Windows\csldshfxkajqrzuzn.exe ruvqshgobef.exe File opened for modification C:\Windows\lcwpfvunbsckmvrxmf.exe jowdhl.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jcytldezpiueitrzqlea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wojdullfumxgjtqxnhz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cwpjhxrvnebozeqpyqqkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jcytldezpiueitrzqlea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jcytldezpiueitrzqlea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wojdullfumxgjtqxnhz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jcytldezpiueitrzqlea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysplexzvmgtejvudvrlie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csldshfxkajqrzuzn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csldshfxkajqrzuzn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wojdullfumxgjtqxnhz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lcwpfvunbsckmvrxmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lcwpfvunbsckmvrxmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lcwpfvunbsckmvrxmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csldshfxkajqrzuzn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language asjbxldfvkfqzcmjqge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jcytldezpiueitrzqlea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysplexzvmgtejvudvrlie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysplexzvmgtejvudvrlie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ngyrodwzqgcoycnltkjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
ruvqshgobef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jcytldezpiueitrzqlea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vkcthvsjvksyyfzd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jcytldezpiueitrzqlea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vkcthvsjvksyyfzd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vkcthvsjvksyyfzd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wojdullfumxgjtqxnhz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vkcthvsjvksyyfzd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csldshfxkajqrzuzn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysplexzvmgtejvudvrlie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jcytldezpiueitrzqlea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jcytldezpiueitrzqlea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lcwpfvunbsckmvrxmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cwpjhxrvnebozeqpyqqkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vkcthvsjvksyyfzd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lcwpfvunbsckmvrxmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wojdullfumxgjtqxnhz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vkcthvsjvksyyfzd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wojdullfumxgjtqxnhz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lcwpfvunbsckmvrxmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jcytldezpiueitrzqlea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lcwpfvunbsckmvrxmf.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zocrkvkjwiaioovp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gwlbvhxxlyrahiqlq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysplexzvmgtejvudvrlie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jcytldezpiueitrzqlea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ngyrodwzqgcoycnltkjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysplexzvmgtejvudvrlie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysplexzvmgtejvudvrlie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jcytldezpiueitrzqlea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vkcthvsjvksyyfzd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lcwpfvunbsckmvrxmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csldshfxkajqrzuzn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysplexzvmgtejvudvrlie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wojdullfumxgjtqxnhz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vkcthvsjvksyyfzd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysplexzvmgtejvudvrlie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csldshfxkajqrzuzn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysplexzvmgtejvudvrlie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jcytldezpiueitrzqlea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zocrkvkjwiaioovp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
wojdullfumxgjtqxnhz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wojdullfumxgjtqxnhz.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 1740 jowdhl.exe 1740 jowdhl.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 
JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 1740 jowdhl.exe 1740 jowdhl.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1740 jowdhl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2736 wrote to memory of 1488 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 80 PID 2736 wrote to memory of 1488 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 80 PID 2736 wrote to memory of 1488 2736 JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe 80 PID 1296 wrote to memory of 4532 1296 cmd.exe 83 PID 1296 wrote to memory of 4532 1296 cmd.exe 83 PID 1296 wrote to memory of 4532 1296 cmd.exe 83 PID 2356 wrote to memory of 4808 2356 cmd.exe 86 PID 2356 wrote to memory of 4808 2356 cmd.exe 86 PID 2356 wrote to memory of 4808 2356 cmd.exe 86 PID 4808 wrote to memory of 3776 4808 csldshfxkajqrzuzn.exe 87 PID 4808 wrote to memory of 3776 4808 csldshfxkajqrzuzn.exe 87 PID 4808 wrote to memory of 3776 4808 csldshfxkajqrzuzn.exe 87 PID 4228 wrote to memory of 4840 4228 cmd.exe 90 PID 4228 wrote to memory of 4840 4228 cmd.exe 90 PID 4228 wrote to memory of 4840 4228 cmd.exe 90 PID 4784 wrote to memory of 540 4784 cmd.exe 93 PID 4784 wrote to memory of 540 4784 cmd.exe 93 PID 4784 wrote to memory of 540 4784 cmd.exe 93 PID 540 wrote to memory of 1232 540 lcwpfvunbsckmvrxmf.exe 96 PID 540 wrote to memory of 1232 540 lcwpfvunbsckmvrxmf.exe 96 PID 540 wrote to memory of 1232 540 lcwpfvunbsckmvrxmf.exe 96 PID 3624 wrote to memory of 1052 3624 cmd.exe 98 PID 3624 wrote to memory of 1052 3624 cmd.exe 98 PID 3624 wrote to memory of 1052 3624 cmd.exe 98 PID 1772 wrote to memory of 2256 1772 cmd.exe 100 PID 1772 wrote to memory of 2256 1772 cmd.exe 100 PID 1772 wrote to memory of 2256 1772 cmd.exe 100 PID 2256 wrote to memory of 4396 2256 vkcthvsjvksyyfzd.exe 101 PID 2256 wrote to memory of 4396 2256 vkcthvsjvksyyfzd.exe 101 PID 2256 wrote to memory of 4396 2256 vkcthvsjvksyyfzd.exe 101 PID 3648 wrote to memory of 5824 3648 cmd.exe 104 PID 3648 wrote to memory of 5824 3648 cmd.exe 104 PID 3648 wrote to memory of 5824 3648 cmd.exe 104 PID 5836 wrote to memory of 2068 5836 cmd.exe 107 PID 5836 wrote to memory of 2068 5836 
cmd.exe 107 PID 5836 wrote to memory of 2068 5836 cmd.exe 107 PID 2068 wrote to memory of 2520 2068 jcytldezpiueitrzqlea.exe 108 PID 2068 wrote to memory of 2520 2068 jcytldezpiueitrzqlea.exe 108 PID 2068 wrote to memory of 2520 2068 jcytldezpiueitrzqlea.exe 108 PID 1488 wrote to memory of 1740 1488 ruvqshgobef.exe 109 PID 1488 wrote to memory of 1740 1488 ruvqshgobef.exe 109 PID 1488 wrote to memory of 1740 1488 ruvqshgobef.exe 109 PID 1488 wrote to memory of 1080 1488 ruvqshgobef.exe 110 PID 1488 wrote to memory of 1080 1488 ruvqshgobef.exe 110 PID 1488 wrote to memory of 1080 1488 ruvqshgobef.exe 110 PID 2640 wrote to memory of 3920 2640 cmd.exe 113 PID 2640 wrote to memory of 3920 2640 cmd.exe 113 PID 2640 wrote to memory of 3920 2640 cmd.exe 113 PID 3268 wrote to memory of 2596 3268 cmd.exe 116 PID 3268 wrote to memory of 2596 3268 cmd.exe 116 PID 3268 wrote to memory of 2596 3268 cmd.exe 116 PID 104 wrote to memory of 1636 104 cmd.exe 119 PID 104 wrote to memory of 1636 104 cmd.exe 119 PID 104 wrote to memory of 1636 104 cmd.exe 119 PID 4392 wrote to memory of 3936 4392 cmd.exe 122 PID 4392 wrote to memory of 3936 4392 cmd.exe 122 PID 4392 wrote to memory of 3936 4392 cmd.exe 122 PID 1636 wrote to memory of 1460 1636 vkcthvsjvksyyfzd.exe 125 PID 1636 wrote to memory of 1460 1636 vkcthvsjvksyyfzd.exe 125 PID 1636 wrote to memory of 1460 1636 vkcthvsjvksyyfzd.exe 125 PID 3936 wrote to memory of 4320 3936 jcytldezpiueitrzqlea.exe 326 PID 3936 wrote to memory of 4320 3936 jcytldezpiueitrzqlea.exe 326 PID 3936 wrote to memory of 4320 3936 jcytldezpiueitrzqlea.exe 326 PID 4340 wrote to memory of 804 4340 cmd.exe 127 -
System policy modification 1 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" jowdhl.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" jowdhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ruvqshgobef.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" jowdhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" jowdhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" jowdhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ruvqshgobef.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" jowdhl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" jowdhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ruvqshgobef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" ruvqshgobef.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ruvqshgobef.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c01efe28cc72f758cb5548c1b0f4afe1.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1488 -
C:\Users\Admin\AppData\Local\Temp\jowdhl.exe"C:\Users\Admin\AppData\Local\Temp\jowdhl.exe" "-C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1740
-
-
C:\Users\Admin\AppData\Local\Temp\jowdhl.exe"C:\Users\Admin\AppData\Local\Temp\jowdhl.exe" "-C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe1⤵
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\csldshfxkajqrzuzn.exe*."3⤵
- Executes dropped EXE
PID:3776
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe2⤵
- Executes dropped EXE
PID:4840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\lcwpfvunbsckmvrxmf.exe*."3⤵
- Executes dropped EXE
PID:1232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe2⤵
- Executes dropped EXE
PID:1052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\vkcthvsjvksyyfzd.exe*."3⤵
- Executes dropped EXE
PID:4396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe2⤵
- Executes dropped EXE
PID:5824
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5836 -
C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exeC:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\jcytldezpiueitrzqlea.exe*."3⤵
- Executes dropped EXE
PID:2520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vkcthvsjvksyyfzd.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\vkcthvsjvksyyfzd.exevkcthvsjvksyyfzd.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3920
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe2⤵
- Executes dropped EXE
PID:2596
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vkcthvsjvksyyfzd.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:104 -
C:\Windows\vkcthvsjvksyyfzd.exevkcthvsjvksyyfzd.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\vkcthvsjvksyyfzd.exe*."3⤵
- Executes dropped EXE
PID:1460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵
