Analysis
max time kernel: 60s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20250411-en
resource tags: arch:x64, arch:x86, image:win11-20250411-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 18/04/2025, 00:44
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
  Resource: win10v2004-20250314-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
  Resource: win11-20250411-en
General
Target: JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
Size: 968KB
MD5: bbd7b871140426c0f77e65b9c18dbcf1
SHA1: f107fdc5b346882994efb09ba63b85e696679e4d
SHA256: 2e69cd89b60105229d7465e33802b3ff410aa6c470320732b23b88fa48572f9b
SHA512: c30ec761442c26b0f8c86eae2aebbd09c864a2587a27ca300b7c4669eb91efd88a2a05aae21020ae3c08ba690f472a551bc85b9d83967160758aaa3c9c6ff322
SSDEEP: 12288:/pUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqs0yDYilDLvxtJzzxHs0oPYJaf4Db:/pUNr6YkVRFkgbeqeo68FhqsnvzKT+
Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 25 IoCs)
Pykspa family
UAC bypass (3 TTPs, 34 IoCs)
Detect Pykspa worm (2 IoCs)
resource  yara_rule
behavioral2/files/0x001200000002accc-4.dat  family_pykspa
behavioral2/files/0x001900000002b0ca-104.dat  family_pykspa
Adds policy Run key to start application (2 TTPs, 64 IoCs)
Disables RegEdit via registry modification (27 IoCs)
Executes dropped EXE (64 IoCs)
Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
description  ioc  Process
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager  tghqbep.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys  tghqbep.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc  tghqbep.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power  tghqbep.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys  tghqbep.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc  tghqbep.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
oonjvdbdyyx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kemcuewkxhvyaz = "igsmiwskbphouxqfkt.exe ." oonjvdbdyyx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niribmfuitimppf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyqkwqgvhxcghyl.exe ." oonjvdbdyyx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niribmfuitimppf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\soyqkwqgvhxcghyl.exe ." oonjvdbdyyx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjypypcoxkmn = "gguqoecwpfziqvqhozcc.exe" oonjvdbdyyx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\simymsgqzf = "soyqkwqgvhxcghyl.exe" oonjvdbdyyx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kemcuewkxhvyaz = "tsfaxmjcujckrvpflvx.exe ." oonjvdbdyyx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlihyxsmdyirxtltfjkz.exe ." oonjvdbdyyx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "soyqkwqgvhxcghyl.exe ." 
oonjvdbdyyx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\simymsgqzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlihyxsmdyirxtltfjkz.exe" oonjvdbdyyx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\soyqkwqgvhxcghyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vwlihyxsmdyirxtltfjkz.exe" oonjvdbdyyx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kemcuewkxhvyaz = "vwlihyxsmdyirxtltfjkz.exe ." oonjvdbdyyx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nejwlshscju = "gguqoecwpfziqvqhozcc.exe ." tghqbep.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcjypypcoxkmn = "gguqoecwpfziqvqhozcc.exe" oonjvdbdyyx.exe -
Checks whether UAC is enabled 1 TTPs 50 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tghqbep.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tghqbep.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tghqbep.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tghqbep.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | tghqbep.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | tghqbep.exe
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | whatismyip.everdot.org
1 | whatismyipaddress.com
2 | www.showmyipaddress.com
2 | www.whatismyip.ca
2 | whatismyip.everdot.org
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | C:\autorun.inf | tghqbep.exe
File opened for modification | F:\autorun.inf | tghqbep.exe
File created | F:\autorun.inf | tghqbep.exe
File opened for modification | C:\autorun.inf | tghqbep.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\igsmiwskbphouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\igsmiwskbphouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\moeccuuqldzkubyransuki.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\zwhavidukxouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\zwhavidukxouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe | tghqbep.exe
File opened for modification | C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe | tghqbep.exe
File opened for modification | C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\wcwycyccbxxmalmjwnwcwy.ycc | tghqbep.exe
File opened for modification | C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\moeccuuqldzkubyransuki.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\zwhavidukxouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\vwlihyxsmdyirxtltfjkz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\moeccuuqldzkubyransuki.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\moeccuuqldzkubyransuki.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\vwlihyxsmdyirxtltfjkz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe | tghqbep.exe
File opened for modification | C:\Windows\SysWOW64\vwlihyxsmdyirxtltfjkz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\zwhavidukxouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\igsmiwskbphouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\vwlihyxsmdyirxtltfjkz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\vwlihyxsmdyirxtltfjkz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\vwlihyxsmdyirxtltfjkz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\igsmiwskbphouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\igsmiwskbphouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\vwlihyxsmdyirxtltfjkz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\zwhavidukxouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\zwhavidukxouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe | tghqbep.exe
File opened for modification | C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\igsmiwskbphouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\igsmiwskbphouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\soyqkwqgvhxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\tsfaxmjcujckrvpflvx.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\gguqoecwpfziqvqhozcc.exe | oonjvdbdyyx.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\wcwycyccbxxmalmjwnwcwy.ycc | tghqbep.exe
File created | C:\Program Files (x86)\wcwycyccbxxmalmjwnwcwy.ycc | tghqbep.exe
File opened for modification | C:\Program Files (x86)\nejwlshscjuutpbjhjduzmbixiszkkjfr.xzt | tghqbep.exe
File created | C:\Program Files (x86)\nejwlshscjuutpbjhjduzmbixiszkkjfr.xzt | tghqbep.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\igsmiwskbphouxqfkt.exe | tghqbep.exe
File opened for modification | C:\Windows\moeccuuqldzkubyransuki.exe | tghqbep.exe
File opened for modification | C:\Windows\zwhavidukxouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\soyqkwqgvhxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\igsmiwskbphouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\soyqkwqgvhxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\gguqoecwpfziqvqhozcc.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\soyqkwqgvhxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\igsmiwskbphouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\vwlihyxsmdyirxtltfjkz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\moeccuuqldzkubyransuki.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\gguqoecwpfziqvqhozcc.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\tsfaxmjcujckrvpflvx.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\gguqoecwpfziqvqhozcc.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\gguqoecwpfziqvqhozcc.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\tsfaxmjcujckrvpflvx.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\tsfaxmjcujckrvpflvx.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\moeccuuqldzkubyransuki.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\soyqkwqgvhxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\igsmiwskbphouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\tsfaxmjcujckrvpflvx.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\gguqoecwpfziqvqhozcc.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\tsfaxmjcujckrvpflvx.exe | tghqbep.exe
File created | C:\Windows\wcwycyccbxxmalmjwnwcwy.ycc | tghqbep.exe
File opened for modification | C:\Windows\igsmiwskbphouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\gguqoecwpfziqvqhozcc.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\zwhavidukxouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\soyqkwqgvhxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\igsmiwskbphouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\vwlihyxsmdyirxtltfjkz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\moeccuuqldzkubyransuki.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\igsmiwskbphouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\tsfaxmjcujckrvpflvx.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\soyqkwqgvhxcghyl.exe | tghqbep.exe
File opened for modification | C:\Windows\igsmiwskbphouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\zwhavidukxouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\igsmiwskbphouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\vwlihyxsmdyirxtltfjkz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\igsmiwskbphouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\zwhavidukxouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\soyqkwqgvhxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\moeccuuqldzkubyransuki.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\moeccuuqldzkubyransuki.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\vwlihyxsmdyirxtltfjkz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\igsmiwskbphouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\vwlihyxsmdyirxtltfjkz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\igsmiwskbphouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\zwhavidukxouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\soyqkwqgvhxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\vwlihyxsmdyirxtltfjkz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\moeccuuqldzkubyransuki.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\moeccuuqldzkubyransuki.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\zwhavidukxouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\tsfaxmjcujckrvpflvx.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\moeccuuqldzkubyransuki.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\igsmiwskbphouxqfkt.exe | tghqbep.exe
File opened for modification | C:\Windows\nejwlshscjuutpbjhjduzmbixiszkkjfr.xzt | tghqbep.exe
File opened for modification | C:\Windows\gguqoecwpfziqvqhozcc.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\zwhavidukxouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\vwlihyxsmdyirxtltfjkz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\moeccuuqldzkubyransuki.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\tsfaxmjcujckrvpflvx.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\zwhavidukxouzbthl.exe | tghqbep.exe
File opened for modification | C:\Windows\soyqkwqgvhxcghyl.exe | oonjvdbdyyx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vwlihyxsmdyirxtltfjkz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zwhavidukxouzbthl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vwlihyxsmdyirxtltfjkz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igsmiwskbphouxqfkt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gguqoecwpfziqvqhozcc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igsmiwskbphouxqfkt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | soyqkwqgvhxcghyl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gguqoecwpfziqvqhozcc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vwlihyxsmdyirxtltfjkz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igsmiwskbphouxqfkt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | soyqkwqgvhxcghyl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | soyqkwqgvhxcghyl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gguqoecwpfziqvqhozcc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tsfaxmjcujckrvpflvx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tsfaxmjcujckrvpflvx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tsfaxmjcujckrvpflvx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tsfaxmjcujckrvpflvx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tsfaxmjcujckrvpflvx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tsfaxmjcujckrvpflvx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igsmiwskbphouxqfkt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zwhavidukxouzbthl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zwhavidukxouzbthl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | soyqkwqgvhxcghyl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zwhavidukxouzbthl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gguqoecwpfziqvqhozcc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tsfaxmjcujckrvpflvx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zwhavidukxouzbthl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oonjvdbdyyx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | soyqkwqgvhxcghyl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vwlihyxsmdyirxtltfjkz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | soyqkwqgvhxcghyl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | soyqkwqgvhxcghyl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tsfaxmjcujckrvpflvx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vwlihyxsmdyirxtltfjkz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zwhavidukxouzbthl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zwhavidukxouzbthl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | soyqkwqgvhxcghyl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tsfaxmjcujckrvpflvx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tsfaxmjcujckrvpflvx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igsmiwskbphouxqfkt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igsmiwskbphouxqfkt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tsfaxmjcujckrvpflvx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | soyqkwqgvhxcghyl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zwhavidukxouzbthl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gguqoecwpfziqvqhozcc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | soyqkwqgvhxcghyl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | soyqkwqgvhxcghyl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zwhavidukxouzbthl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igsmiwskbphouxqfkt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | soyqkwqgvhxcghyl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gguqoecwpfziqvqhozcc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igsmiwskbphouxqfkt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vwlihyxsmdyirxtltfjkz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gguqoecwpfziqvqhozcc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tghqbep.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gguqoecwpfziqvqhozcc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | soyqkwqgvhxcghyl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igsmiwskbphouxqfkt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vwlihyxsmdyirxtltfjkz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igsmiwskbphouxqfkt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zwhavidukxouzbthl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gguqoecwpfziqvqhozcc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | soyqkwqgvhxcghyl.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2808  tghqbep.exe
2808  tghqbep.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2808  tghqbep.exe
2808  tghqbep.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description               pid   Process
Token: SeDebugPrivilege   2808  tghqbep.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                          pid   Process                                                procid_target
PID 2056 wrote to memory of 1048     2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe   78
PID 2056 wrote to memory of 1048     2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe   78
PID 2056 wrote to memory of 1048     2056  JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe   78
PID 4736 wrote to memory of 5036     4736  cmd.exe                                               81
PID 4736 wrote to memory of 5036     4736  cmd.exe                                               81
PID 4736 wrote to memory of 5036     4736  cmd.exe                                               81
PID 5076 wrote to memory of 5020     5076  cmd.exe                                               84
PID 5076 wrote to memory of 5020     5076  cmd.exe                                               84
PID 5076 wrote to memory of 5020     5076  cmd.exe                                               84
PID 5020 wrote to memory of 3480     5020  vwlihyxsmdyirxtltfjkz.exe                             85
PID 5020 wrote to memory of 3480     5020  vwlihyxsmdyirxtltfjkz.exe                             85
PID 5020 wrote to memory of 3480     5020  vwlihyxsmdyirxtltfjkz.exe                             85
PID 3236 wrote to memory of 6012     3236  cmd.exe                                               88
PID 3236 wrote to memory of 6012     3236  cmd.exe                                               88
PID 3236 wrote to memory of 6012     3236  cmd.exe                                               88
PID 3512 wrote to memory of 464      3512  cmd.exe                                               91
PID 3512 wrote to memory of 464      3512  cmd.exe                                               91
PID 3512 wrote to memory of 464      3512  cmd.exe                                               91
PID 464 wrote to memory of 4324      464   igsmiwskbphouxqfkt.exe                                94
PID 464 wrote to memory of 4324      464   igsmiwskbphouxqfkt.exe                                94
PID 464 wrote to memory of 4324      464   igsmiwskbphouxqfkt.exe                                94
PID 2364 wrote to memory of 4444     2364  cmd.exe                                               95
PID 2364 wrote to memory of 4444     2364  cmd.exe                                               95
PID 2364 wrote to memory of 4444     2364  cmd.exe                                               95
PID 4784 wrote to memory of 2748     4784  cmd.exe                                               98
PID 4784 wrote to memory of 2748     4784  cmd.exe                                               98
PID 4784 wrote to memory of 2748     4784  cmd.exe                                               98
PID 2748 wrote to memory of 3576     2748  soyqkwqgvhxcghyl.exe                                  99
PID 2748 wrote to memory of 3576     2748  soyqkwqgvhxcghyl.exe                                  99
PID 2748 wrote to memory of 3576     2748  soyqkwqgvhxcghyl.exe                                  99
PID 2000 wrote to memory of 5324     2000  cmd.exe                                               102
PID 2000 wrote to memory of 5324     2000  cmd.exe                                               102
PID 2000 wrote to memory of 5324     2000  cmd.exe                                               102
PID 1368 wrote to memory of 5468     1368  cmd.exe                                               105
PID 1368 wrote to memory of 5468     1368  cmd.exe                                               105
PID 1368 wrote to memory of 5468     1368  cmd.exe                                               105
PID 5468 wrote to memory of 2820     5468  soyqkwqgvhxcghyl.exe                                  106
PID 5468 wrote to memory of 2820     5468  soyqkwqgvhxcghyl.exe                                  106
PID 5468 wrote to memory of 2820     5468  soyqkwqgvhxcghyl.exe                                  106
PID 1048 wrote to memory of 1604     1048  oonjvdbdyyx.exe                                       107
PID 1048 wrote to memory of 1604     1048  oonjvdbdyyx.exe                                       107
PID 1048 wrote to memory of 1604     1048  oonjvdbdyyx.exe                                       107
PID 1048 wrote to memory of 2808     1048  oonjvdbdyyx.exe                                       108
PID 1048 wrote to memory of 2808     1048  oonjvdbdyyx.exe                                       108
PID 1048 wrote to memory of 2808     1048  oonjvdbdyyx.exe                                       108
PID 3864 wrote to memory of 2372     3864  cmd.exe                                               114
PID 3864 wrote to memory of 2372     3864  cmd.exe                                               114
PID 3864 wrote to memory of 2372     3864  cmd.exe                                               114
PID 3984 wrote to memory of 1680     3984  cmd.exe                                               113
PID 3984 wrote to memory of 1680     3984  cmd.exe                                               113
PID 3984 wrote to memory of 1680     3984  cmd.exe                                               113
PID 5992 wrote to memory of 2116     5992  cmd.exe                                               119
PID 5992 wrote to memory of 2116     5992  cmd.exe                                               119
PID 5992 wrote to memory of 2116     5992  cmd.exe                                               119
PID 6088 wrote to memory of 3408     6088  cmd.exe                                               120
PID 6088 wrote to memory of 3408     6088  cmd.exe                                               120
PID 6088 wrote to memory of 3408     6088  cmd.exe                                               120
PID 2116 wrote to memory of 3484     2116  tsfaxmjcujckrvpflvx.exe                               124
PID 2116 wrote to memory of 3484     2116  tsfaxmjcujckrvpflvx.exe                               124
PID 2116 wrote to memory of 3484     2116  tsfaxmjcujckrvpflvx.exe                               124
PID 3408 wrote to memory of 4868     3408  gguqoecwpfziqvqhozcc.exe                              126
PID 3408 wrote to memory of 4868     3408  gguqoecwpfziqvqhozcc.exe                              126
PID 3408 wrote to memory of 4868     3408  gguqoecwpfziqvqhozcc.exe                              126
PID 4892 wrote to memory of 5828     4892  cmd.exe                                               131
System policy modification 1 TTPs 64 IoCs
description      ioc                                                                                                        Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"     tghqbep.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"         oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"          tghqbep.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"          tghqbep.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"      tghqbep.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     oonjvdbdyyx.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                     tghqbep.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"          oonjvdbdyyx.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"   tghqbep.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"    tghqbep.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"          oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"          tghqbep.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"      tghqbep.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"          tghqbep.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     oonjvdbdyyx.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"   oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"      oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"          tghqbep.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"          tghqbep.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"          oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"         tghqbep.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                     oonjvdbdyyx.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                     oonjvdbdyyx.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"    oonjvdbdyyx.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                                   oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"          tghqbep.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"         tghqbep.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     oonjvdbdyyx.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                     oonjvdbdyyx.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                     oonjvdbdyyx.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                     tghqbep.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     oonjvdbdyyx.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"          oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     tghqbep.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"          tghqbep.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                     oonjvdbdyyx.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                     oonjvdbdyyx.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     oonjvdbdyyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"    tghqbep.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1048 -
C:\Users\Admin\AppData\Local\Temp\tghqbep.exe"C:\Users\Admin\AppData\Local\Temp\tghqbep.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:1604
-
-
C:\Users\Admin\AppData\Local\Temp\tghqbep.exe"C:\Users\Admin\AppData\Local\Temp\tghqbep.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe2⤵
- Executes dropped EXE
PID:5036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\vwlihyxsmdyirxtltfjkz.exevwlihyxsmdyirxtltfjkz.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."3⤵
- Executes dropped EXE
PID:3480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe2⤵
- Executes dropped EXE
PID:6012
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."3⤵
- Executes dropped EXE
PID:4324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exeC:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4444
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exeC:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."3⤵
- Executes dropped EXE
PID:3576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe2⤵
- Executes dropped EXE
PID:5324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exeC:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5468 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."3⤵
- Executes dropped EXE
PID:2820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe2⤵
- Executes dropped EXE
PID:1680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe2⤵
- Executes dropped EXE
PID:2372
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:6088 -
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."3⤵
- Executes dropped EXE
PID:4868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5992 -
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."3⤵
- Executes dropped EXE
PID:3484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe1⤵PID:1840
-
C:\Windows\zwhavidukxouzbthl.exezwhavidukxouzbthl.exe2⤵
- Executes dropped EXE
PID:3800
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\vwlihyxsmdyirxtltfjkz.exevwlihyxsmdyirxtltfjkz.exe2⤵
- Executes dropped EXE
PID:5828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .1⤵PID:2108
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5376 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .1⤵PID:2812
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe .2⤵
- Executes dropped EXE
PID:6024 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."3⤵
- Executes dropped EXE
PID:5748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe1⤵PID:4044
-
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe2⤵
- Executes dropped EXE
PID:5196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe1⤵PID:1152
-
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exeC:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5356
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .1⤵PID:936
-
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."3⤵
- Executes dropped EXE
PID:6008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .1⤵PID:1312
-
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .2⤵
- Executes dropped EXE
PID:1544 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."3⤵
- Executes dropped EXE
PID:5760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe1⤵PID:2732
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe1⤵PID:4280
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .1⤵PID:5444
-
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exeC:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4928 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."3⤵
- Executes dropped EXE
PID:4860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .1⤵PID:6104
-
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exeC:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3716 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."3⤵
- Executes dropped EXE
PID:5060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe1⤵PID:768
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe2⤵
- Executes dropped EXE
PID:5064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .1⤵PID:4848
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4032 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."3⤵
- Executes dropped EXE
PID:4296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe1⤵PID:4304
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe2⤵
- Executes dropped EXE
PID:5512
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .1⤵PID:3216
-
C:\Windows\vwlihyxsmdyirxtltfjkz.exevwlihyxsmdyirxtltfjkz.exe .2⤵
- Executes dropped EXE
PID:1964 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."3⤵
- Executes dropped EXE
PID:4260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe1⤵PID:532
-
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exeC:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe2⤵
- Executes dropped EXE
PID:5460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .1⤵PID:1184
-
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exeC:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .2⤵
- Executes dropped EXE
PID:2980 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."3⤵
- Executes dropped EXE
PID:2748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe1⤵PID:4784
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe2⤵
- Executes dropped EXE
PID:3340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .1⤵PID:5676
-
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exeC:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .2⤵
- Executes dropped EXE
PID:4472 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe1⤵PID:3156
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe2⤵
- Executes dropped EXE
PID:5836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .1⤵PID:3140
-
C:\Windows\zwhavidukxouzbthl.exezwhavidukxouzbthl.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."3⤵
- Executes dropped EXE
PID:3088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe1⤵PID:1364
-
C:\Windows\soyqkwqgvhxcghyl.exesoyqkwqgvhxcghyl.exe2⤵
- Executes dropped EXE
PID:5260
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .1⤵PID:3272
-
C:\Windows\vwlihyxsmdyirxtltfjkz.exevwlihyxsmdyirxtltfjkz.exe .2⤵
- Executes dropped EXE
PID:3952 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."3⤵
- Executes dropped EXE
PID:656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe1⤵PID:4176
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe2⤵
- Executes dropped EXE
PID:832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe1⤵PID:1680
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe2⤵
- Executes dropped EXE
PID:2416
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe1⤵PID:4092
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe2⤵
- Executes dropped EXE
PID:1084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .1⤵PID:4084
-
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exeC:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5624 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."3⤵
- Executes dropped EXE
PID:6000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .1⤵PID:4040
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe .2⤵
- Executes dropped EXE
PID:4812 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."3⤵PID:2256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .1⤵PID:5904
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5408 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."3⤵PID:5552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe1⤵PID:1372
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe2⤵PID:844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe1⤵PID:2340
-
C:\Windows\soyqkwqgvhxcghyl.exesoyqkwqgvhxcghyl.exe2⤵PID:1812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe1⤵PID:5784
-
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe2⤵PID:3976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .1⤵PID:2448
-
C:\Windows\vwlihyxsmdyirxtltfjkz.exevwlihyxsmdyirxtltfjkz.exe .2⤵PID:1048
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3988
-
-
-
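Each process entry above fuses four fields onto one line: the image path, the command line, a depth marker such as `2⤵`, and the PID (which sometimes lands on its own `PID:` line after the signature bullets). The Python below is an added example, not part of the sandbox report or of the sample's own code. It reconstructs parent/child links from the depth markers and flags the launch pattern this tree repeats: a `cmd.exe /c` stage starts a dropped executable from the root of `C:\Windows` or from the user's Temp folder, often with a lone `.` argument, and that executable then starts `oonjvdbdyyx.exe` with its own image path plus `*.` as the argument. The embedded tree is constructed to mirror entries shown above; the rule names and heuristics are the editor's choices, not sandbox output.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample mirroring the report's layout: image path, command line,
# depth marker and PID fused on one line; "-" lines are tree separators; the
# signature bullets and a trailing "PID:" line may follow an entry.
SAMPLE_TREE = r"""
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .1⤵PID:2448
-
C:\Windows\vwlihyxsmdyirxtltfjkz.exevwlihyxsmdyirxtltfjkz.exe .2⤵PID:1048
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
PID:3988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe1⤵PID:5404
-
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exeC:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe2⤵PID:5940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe1⤵PID:4032
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3900
"""

# One digit before the arrow: the depth is glued to the command line, so a
# greedy \d+ would read "-ForceV1" followed by "2⤵" as depth 12.
ENTRY_RE = re.compile(r"^(?P<image>.+?\.exe)(?P<cmdline>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?")
PID_RE = re.compile(r"^PID:(?P<pid>\d+)")
WINDOWS_ROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.I)
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    parent: Optional["Proc"] = None
    signatures: list = field(default_factory=list)


def parse_tree(text: str) -> list:
    """Turn the dumped tree into Proc objects linked to their parents by depth."""
    procs, last_at_depth, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if line.startswith("- ") and current is not None:
            current.signatures.append(line[2:])
            continue
        m = PID_RE.match(line)
        if m and current is not None:
            current.pid = int(m["pid"])
            continue
        m = ENTRY_RE.match(line)
        if m:
            depth = int(m["depth"])
            current = Proc(m["image"], m["cmdline"].strip(), depth,
                           int(m["pid"]) if m["pid"] else None,
                           last_at_depth.get(depth - 1))
            last_at_depth[depth] = current
            procs.append(current)
    return procs


def split_args(cmdline: str) -> list:
    """Minimal Windows-style tokenizer: quoted tokens stay whole, quotes dropped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def flag(proc: Proc) -> list:
    """Heuristics for the launch pattern repeated throughout this report."""
    findings = []
    image = proc.image.lower()
    if WINDOWS_ROOT_EXE.match(image):
        findings.append("executable directly under C:\\Windows, not System32")
    if USER_TEMP.match(image):
        findings.append("executable running from the user's Temp directory")
    parent = proc.parent
    if parent and parent.image.lower().endswith("\\cmd.exe") and "/c" in parent.cmdline.lower():
        findings.append("launched via cmd.exe /c")
    args = split_args(proc.cmdline)
    if args[1:] == ["."]:
        findings.append('invoked with a lone "." argument')
    for arg in args[1:]:
        if parent and arg.endswith("*.") and arg[:-2].lower() == parent.image.lower():
            findings.append("argument is the parent's image path with '*.' appended")
    findings.extend(f"sandbox signature: {s}" for s in proc.signatures)
    return findings


def triage(text: str) -> dict:
    """Map PID -> findings for every process that triggered at least one rule."""
    report = {}
    for proc in parse_tree(text):
        hits = flag(proc)
        if hits and proc.pid is not None:
            report[proc.pid] = hits
    return report


if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_TREE).items():
        print(pid, *hits, sep="\n  ")
```

Paste the whole tree text into `triage()` and compare the PIDs it flags against the sandbox's own signature bullets; the `conhost.exe 0xffffffff -ForceV1` children that cmd.exe spawns are expected noise and only trip the weakest rule, so treat the combination of rules, not any single one, as the signal.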
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .1⤵PID:2652
-
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exeC:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."3⤵PID:5920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .1⤵PID:2488
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe .2⤵
- System Location Discovery: System Language Discovery
PID:908 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."3⤵PID:4504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe1⤵PID:5572
-
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exeC:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe2⤵PID:5808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe1⤵PID:5688
-
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe2⤵PID:4916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .1⤵PID:2544
-
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .2⤵PID:2988
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."3⤵PID:4756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .1⤵PID:3832
-
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exeC:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .2⤵PID:4872
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."3⤵PID:1568
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe1⤵PID:3256
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe2⤵PID:5084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe1⤵PID:5404
-
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exeC:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe2⤵PID:5940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .1⤵PID:5628
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3320 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."3⤵PID:3900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .1⤵PID:1488
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4928
-
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .2⤵PID:2360
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."3⤵PID:3656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe1⤵PID:2788
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe2⤵PID:5036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .1⤵PID:3108
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4304 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."3⤵PID:3880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe1⤵PID:5132
-
C:\Windows\zwhavidukxouzbthl.exezwhavidukxouzbthl.exe2⤵PID:1168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .1⤵PID:2244
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."3⤵PID:5324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe1⤵PID:2980
-
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exeC:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe2⤵PID:1876
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .1⤵PID:1836
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .2⤵PID:6036
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."3⤵PID:2420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe1⤵PID:4524
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe2⤵PID:2064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .1⤵PID:2172
-
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exeC:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .2⤵PID:4312
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe1⤵PID:2960
-
C:\Windows\vwlihyxsmdyirxtltfjkz.exevwlihyxsmdyirxtltfjkz.exe2⤵PID:5500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .1⤵PID:5260
-
C:\Windows\soyqkwqgvhxcghyl.exesoyqkwqgvhxcghyl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1416 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."3⤵PID:4172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe1⤵PID:5736
-
C:\Windows\vwlihyxsmdyirxtltfjkz.exevwlihyxsmdyirxtltfjkz.exe2⤵PID:2532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .1⤵PID:2500
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe .2⤵
- System Location Discovery: System Language Discovery
PID:848 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."3⤵PID:5864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe1⤵PID:4888
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe2⤵PID:1728
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .1⤵PID:4164
-
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exeC:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5624 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."3⤵PID:1920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe1⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exeC:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe2⤵PID:2816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .1⤵PID:5816
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .2⤵PID:5356
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5372
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe1⤵PID:6088
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe2⤵PID:920
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .1⤵PID:1588
-
C:\Windows\zwhavidukxouzbthl.exezwhavidukxouzbthl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1008 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."3⤵PID:6080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe1⤵PID:5980
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe2⤵PID:3384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .1⤵PID:4480
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe .2⤵PID:1384
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."3⤵PID:1976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe1⤵PID:1072
-
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe2⤵PID:4780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .1⤵PID:1752
-
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exeC:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1160 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."3⤵PID:5976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe1⤵PID:4768
-
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exeC:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe2⤵PID:5424
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .1⤵PID:4076
-
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exeC:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .2⤵PID:4364
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
PID:5960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe1⤵PID:4012
-
C:\Windows\zwhavidukxouzbthl.exezwhavidukxouzbthl.exe2⤵PID:552
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .1⤵PID:4112
-
C:\Windows\soyqkwqgvhxcghyl.exesoyqkwqgvhxcghyl.exe .2⤵PID:4764
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."3⤵PID:2080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe1⤵PID:4032
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3900
-
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe2⤵PID:3168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .1⤵PID:4912
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe .2⤵PID:5544
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."3⤵PID:5516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe1⤵PID:5060
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe2⤵PID:5804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .1⤵PID:5124
-
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exeC:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .2⤵PID:3084
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."3⤵PID:4948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe1⤵PID:2036
-
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exeC:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe2⤵PID:3372
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .1⤵PID:532
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3880
-
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4608 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe1⤵PID:2300
-
C:\Windows\vwlihyxsmdyirxtltfjkz.exevwlihyxsmdyirxtltfjkz.exe2⤵PID:4444
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .1⤵PID:2976
-
C:\Windows\soyqkwqgvhxcghyl.exesoyqkwqgvhxcghyl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."3⤵PID:3576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe1⤵PID:4128
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe2⤵PID:3712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .1⤵PID:2436
-
C:\Windows\soyqkwqgvhxcghyl.exesoyqkwqgvhxcghyl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1868 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."3⤵PID:5800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe1⤵PID:1880
-
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exeC:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe2⤵PID:3164
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .1⤵PID:1984
-
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exeC:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .2⤵PID:2504
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."3⤵PID:3020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe1⤵PID:3748
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe2⤵PID:2764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .1⤵PID:1520
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:656 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4144
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe1⤵PID:5928
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe2⤵PID:5864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .1⤵PID:6020
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4368 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."3⤵PID:4164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe1⤵PID:5684
-
C:\Windows\vwlihyxsmdyirxtltfjkz.exevwlihyxsmdyirxtltfjkz.exe2⤵PID:3800
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .1⤵PID:2952
-
C:\Windows\soyqkwqgvhxcghyl.exesoyqkwqgvhxcghyl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5992 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."3⤵PID:5828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe1⤵PID:4796
-
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe2⤵PID:5336
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .1⤵PID:5904
-
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exeC:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1800 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."3⤵PID:4204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe1⤵PID:3792
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe2⤵PID:5316
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .1⤵PID:5136
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .2⤵PID:3384
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe1⤵PID:1792
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4780
-
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe2⤵PID:6028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .1⤵PID:1048
-
C:\Windows\vwlihyxsmdyirxtltfjkz.exevwlihyxsmdyirxtltfjkz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3336 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."3⤵PID:4348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe1⤵PID:1160
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe2⤵PID:5976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .1⤵PID:4776
-
C:\Windows\zwhavidukxouzbthl.exezwhavidukxouzbthl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4040 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."3⤵PID:5088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe1⤵PID:5952
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe2⤵PID:4804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe1⤵PID:6100
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1568
-
-
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exeC:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe2⤵PID:5656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .1⤵PID:3028
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1848 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."3⤵PID:5224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe1⤵PID:552
-
C:\Windows\soyqkwqgvhxcghyl.exesoyqkwqgvhxcghyl.exe2⤵PID:1404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .1⤵PID:3804
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe .2⤵PID:4788
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."3⤵PID:4432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .1⤵PID:4928
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5804
-
-
C:\Windows\soyqkwqgvhxcghyl.exesoyqkwqgvhxcghyl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5028 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."3⤵PID:4948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe1⤵PID:4852
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5516
-
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe2⤵PID:1152
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe1⤵PID:4080
-
C:\Windows\soyqkwqgvhxcghyl.exesoyqkwqgvhxcghyl.exe2⤵PID:4848
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .1⤵PID:908
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2236 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."3⤵PID:2000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe1⤵PID:3108
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe2⤵PID:1876
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .1⤵PID:4304
-
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exeC:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4388 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .1⤵PID:4148
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe .2⤵PID:1348
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."3⤵PID:5812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe1⤵PID:2364
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe2⤵PID:5836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe1⤵PID:2432
-
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe2⤵PID:2820
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .1⤵PID:748
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .2⤵PID:5880
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."3⤵PID:3284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .1⤵PID:5432
-
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .2⤵PID:1672
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."3⤵PID:1608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe1⤵PID:4