- Executes dropped EXE
PID:4320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe2⤵
- Executes dropped EXE
PID:804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysplexzvmgtejvudvrlie.exe .1⤵PID:3868
-
C:\Windows\ysplexzvmgtejvudvrlie.exeysplexzvmgtejvudvrlie.exe .2⤵
- Executes dropped EXE
PID:3456 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\ysplexzvmgtejvudvrlie.exe*."3⤵
- Executes dropped EXE
PID:5948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vkcthvsjvksyyfzd.exe1⤵PID:4084
-
C:\Windows\vkcthvsjvksyyfzd.exevkcthvsjvksyyfzd.exe2⤵
- Executes dropped EXE
PID:2836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:1008
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵
- Executes dropped EXE
PID:5928 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵
- Executes dropped EXE
PID:4636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe1⤵PID:2724
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe2⤵
- Executes dropped EXE
PID:968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .1⤵PID:2000
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .2⤵
- Executes dropped EXE
PID:2988 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\lcwpfvunbsckmvrxmf.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe1⤵PID:1632
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3476
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .1⤵PID:2508
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6124 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\ysplexzvmgtejvudvrlie.exe*."3⤵
- Executes dropped EXE
PID:2160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe1⤵PID:5696
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe2⤵
- Executes dropped EXE
PID:1160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .1⤵PID:4964
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .2⤵
- Executes dropped EXE
PID:4984 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\lcwpfvunbsckmvrxmf.exe*."3⤵
- Executes dropped EXE
PID:4692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe1⤵PID:5228
-
C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exeC:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe .1⤵PID:6100
-
C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exeC:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe .2⤵
- Executes dropped EXE
PID:4900 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\wojdullfumxgjtqxnhz.exe*."3⤵
- Executes dropped EXE
PID:4592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe1⤵PID:4872
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe2⤵
- Executes dropped EXE
PID:2468
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe .1⤵PID:4492
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\csldshfxkajqrzuzn.exe*."3⤵
- Executes dropped EXE
PID:4400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe1⤵PID:976
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe2⤵
- Executes dropped EXE
PID:2436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:672
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵
- Executes dropped EXE
PID:5824 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵
- Executes dropped EXE
PID:1804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe1⤵PID:5768
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe2⤵
- Executes dropped EXE
PID:480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe .1⤵PID:4480
-
C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exeC:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2856 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\jcytldezpiueitrzqlea.exe*."3⤵
- Executes dropped EXE
PID:356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe1⤵PID:3304
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe2⤵
- Executes dropped EXE
PID:5692
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .1⤵PID:1428
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .2⤵
- Executes dropped EXE
PID:4108 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\ysplexzvmgtejvudvrlie.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vkcthvsjvksyyfzd.exe1⤵PID:4328
-
C:\Windows\vkcthvsjvksyyfzd.exevkcthvsjvksyyfzd.exe2⤵
- Executes dropped EXE
PID:4464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysplexzvmgtejvudvrlie.exe .1⤵PID:5320
-
C:\Windows\ysplexzvmgtejvudvrlie.exeysplexzvmgtejvudvrlie.exe .2⤵
- Executes dropped EXE
PID:4060 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\ysplexzvmgtejvudvrlie.exe*."3⤵
- Executes dropped EXE
PID:3920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe1⤵PID:3728
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe2⤵
- Executes dropped EXE
PID:2404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysplexzvmgtejvudvrlie.exe1⤵PID:3752
-
C:\Windows\ysplexzvmgtejvudvrlie.exeysplexzvmgtejvudvrlie.exe2⤵
- Executes dropped EXE
PID:72
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:676
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5896 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵
- Executes dropped EXE
PID:1516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vkcthvsjvksyyfzd.exe1⤵PID:3756
-
C:\Windows\vkcthvsjvksyyfzd.exevkcthvsjvksyyfzd.exe2⤵
- Executes dropped EXE
PID:3268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe1⤵PID:4272
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe2⤵
- Executes dropped EXE
PID:1936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe .1⤵PID:1448
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3928 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\wojdullfumxgjtqxnhz.exe*."3⤵
- Executes dropped EXE
PID:3564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .1⤵PID:3864
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1620 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\ysplexzvmgtejvudvrlie.exe*."3⤵PID:3060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysplexzvmgtejvudvrlie.exe .1⤵PID:3980
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2836
-
-
C:\Windows\ysplexzvmgtejvudvrlie.exeysplexzvmgtejvudvrlie.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\ysplexzvmgtejvudvrlie.exe*."3⤵PID:5476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysplexzvmgtejvudvrlie.exe1⤵PID:3000
-
C:\Windows\ysplexzvmgtejvudvrlie.exeysplexzvmgtejvudvrlie.exe2⤵PID:2148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:3868
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵PID:2824
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe1⤵PID:3380
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe2⤵PID:2504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe1⤵PID:4612
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe2⤵PID:1496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe1⤵PID:1724
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe2⤵PID:4264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe .1⤵PID:780
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe .2⤵PID:5092
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\lcwpfvunbsckmvrxmf.exe*."3⤵PID:5112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .1⤵PID:4332
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .2⤵PID:5256
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\vkcthvsjvksyyfzd.exe*."3⤵PID:3076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .1⤵PID:4476
-
C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exeC:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .2⤵PID:5696
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\csldshfxkajqrzuzn.exe*."3⤵PID:2636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe1⤵PID:5312
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe2⤵PID:6136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe .1⤵PID:5160
-
C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exeC:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe .2⤵PID:4824
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\jcytldezpiueitrzqlea.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- System policy modification
PID:4740 -
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:4928
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:5168
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:2904
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:4484
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:1892
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:5176
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:4056
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:3524
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:5812
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:5032
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:1488
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:6124
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:2948
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:4580
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:1892
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:968
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:3232
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:3136
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:2752
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:5896
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:1492
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:5476
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:1196
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:1580
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:432
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:1672
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:8
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:5712
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:4944
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:4828
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:5232
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:3576
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:5016
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:5200
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:5252
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:4220
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:2988
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:716
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:5340
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:4464
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:2760
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:1548
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:2548
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:1052
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:1920
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:5532
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:408
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:5620
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:8
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:1220
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:5160
-
-
C:\Users\Admin\AppData\Local\Temp\cgjnv.exe"C:\Users\Admin\AppData\Local\Temp\cgjnv.exe" "-C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe"4⤵PID:3304
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe1⤵PID:4860
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5216
-
-
C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exeC:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe2⤵PID:4596
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .1⤵PID:4808
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4900
-
-
C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exeC:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5084 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\csldshfxkajqrzuzn.exe*."3⤵PID:1052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe1⤵PID:5220
-
C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exeC:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe2⤵PID:2428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe .1⤵PID:1484
-
C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exeC:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5080 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\wojdullfumxgjtqxnhz.exe*."3⤵PID:4400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe1⤵PID:3912
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe2⤵PID:4496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:8
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2436
-
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵PID:4764
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵PID:1928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c asjbxldfvkfqzcmjqge.exe1⤵PID:5776
-
C:\Windows\asjbxldfvkfqzcmjqge.exeasjbxldfvkfqzcmjqge.exe2⤵PID:5932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe1⤵PID:5916
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe2⤵PID:5444
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe .1⤵PID:5984
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe .2⤵PID:6064
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\csldshfxkajqrzuzn.exe*."3⤵PID:6068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pgwnivmncqkucenjpe.exe .1⤵PID:5276
-
C:\Windows\pgwnivmncqkucenjpe.exepgwnivmncqkucenjpe.exe .2⤵PID:4604
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\pgwnivmncqkucenjpe.exe*."3⤵PID:2272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe1⤵PID:808
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe2⤵PID:896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .1⤵PID:5200
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .2⤵PID:4464
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\ysplexzvmgtejvudvrlie.exe*."3⤵PID:4252
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cwpjhxrvnebozeqpyqqkd.exe1⤵PID:5468
-
C:\Windows\cwpjhxrvnebozeqpyqqkd.execwpjhxrvnebozeqpyqqkd.exe2⤵
- System Location Discovery: System Language Discovery
PID:4328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cwpjhxrvnebozeqpyqqkd.exe .1⤵PID:1336
-
C:\Windows\cwpjhxrvnebozeqpyqqkd.execwpjhxrvnebozeqpyqqkd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\cwpjhxrvnebozeqpyqqkd.exe*."3⤵PID:6016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe1⤵PID:1172
-
C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exeC:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe2⤵
- System Location Discovery: System Language Discovery
PID:72
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe1⤵PID:1372
-
C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exeC:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe2⤵PID:104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asjbxldfvkfqzcmjqge.exe .1⤵PID:3908
-
C:\Users\Admin\AppData\Local\Temp\asjbxldfvkfqzcmjqge.exeC:\Users\Admin\AppData\Local\Temp\asjbxldfvkfqzcmjqge.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5268 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\asjbxldfvkfqzcmjqge.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .1⤵PID:4744
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .2⤵PID:228
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\lcwpfvunbsckmvrxmf.exe*."3⤵PID:956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngyrodwzqgcoycnltkjc.exe1⤵PID:676
-
C:\Users\Admin\AppData\Local\Temp\ngyrodwzqgcoycnltkjc.exeC:\Users\Admin\AppData\Local\Temp\ngyrodwzqgcoycnltkjc.exe2⤵PID:3928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgwnivmncqkucenjpe.exe .1⤵PID:4956
-
C:\Users\Admin\AppData\Local\Temp\pgwnivmncqkucenjpe.exeC:\Users\Admin\AppData\Local\Temp\pgwnivmncqkucenjpe.exe .2⤵PID:3932
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\pgwnivmncqkucenjpe.exe*."3⤵PID:3456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe1⤵PID:5956
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe2⤵PID:3520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:6132
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2852 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵PID:5484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe1⤵PID:2076
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe2⤵PID:1608
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:4084
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵PID:412
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵PID:2808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe1⤵PID:3380
-
C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exeC:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe2⤵PID:2224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .1⤵PID:6072
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\vkcthvsjvksyyfzd.exe*."3⤵PID:5236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe1⤵PID:4984
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5112
-
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe2⤵PID:3700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .1⤵PID:2508
-
C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exeC:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .2⤵PID:5324
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\csldshfxkajqrzuzn.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe1⤵PID:4840
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe2⤵PID:3324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe .1⤵PID:3776
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4836 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\lcwpfvunbsckmvrxmf.exe*."3⤵PID:4912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe1⤵PID:5036
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe2⤵PID:3796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:2176
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵PID:4904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe1⤵PID:424
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1052
-
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe2⤵PID:4156
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .1⤵PID:5648
-
C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exeC:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .2⤵PID:1640
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\csldshfxkajqrzuzn.exe*."3⤵PID:2664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gwlbvhxxlyrahiqlq.exe1⤵PID:5028
-
C:\Windows\gwlbvhxxlyrahiqlq.exegwlbvhxxlyrahiqlq.exe2⤵PID:4988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gwlbvhxxlyrahiqlq.exe .1⤵PID:3048
-
C:\Windows\gwlbvhxxlyrahiqlq.exegwlbvhxxlyrahiqlq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\gwlbvhxxlyrahiqlq.exe*."3⤵PID:5820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe1⤵PID:5512
-
C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exeC:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe2⤵PID:5420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe .1⤵PID:3652
-
C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exeC:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4796 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\wojdullfumxgjtqxnhz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c asjbxldfvkfqzcmjqge.exe1⤵PID:5692
-
C:\Windows\asjbxldfvkfqzcmjqge.exeasjbxldfvkfqzcmjqge.exe2⤵PID:276
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ngyrodwzqgcoycnltkjc.exe .1⤵PID:3736
-
C:\Windows\ngyrodwzqgcoycnltkjc.exengyrodwzqgcoycnltkjc.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1880 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\ngyrodwzqgcoycnltkjc.exe*."3⤵PID:1988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngyrodwzqgcoycnltkjc.exe1⤵PID:4104
-
C:\Users\Admin\AppData\Local\Temp\ngyrodwzqgcoycnltkjc.exeC:\Users\Admin\AppData\Local\Temp\ngyrodwzqgcoycnltkjc.exe2⤵PID:1060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwpjhxrvnebozeqpyqqkd.exe .1⤵PID:1048
-
C:\Users\Admin\AppData\Local\Temp\cwpjhxrvnebozeqpyqqkd.exeC:\Users\Admin\AppData\Local\Temp\cwpjhxrvnebozeqpyqqkd.exe .2⤵PID:5248
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\cwpjhxrvnebozeqpyqqkd.exe*."3⤵PID:3848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe1⤵PID:4060
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1924
-
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe2⤵PID:6004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngyrodwzqgcoycnltkjc.exe1⤵PID:1036
-
C:\Users\Admin\AppData\Local\Temp\ngyrodwzqgcoycnltkjc.exeC:\Users\Admin\AppData\Local\Temp\ngyrodwzqgcoycnltkjc.exe2⤵PID:1064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwlbvhxxlyrahiqlq.exe .1⤵PID:2640
-
C:\Users\Admin\AppData\Local\Temp\gwlbvhxxlyrahiqlq.exeC:\Users\Admin\AppData\Local\Temp\gwlbvhxxlyrahiqlq.exe .2⤵PID:3768
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\gwlbvhxxlyrahiqlq.exe*."3⤵PID:3752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe .1⤵PID:3756
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe .2⤵PID:4272
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\lcwpfvunbsckmvrxmf.exe*."3⤵PID:6092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vkcthvsjvksyyfzd.exe1⤵PID:1460
-
C:\Windows\vkcthvsjvksyyfzd.exevkcthvsjvksyyfzd.exe2⤵PID:5072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:5480
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5580 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵PID:3280
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe1⤵PID:3476
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe2⤵PID:4768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .1⤵PID:2888
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .2⤵PID:3708
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\ysplexzvmgtejvudvrlie.exe*."3⤵PID:6088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe1⤵PID:1212
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe2⤵PID:3392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .1⤵PID:5476
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5980 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\ysplexzvmgtejvudvrlie.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
PID:4364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe1⤵PID:5068
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe2⤵PID:1496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:3276
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵PID:6072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe1⤵PID:5092
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe2⤵PID:4984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe .1⤵PID:5308
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe .2⤵PID:3468
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\lcwpfvunbsckmvrxmf.exe*."3⤵PID:2356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe1⤵PID:5064
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe2⤵PID:3596
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .1⤵PID:3232
-
C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exeC:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .2⤵PID:5736
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\csldshfxkajqrzuzn.exe*."3⤵PID:4476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe1⤵PID:5188
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe2⤵PID:1860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .1⤵PID:5104
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .2⤵PID:5368
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\ysplexzvmgtejvudvrlie.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
PID:5008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysplexzvmgtejvudvrlie.exe1⤵PID:5108
-
C:\Windows\ysplexzvmgtejvudvrlie.exeysplexzvmgtejvudvrlie.exe2⤵PID:5016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:5780
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5900 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵PID:5932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe1⤵PID:2664
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe2⤵PID:4692
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe .1⤵PID:2848
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5776 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\csldshfxkajqrzuzn.exe*."3⤵PID:5556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe1⤵PID:2436
-
C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exeC:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe2⤵PID:4452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .1⤵PID:5088
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .2⤵PID:3028
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\ysplexzvmgtejvudvrlie.exe*."3⤵PID:660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe1⤵PID:4796
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe2⤵PID:672
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .1⤵PID:5300
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1216 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\vkcthvsjvksyyfzd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
PID:1988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysplexzvmgtejvudvrlie.exe1⤵PID:5612
-
C:\Windows\ysplexzvmgtejvudvrlie.exeysplexzvmgtejvudvrlie.exe2⤵PID:3728
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysplexzvmgtejvudvrlie.exe .1⤵PID:560
-
C:\Windows\ysplexzvmgtejvudvrlie.exeysplexzvmgtejvudvrlie.exe .2⤵PID:3600
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\ysplexzvmgtejvudvrlie.exe*."3⤵PID:6004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe1⤵PID:2600
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe2⤵PID:1064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:5320
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵PID:2768
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵PID:4348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe1⤵PID:4852
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe2⤵PID:5140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .1⤵PID:2132
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5852
-
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .2⤵PID:3148
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\lcwpfvunbsckmvrxmf.exe*."3⤵PID:3936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe1⤵PID:3928
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3564
-
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe2⤵PID:5332
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe1⤵PID:1388
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe2⤵PID:1504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe1⤵PID:4380
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe2⤵PID:3476
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe .1⤵PID:2620
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:968 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\lcwpfvunbsckmvrxmf.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe .1⤵PID:5252
-
C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exeC:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\jcytldezpiueitrzqlea.exe*."3⤵PID:1840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysplexzvmgtejvudvrlie.exe .1⤵PID:4276
-
C:\Windows\ysplexzvmgtejvudvrlie.exeysplexzvmgtejvudvrlie.exe .2⤵PID:1520
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\ysplexzvmgtejvudvrlie.exe*."3⤵PID:2000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe1⤵PID:4624
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe2⤵PID:2508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:4532
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵PID:5928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe1⤵PID:4652
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6136
-
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe2⤵PID:5356
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe1⤵PID:4932
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe2⤵PID:5312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe .1⤵PID:1724
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe .2⤵PID:3420
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\lcwpfvunbsckmvrxmf.exe*."3⤵PID:2880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe .1⤵PID:5680
-
C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exeC:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3232 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\wojdullfumxgjtqxnhz.exe*."3⤵PID:4904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe1⤵PID:1708
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe2⤵PID:5352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe1⤵PID:4292
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3324
-
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe2⤵PID:2464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .1⤵PID:5376
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .2⤵PID:5036
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\lcwpfvunbsckmvrxmf.exe*."3⤵PID:2904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe1⤵PID:4836
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe2⤵PID:2176
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysplexzvmgtejvudvrlie.exe .1⤵PID:5184
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5084
-
-
C:\Windows\ysplexzvmgtejvudvrlie.exeysplexzvmgtejvudvrlie.exe .2⤵PID:3912
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\ysplexzvmgtejvudvrlie.exe*."3⤵PID:764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe .1⤵PID:1392
-
C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exeC:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe .2⤵PID:1232
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\wojdullfumxgjtqxnhz.exe*."3⤵PID:808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe1⤵PID:5508
-
C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exeC:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe2⤵PID:644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .1⤵PID:2876
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5660 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\vkcthvsjvksyyfzd.exe*."3⤵PID:5088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe1⤵PID:5016
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe2⤵PID:4384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:4484
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵PID:5768
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵PID:4436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe1⤵PID:4452
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe2⤵PID:3180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .1⤵PID:1476
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4980
-
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5028 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\ysplexzvmgtejvudvrlie.exe*."3⤵PID:5152
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe1⤵PID:2296
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2272
-
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe2⤵PID:1880
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .1⤵PID:4464
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:356 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\lcwpfvunbsckmvrxmf.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe1⤵PID:5240
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe2⤵PID:3160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vkcthvsjvksyyfzd.exe .1⤵PID:5248
-
C:\Windows\vkcthvsjvksyyfzd.exevkcthvsjvksyyfzd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\vkcthvsjvksyyfzd.exe*."3⤵PID:3920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vkcthvsjvksyyfzd.exe1⤵PID:4672
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:228
-
-
C:\Windows\vkcthvsjvksyyfzd.exevkcthvsjvksyyfzd.exe2⤵PID:2752
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe .1⤵PID:5140
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5268
-
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe .2⤵PID:4324
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\lcwpfvunbsckmvrxmf.exe*."3⤵PID:4576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe1⤵PID:1672
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe2⤵PID:488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .1⤵PID:3308
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1888 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\vkcthvsjvksyyfzd.exe*."3⤵PID:1256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe1⤵PID:3520
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3280
-
-
C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exeC:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe2⤵PID:5060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .1⤵PID:3932
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1388 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\lcwpfvunbsckmvrxmf.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vkcthvsjvksyyfzd.exe1⤵PID:2620
-
C:\Windows\vkcthvsjvksyyfzd.exevkcthvsjvksyyfzd.exe2⤵PID:2988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:6124
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵PID:3700
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵PID:4620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe1⤵PID:1492
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe2⤵PID:2636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysplexzvmgtejvudvrlie.exe .1⤵PID:2508
-
C:\Windows\ysplexzvmgtejvudvrlie.exeysplexzvmgtejvudvrlie.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5620 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\ysplexzvmgtejvudvrlie.exe*."3⤵PID:2124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe1⤵PID:6132
-
C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exeC:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe2⤵PID:3572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe .1⤵PID:5696
-
C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exeC:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe .2⤵PID:780
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\wojdullfumxgjtqxnhz.exe*."3⤵PID:4652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe1⤵PID:1496
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe2⤵PID:3596
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe .1⤵PID:5004
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5324
-
-
C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exeC:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\wojdullfumxgjtqxnhz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
PID:4856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cwpjhxrvnebozeqpyqqkd.exe1⤵PID:4788
-
C:\Windows\cwpjhxrvnebozeqpyqqkd.execwpjhxrvnebozeqpyqqkd.exe2⤵PID:5204
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ngyrodwzqgcoycnltkjc.exe .1⤵PID:3352
-
C:\Windows\ngyrodwzqgcoycnltkjc.exengyrodwzqgcoycnltkjc.exe .2⤵PID:4064
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\ngyrodwzqgcoycnltkjc.exe*."3⤵PID:4524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe1⤵PID:4320
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe2⤵PID:3292
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c asjbxldfvkfqzcmjqge.exe1⤵PID:3776
-
C:\Windows\asjbxldfvkfqzcmjqge.exeasjbxldfvkfqzcmjqge.exe2⤵PID:3748
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zocrkvkjwiaioovp.exe .1⤵PID:5584
-
C:\Windows\zocrkvkjwiaioovp.exezocrkvkjwiaioovp.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5524 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\zocrkvkjwiaioovp.exe*."3⤵PID:2976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:5592
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4756 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵PID:660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gwlbvhxxlyrahiqlq.exe1⤵PID:4300
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4400
-
-
C:\Users\Admin\AppData\Local\Temp\gwlbvhxxlyrahiqlq.exeC:\Users\Admin\AppData\Local\Temp\gwlbvhxxlyrahiqlq.exe2⤵PID:5820
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asjbxldfvkfqzcmjqge.exe .1⤵PID:808
-
C:\Users\Admin\AppData\Local\Temp\asjbxldfvkfqzcmjqge.exeC:\Users\Admin\AppData\Local\Temp\asjbxldfvkfqzcmjqge.exe .2⤵PID:4884
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\asjbxldfvkfqzcmjqge.exe*."3⤵PID:1928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vkcthvsjvksyyfzd.exe1⤵PID:4008
-
C:\Windows\vkcthvsjvksyyfzd.exevkcthvsjvksyyfzd.exe2⤵PID:5104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:2876
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵PID:4504
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵PID:5156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe1⤵PID:4736
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe2⤵PID:1880
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe1⤵PID:972
-
C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exeC:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe2⤵PID:5760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\asjbxldfvkfqzcmjqge.exe .1⤵PID:1452
-
C:\Users\Admin\AppData\Local\Temp\asjbxldfvkfqzcmjqge.exeC:\Users\Admin\AppData\Local\Temp\asjbxldfvkfqzcmjqge.exe .2⤵PID:5984
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\asjbxldfvkfqzcmjqge.exe*."3⤵PID:3880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .1⤵PID:2296
-
C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exeC:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .2⤵PID:3968
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\csldshfxkajqrzuzn.exe*."3⤵PID:5904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe1⤵PID:5468
-
C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exeC:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe2⤵PID:4328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe .1⤵PID:3512
-
C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exeC:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4316 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\jcytldezpiueitrzqlea.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
PID:4344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vkcthvsjvksyyfzd.exe1⤵PID:4148
-
C:\Windows\vkcthvsjvksyyfzd.exevkcthvsjvksyyfzd.exe2⤵PID:1936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:3936
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵PID:3148
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵PID:1036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe1⤵PID:2164
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe2⤵PID:2096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:2600
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵PID:3476
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵PID:1988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe1⤵PID:1448
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3520
-
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe2⤵PID:2972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .1⤵PID:3416
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .2⤵PID:4392
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\lcwpfvunbsckmvrxmf.exe*."3⤵PID:1892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe1⤵PID:1212
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6088
-
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe2⤵PID:1488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe .1⤵PID:6116
-
C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exeC:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe .2⤵PID:2888
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\jcytldezpiueitrzqlea.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
PID:5452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe1⤵PID:5548
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe2⤵PID:4792
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe .1⤵PID:2160
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3588 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\lcwpfvunbsckmvrxmf.exe*."3⤵PID:2836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe1⤵PID:3168
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe2⤵PID:5460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:4652
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵PID:5736
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵PID:1160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe1⤵PID:5440
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe2⤵PID:5220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .1⤵PID:5188
-
C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exeC:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\csldshfxkajqrzuzn.exe*."3⤵PID:4172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe1⤵PID:1508
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe2⤵PID:3136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .1⤵PID:5536
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .2⤵PID:4976
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\vkcthvsjvksyyfzd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe1⤵PID:3292
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe2⤵PID:3748
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe .1⤵PID:1556
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5488 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\wojdullfumxgjtqxnhz.exe*."3⤵PID:6064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysplexzvmgtejvudvrlie.exe1⤵PID:5184
-
C:\Windows\ysplexzvmgtejvudvrlie.exeysplexzvmgtejvudvrlie.exe2⤵PID:4404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:2548
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵PID:4332
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵PID:5364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe1⤵PID:5124
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe2⤵PID:5088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe .1⤵PID:3648
-
C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exeC:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\wojdullfumxgjtqxnhz.exe*."3⤵PID:5556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe1⤵PID:2348
-
C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exeC:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe2⤵PID:4504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .1⤵PID:2068
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1880
-
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .2⤵PID:5664
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\vkcthvsjvksyyfzd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe1⤵PID:1956
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe2⤵PID:1032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe .1⤵PID:4828
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe .2⤵PID:4604
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\lcwpfvunbsckmvrxmf.exe*."3⤵PID:5240
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe1⤵PID:5984
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe2⤵PID:5300
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe1⤵PID:3448
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe2⤵PID:5884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe1⤵PID:4856
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe2⤵PID:5128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe .1⤵PID:1636
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4948 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\wojdullfumxgjtqxnhz.exe*."3⤵PID:4576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe .1⤵PID:4896
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe .2⤵PID:4500
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\wojdullfumxgjtqxnhz.exe*."3⤵PID:1996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:4324
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵PID:676
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵PID:2460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe1⤵PID:2996
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6092
-
-
C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exeC:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe2⤵PID:5980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe1⤵PID:1036
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe2⤵PID:2700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .1⤵PID:5020
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .2⤵
- System Location Discovery: System Language Discovery
PID:412 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\ysplexzvmgtejvudvrlie.exe*."3⤵PID:5460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe .1⤵PID:3396
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe .2⤵PID:6116
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\csldshfxkajqrzuzn.exe*."3⤵PID:3272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe1⤵PID:4380
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe2⤵PID:4220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe .1⤵PID:3760
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe .2⤵PID:3588
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\lcwpfvunbsckmvrxmf.exe*."3⤵PID:1872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe1⤵PID:4208
-
C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exeC:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe2⤵PID:780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .1⤵PID:4344
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3700
-
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1160 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\ysplexzvmgtejvudvrlie.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe1⤵PID:3344
-
C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exeC:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe2⤵PID:4532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe1⤵PID:5436
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe2⤵PID:3452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .1⤵PID:4456
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .2⤵PID:6096
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\vkcthvsjvksyyfzd.exe*."3⤵PID:4412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .1⤵PID:5620
-
C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exeC:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .2⤵PID:6136
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\csldshfxkajqrzuzn.exe*."3⤵PID:5600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe1⤵PID:5908
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe2⤵PID:1508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe1⤵PID:1320
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe2⤵PID:1868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .1⤵PID:3840
-
C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exeC:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .2⤵PID:3480
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\csldshfxkajqrzuzn.exe*."3⤵PID:2776
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .1⤵PID:2156
-
C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exeC:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .2⤵PID:3468
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\csldshfxkajqrzuzn.exe*."3⤵PID:4496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysplexzvmgtejvudvrlie.exe1⤵PID:1580
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1232
-
-
C:\Windows\ysplexzvmgtejvudvrlie.exeysplexzvmgtejvudvrlie.exe2⤵PID:4028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vkcthvsjvksyyfzd.exe .1⤵PID:5488
-
C:\Windows\vkcthvsjvksyyfzd.exevkcthvsjvksyyfzd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4300 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\vkcthvsjvksyyfzd.exe*."3⤵PID:2864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe1⤵PID:2324
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe2⤵PID:2676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe .1⤵PID:5952
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe .2⤵PID:3356
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\wojdullfumxgjtqxnhz.exe*."3⤵PID:4484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe1⤵PID:3132
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe2⤵PID:5512
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .1⤵PID:4368
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\lcwpfvunbsckmvrxmf.exe*."3⤵PID:1008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe1⤵PID:5444
-
C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exeC:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe2⤵PID:5156
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .1⤵PID:2816
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2664
-
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:972 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\lcwpfvunbsckmvrxmf.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysplexzvmgtejvudvrlie.exe1⤵PID:4104
-
C:\Windows\ysplexzvmgtejvudvrlie.exeysplexzvmgtejvudvrlie.exe2⤵PID:3844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vkcthvsjvksyyfzd.exe .1⤵PID:5612
-
C:\Windows\vkcthvsjvksyyfzd.exevkcthvsjvksyyfzd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:560 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\vkcthvsjvksyyfzd.exe*."3⤵PID:5464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe1⤵PID:1372
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe2⤵PID:3268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vkcthvsjvksyyfzd.exe .1⤵PID:2712
-
C:\Windows\vkcthvsjvksyyfzd.exevkcthvsjvksyyfzd.exe .2⤵PID:5896
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\vkcthvsjvksyyfzd.exe*."3⤵PID:5652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe1⤵PID:4948
-
C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exeC:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe2⤵PID:1336
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .1⤵PID:2504
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .2⤵PID:6140
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\vkcthvsjvksyyfzd.exe*."3⤵PID:1888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe1⤵PID:5588
-
C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exeC:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe2⤵PID:956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .1⤵PID:3756
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3936
-
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .2⤵PID:1036
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\lcwpfvunbsckmvrxmf.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
PID:1172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysplexzvmgtejvudvrlie.exe1⤵PID:436
-
C:\Windows\ysplexzvmgtejvudvrlie.exeysplexzvmgtejvudvrlie.exe2⤵PID:5476
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe .1⤵PID:2476
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe .2⤵PID:4292
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\wojdullfumxgjtqxnhz.exe*."3⤵PID:4724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zocrkvkjwiaioovp.exe1⤵PID:804
-
C:\Windows\zocrkvkjwiaioovp.exezocrkvkjwiaioovp.exe2⤵PID:1840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysplexzvmgtejvudvrlie.exe1⤵PID:5056
-
C:\Windows\ysplexzvmgtejvudvrlie.exeysplexzvmgtejvudvrlie.exe2⤵PID:2028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cwpjhxrvnebozeqpyqqkd.exe .1⤵PID:5168
-
C:\Windows\cwpjhxrvnebozeqpyqqkd.execwpjhxrvnebozeqpyqqkd.exe .2⤵PID:5256
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\cwpjhxrvnebozeqpyqqkd.exe*."3⤵PID:4976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe .1⤵PID:1096
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe .2⤵PID:1632
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\wojdullfumxgjtqxnhz.exe*."3⤵PID:5860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe1⤵PID:6136
-
C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exeC:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe2⤵PID:2656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c asjbxldfvkfqzcmjqge.exe1⤵PID:656
-
C:\Windows\asjbxldfvkfqzcmjqge.exeasjbxldfvkfqzcmjqge.exe2⤵PID:852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .1⤵PID:3980
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .2⤵PID:5956
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\lcwpfvunbsckmvrxmf.exe*."3⤵PID:3596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cwpjhxrvnebozeqpyqqkd.exe .1⤵PID:4632
-
C:\Windows\cwpjhxrvnebozeqpyqqkd.execwpjhxrvnebozeqpyqqkd.exe .2⤵PID:4092
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\cwpjhxrvnebozeqpyqqkd.exe*."3⤵PID:3136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngyrodwzqgcoycnltkjc.exe1⤵PID:4376
-
C:\Users\Admin\AppData\Local\Temp\ngyrodwzqgcoycnltkjc.exeC:\Users\Admin\AppData\Local\Temp\ngyrodwzqgcoycnltkjc.exe2⤵PID:3776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngyrodwzqgcoycnltkjc.exe .1⤵PID:5900
-
C:\Users\Admin\AppData\Local\Temp\ngyrodwzqgcoycnltkjc.exeC:\Users\Admin\AppData\Local\Temp\ngyrodwzqgcoycnltkjc.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\ngyrodwzqgcoycnltkjc.exe*."3⤵PID:5908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe1⤵PID:4652
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe2⤵PID:3712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .1⤵PID:5356
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4012 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\ysplexzvmgtejvudvrlie.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:5584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgwnivmncqkucenjpe.exe1⤵PID:2168
-
C:\Users\Admin\AppData\Local\Temp\pgwnivmncqkucenjpe.exeC:\Users\Admin\AppData\Local\Temp\pgwnivmncqkucenjpe.exe2⤵PID:4028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cwpjhxrvnebozeqpyqqkd.exe .1⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\cwpjhxrvnebozeqpyqqkd.exeC:\Users\Admin\AppData\Local\Temp\cwpjhxrvnebozeqpyqqkd.exe .2⤵PID:1392
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\cwpjhxrvnebozeqpyqqkd.exe*."3⤵PID:4300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe1⤵PID:5768
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe2⤵PID:2324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysplexzvmgtejvudvrlie.exe .1⤵PID:5776
-
C:\Windows\ysplexzvmgtejvudvrlie.exeysplexzvmgtejvudvrlie.exe .2⤵PID:4756
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\ysplexzvmgtejvudvrlie.exe*."3⤵PID:5084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe1⤵PID:5568
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe2⤵PID:5076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:4156
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵PID:4008
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵PID:4396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe1⤵PID:5824
-
C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exeC:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe2⤵PID:1176
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe .1⤵PID:1900
-
C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exeC:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1424 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\jcytldezpiueitrzqlea.exe*."3⤵PID:1452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe1⤵PID:4480
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe2⤵PID:1340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .1⤵PID:4020
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .2⤵PID:4944
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\vkcthvsjvksyyfzd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4604
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe1⤵PID:5520
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe2⤵PID:6068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysplexzvmgtejvudvrlie.exe .1⤵PID:4576
-
C:\Windows\ysplexzvmgtejvudvrlie.exeysplexzvmgtejvudvrlie.exe .2⤵PID:5896
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\ysplexzvmgtejvudvrlie.exe*."3⤵PID:404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe1⤵PID:5072
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe2⤵PID:4004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe .1⤵PID:3928
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1888 -
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\csldshfxkajqrzuzn.exe*."3⤵PID:3456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe1⤵PID:2504
-
C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exeC:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe2⤵PID:968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .1⤵PID:356
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .2⤵PID:3768
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\lcwpfvunbsckmvrxmf.exe*."3⤵PID:4372
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe1⤵PID:4324
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe2⤵PID:4928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .1⤵PID:5976
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .2⤵PID:1840
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\ysplexzvmgtejvudvrlie.exe*."3⤵PID:916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe1⤵PID:2508
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe2⤵PID:5056
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:5060
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵PID:3028
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵PID:4064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe1⤵PID:1456
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe2⤵PID:1864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vkcthvsjvksyyfzd.exe .1⤵PID:2476
-
C:\Windows\vkcthvsjvksyyfzd.exevkcthvsjvksyyfzd.exe .2⤵PID:4344
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\vkcthvsjvksyyfzd.exe*."3⤵PID:4144
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe1⤵PID:4592
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe2⤵PID:5236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .1⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .2⤵PID:5932
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\lcwpfvunbsckmvrxmf.exe*."3⤵PID:3748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe1⤵PID:5576
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe2⤵PID:4364
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .1⤵PID:5572
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .2⤵PID:3712
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\vkcthvsjvksyyfzd.exe*."3⤵PID:5928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe1⤵PID:1460
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe2⤵PID:2776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe1⤵PID:4492
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe2⤵PID:1156
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:104
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵PID:2976
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵PID:5524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe .1⤵PID:5068
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe .2⤵PID:4300
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\lcwpfvunbsckmvrxmf.exe*."3⤵PID:5124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe1⤵PID:2436
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe2⤵PID:1556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe1⤵PID:4404
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe2⤵PID:3356
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe .1⤵PID:4804
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe .2⤵PID:5692
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\csldshfxkajqrzuzn.exe*."3⤵PID:4368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vkcthvsjvksyyfzd.exe1⤵PID:660
-
C:\Windows\vkcthvsjvksyyfzd.exevkcthvsjvksyyfzd.exe2⤵PID:3056
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe1⤵PID:4756
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe2⤵PID:4796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vkcthvsjvksyyfzd.exe .1⤵PID:6008
-
C:\Windows\vkcthvsjvksyyfzd.exevkcthvsjvksyyfzd.exe .2⤵PID:3728
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\vkcthvsjvksyyfzd.exe*."3⤵PID:4272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .1⤵PID:5952
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .2⤵PID:2816
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\vkcthvsjvksyyfzd.exe*."3⤵PID:6084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe .1⤵PID:5372
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe .2⤵PID:2664
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\lcwpfvunbsckmvrxmf.exe*."3⤵PID:5948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe1⤵PID:5616
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5028
-
-
C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exeC:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe2⤵PID:828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe1⤵PID:4656
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe2⤵PID:4064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe .1⤵PID:1340
-
C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exeC:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe .2⤵PID:3752
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\jcytldezpiueitrzqlea.exe*."3⤵PID:5980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe1⤵PID:1060
-
C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exeC:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe2⤵PID:3288
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vkcthvsjvksyyfzd.exe .1⤵PID:3036
-
C:\Windows\vkcthvsjvksyyfzd.exevkcthvsjvksyyfzd.exe .2⤵PID:412
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\vkcthvsjvksyyfzd.exe*."3⤵PID:1160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .1⤵PID:2404
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5248
-
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .2⤵PID:2460
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\lcwpfvunbsckmvrxmf.exe*."3⤵PID:2380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe1⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exeC:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe2⤵PID:5580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe .1⤵PID:2096
-
C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exeC:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe .2⤵PID:3476
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\jcytldezpiueitrzqlea.exe*."3⤵PID:3264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe1⤵PID:2120
-
C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exeC:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe2⤵PID:3756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .1⤵PID:1348
-
C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exeC:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .2⤵PID:5312
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\csldshfxkajqrzuzn.exe*."3⤵PID:3796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe1⤵PID:3572
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:356
-
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe2⤵PID:1432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe .1⤵PID:2808
-
C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exeC:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe .2⤵PID:4292
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\wojdullfumxgjtqxnhz.exe*."3⤵PID:1872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe1⤵PID:2356
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe2⤵PID:3028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysplexzvmgtejvudvrlie.exe .1⤵PID:5764
-
C:\Windows\ysplexzvmgtejvudvrlie.exeysplexzvmgtejvudvrlie.exe .2⤵PID:2280
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\ysplexzvmgtejvudvrlie.exe*."3⤵PID:1860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe1⤵PID:4956
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe2⤵PID:4108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysplexzvmgtejvudvrlie.exe .1⤵PID:2176
-
C:\Windows\ysplexzvmgtejvudvrlie.exeysplexzvmgtejvudvrlie.exe .2⤵PID:4144
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\ysplexzvmgtejvudvrlie.exe*."3⤵PID:2904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe1⤵PID:3868
-
C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exeC:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe2⤵PID:3732
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .1⤵PID:3496
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .2⤵PID:2740
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\vkcthvsjvksyyfzd.exe*."3⤵PID:5680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe1⤵PID:4208
-
C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exeC:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe2⤵PID:2156
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .1⤵PID:5956
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .2⤵PID:1492
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\lcwpfvunbsckmvrxmf.exe*."3⤵PID:4816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lcwpfvunbsckmvrxmf.exe1⤵PID:572
-
C:\Windows\lcwpfvunbsckmvrxmf.exelcwpfvunbsckmvrxmf.exe2⤵PID:4852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe .1⤵PID:3008
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe .2⤵PID:3052
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\csldshfxkajqrzuzn.exe*."3⤵PID:3724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe1⤵PID:5424
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe2⤵PID:5508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:1640
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵PID:5804
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵PID:4728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe1⤵PID:2676
-
C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exeC:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe2⤵PID:5548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .1⤵PID:3428
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe .2⤵PID:5364
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\lcwpfvunbsckmvrxmf.exe*."3⤵PID:4288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe1⤵PID:5664
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe2⤵PID:1484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe .1⤵PID:2520
-
C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exeC:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe .2⤵PID:3844
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\jcytldezpiueitrzqlea.exe*."3⤵PID:1956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysplexzvmgtejvudvrlie.exe1⤵PID:4224
-
C:\Windows\ysplexzvmgtejvudvrlie.exeysplexzvmgtejvudvrlie.exe2⤵PID:5616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe .1⤵PID:3516
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe .2⤵PID:5112
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\jcytldezpiueitrzqlea.exe*."3⤵PID:6092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c asjbxldfvkfqzcmjqge.exe1⤵PID:5876
-
C:\Windows\asjbxldfvkfqzcmjqge.exeasjbxldfvkfqzcmjqge.exe2⤵PID:4104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe1⤵PID:5580
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe2⤵PID:1592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe .1⤵PID:484
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe .2⤵PID:5612
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\csldshfxkajqrzuzn.exe*."3⤵PID:3264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cwpjhxrvnebozeqpyqqkd.exe .1⤵PID:2916
-
C:\Windows\cwpjhxrvnebozeqpyqqkd.execwpjhxrvnebozeqpyqqkd.exe .2⤵PID:1256
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\cwpjhxrvnebozeqpyqqkd.exe*."3⤵PID:1676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe1⤵PID:228
-
C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exeC:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe2⤵PID:1988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe .1⤵PID:5268
-
C:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exeC:\Users\Admin\AppData\Local\Temp\jcytldezpiueitrzqlea.exe .2⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\jcytldezpiueitrzqlea.exe*."3⤵PID:3448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cwpjhxrvnebozeqpyqqkd.exe1⤵PID:1212
-
C:\Windows\cwpjhxrvnebozeqpyqqkd.execwpjhxrvnebozeqpyqqkd.exe2⤵PID:4372
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gwlbvhxxlyrahiqlq.exe .1⤵PID:2768
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2748
-
-
C:\Windows\gwlbvhxxlyrahiqlq.exegwlbvhxxlyrahiqlq.exe .2⤵PID:5160
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\gwlbvhxxlyrahiqlq.exe*."3⤵PID:4672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe1⤵PID:3392
-
C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exeC:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe2⤵PID:5584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe1⤵PID:1528
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe2⤵PID:564
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .1⤵PID:3036
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .2⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\ysplexzvmgtejvudvrlie.exe*."3⤵PID:4064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pgwnivmncqkucenjpe.exe .1⤵PID:5904
-
C:\Users\Admin\AppData\Local\Temp\pgwnivmncqkucenjpe.exeC:\Users\Admin\AppData\Local\Temp\pgwnivmncqkucenjpe.exe .2⤵PID:3324
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\pgwnivmncqkucenjpe.exe*."3⤵PID:5916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe1⤵PID:5884
-
C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exeC:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe2⤵PID:4764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe .1⤵PID:5156
-
C:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exeC:\Users\Admin\AppData\Local\Temp\zocrkvkjwiaioovp.exe .2⤵PID:1448
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\zocrkvkjwiaioovp.exe*."3⤵PID:4340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vkcthvsjvksyyfzd.exe1⤵PID:5764
-
C:\Windows\vkcthvsjvksyyfzd.exevkcthvsjvksyyfzd.exe2⤵PID:6076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe .1⤵PID:5988
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3468
-
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe .2⤵PID:716
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\wojdullfumxgjtqxnhz.exe*."3⤵PID:4344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vkcthvsjvksyyfzd.exe1⤵PID:5036
-
C:\Windows\vkcthvsjvksyyfzd.exevkcthvsjvksyyfzd.exe2⤵PID:4140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe .1⤵PID:4964
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe .2⤵PID:2476
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\wojdullfumxgjtqxnhz.exe*."3⤵PID:4220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe1⤵PID:1320
-
C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exeC:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe2⤵PID:5344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .1⤵PID:5840
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe .2⤵PID:2076
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\ysplexzvmgtejvudvrlie.exe*."3⤵PID:1508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe1⤵PID:4476
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe2⤵PID:4028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .1⤵PID:2852
-
C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exeC:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .2⤵PID:2724
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\csldshfxkajqrzuzn.exe*."3⤵PID:704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe1⤵PID:4876
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4692
-
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe2⤵PID:5964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vkcthvsjvksyyfzd.exe .1⤵PID:276
-
C:\Windows\vkcthvsjvksyyfzd.exevkcthvsjvksyyfzd.exe .2⤵PID:4728
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\vkcthvsjvksyyfzd.exe*."3⤵PID:2488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe1⤵PID:2864
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe2⤵PID:4796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe .1⤵PID:1176
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5008
-
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe .2⤵PID:4288
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\csldshfxkajqrzuzn.exe*."3⤵PID:4436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe1⤵PID:3048
-
C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exeC:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe2⤵PID:3652
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .1⤵PID:3580
-
C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exeC:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .2⤵PID:5592
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\csldshfxkajqrzuzn.exe*."3⤵PID:2520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe1⤵PID:1216
-
C:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exeC:\Users\Admin\AppData\Local\Temp\lcwpfvunbsckmvrxmf.exe2⤵PID:576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .1⤵PID:972
-
C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exeC:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe .2⤵PID:2060
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\csldshfxkajqrzuzn.exe*."3⤵PID:2296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe1⤵PID:4328
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe2⤵PID:4396
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe .1⤵PID:3412
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe .2⤵PID:4052
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\wojdullfumxgjtqxnhz.exe*."3⤵PID:4644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vkcthvsjvksyyfzd.exe1⤵PID:1364
-
C:\Windows\vkcthvsjvksyyfzd.exevkcthvsjvksyyfzd.exe2⤵PID:3264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe .1⤵PID:4932
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe .2⤵PID:4684
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\wojdullfumxgjtqxnhz.exe*."3⤵PID:4696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe1⤵PID:6060
-
C:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exeC:\Users\Admin\AppData\Local\Temp\csldshfxkajqrzuzn.exe2⤵PID:2916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .1⤵PID:2780
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe .2⤵PID:2164
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\vkcthvsjvksyyfzd.exe*."3⤵PID:1892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe1⤵PID:2980
-
C:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exeC:\Users\Admin\AppData\Local\Temp\vkcthvsjvksyyfzd.exe2⤵PID:4824
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe .1⤵PID:3932
-
C:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exeC:\Users\Admin\AppData\Local\Temp\wojdullfumxgjtqxnhz.exe .2⤵PID:1056
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\users\admin\appdata\local\temp\wojdullfumxgjtqxnhz.exe*."3⤵PID:3028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c csldshfxkajqrzuzn.exe1⤵PID:2088
-
C:\Windows\csldshfxkajqrzuzn.execsldshfxkajqrzuzn.exe2⤵PID:5256
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe .1⤵PID:6008
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe .2⤵PID:2508
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\wojdullfumxgjtqxnhz.exe*."3⤵PID:5732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jcytldezpiueitrzqlea.exe1⤵PID:5484
-
C:\Windows\jcytldezpiueitrzqlea.exejcytldezpiueitrzqlea.exe2⤵PID:4580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe .1⤵PID:5568
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe .2⤵PID:5284
-
C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe"C:\Users\Admin\AppData\Local\Temp\ruvqshgobef.exe" "c:\windows\wojdullfumxgjtqxnhz.exe*."3⤵PID:1448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wojdullfumxgjtqxnhz.exe1⤵PID:3380
-
C:\Windows\wojdullfumxgjtqxnhz.exewojdullfumxgjtqxnhz.exe2⤵PID:5236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe1⤵PID:6088
-
C:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exeC:\Users\Admin\AppData\Local\Temp\ysplexzvmgtejvudvrlie.exe2⤵PID:5192
-
Network
MITRE ATT&CK Enterprise v16 (the count that the page rendering pushed onto the start of the following line belongs to the technique that precedes it; restored below)
Persistence
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Hijack Execution Flow (1)
Executable Installer File Permissions Weakness (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Hijack Execution Flow (1)
Executable Installer File Permissions Weakness (1)
Defense Evasion
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Hijack Execution Flow (1)
Executable Installer File Permissions Weakness (1)
Impair Defenses (2)
Disable or Modify Tools (1)
Safe Mode Boot (1)
Modify Registry (5)
Downloads
-
Filesize
280B
MD569b8aa2d47a6fe602b40fcb40d4fb7c1
SHA1e0876e899882655138e2345d2a6c43521df4e885
SHA2567679ddf56cc465fe934b59fe6807b34be3da17a4a0105867aec4da89dc178bbf
SHA51263098d9b3161cb13385185ad21e68c2855925c0996cef397281b3a4dbaf15e0b77026b078842168773b5d49d0289acca310ef9f03a6f350d2b871b8fa3742587
-
Filesize
280B
MD5908c4d042032c615a08d70a87a6e68b4
SHA181cc396d2feee664a063a7427ce5df60f5944a8a
SHA2568183e656d44f50d41e75e5047cc5c71993c6b9d2c7a1bebd7cf4dfa95140305e
SHA51299d85f7e1ce5e1ddc015417f39b64bc5377de0c75d639b0528dfe263a291cb5931928bdc827854dc6af32cf08051fe7d11d258f8941df0083d350d0ac65148ca
-
Filesize
280B
MD5fc074933f8a1433ba6d96b52ab0bcf7b
SHA12f9de2fb647e55bb6f99846e8d2372c9d65cd4f9
SHA25685a229479a885cd22c8cc737eebba019f17b4aca7564c5dbfb0ce9ae13573723
SHA51217aa51846bad33e050c20acc88278d6d24761d8c6fcebe0253913a912dbcdae97ad8f21e419b04e54f1d03ea5b00c6af110c2bc66ee97827853eb2e5f5ce08b6
-
Filesize
280B
MD551f092c53125da0d7d943a2578cf1dd3
SHA198098e9a9ef2b447461fefbe0d757b558291e00a
SHA256a8a1bb1ef9f7ef68591df5cce609e9d5dd5809eec6c7e197329401294fa2266f
SHA5124b2e31ebf3df5443949202a9fb01072d5a8fa6f668c92e02eea03de1b1589317dd0cad3e8b5a8f233ab3520badd9be1354891f97ea3d9d2ab2f6e0d2fe3c85a6
-
Filesize
684KB
MD5c347f6a24fb5c357f2f1bfbf7151082f
SHA13cdeecdc5aab8df26fd4bbe8d93eeb5946738c00
SHA2568fb5ddf04592263a6e31ced33e92d9a605e5c16beea012105fa355d5c40bc115
SHA5121abe26599d1c8bb6ae447232b29b79fa1d44fb8b77105f2ae28980a1e6ee761818390019c267fd6b75e004879ac598bbb74667379c1edf7876a423334f7138f2
-
Filesize
320KB
MD526f398c93a993fd88b127cbbe3f5956d
SHA11e505dfce27ce2fa6683666f8facc77548e13251
SHA2563510d4469cc4a796aa05419029062d7e32ceceadd441dd76fd18a55d3d12629a
SHA512e57a71e504f870719500f39bea7b9700bc97d11122c6cd6270bc05a9902888df15d5232b987cbd862fa6f5cb9cec52958288af83625930383bdbb19e32857f4c
-
Filesize
280B
MD565a7b3923e05bb5887ac241c47df55c7
SHA1ab09880c24edf8d6f677aa34a4f74e8b5869d50c
SHA25698c72c7e8e8125df68a11a451a34c097354d64da07fbc7116bc696106672f4b4
SHA5122b439435e24df2eb0d106cc88887cbf6a3111b58c62145fb9415e9c16efc3f3526507def0177b7d1413898a669049adff8d6319c947143e48c654b13bbb34b8d
-
Filesize
4KB
MD543f41e685ca623ec0bc660c71b940006
SHA12279e83d1dd4e86e28342757a58f668d44f654d0
SHA2569130df3168b76b94cc17faa9b19b5282b70d20788bb2bc55412c28160bc0e465
SHA5120cb14bf103846884dd095ebb0daa5c81c976ac706ab874c0e16a581a374e0d667ae9885c8c7166cedb1d5c4f37b0743f43f490cac3b3298fa49e8f9eabb2a056
-
Filesize
604KB
MD5c01efe28cc72f758cb5548c1b0f4afe1
SHA123a4aae9c403e8a8484e80780ad911459332bcd6
SHA256b8fda1b4500ac5fa17c42f664f5708ce394b039f1a18fc7e526b714df784af6b
SHA512b1ce44a9919ea0ee91cb3b6d94522656102d95e8c5589d13736045b1919d908fa17e6bf07921e4e94cdc54f3abdc15be3c8fe82a347f6ea955e6958e045ca316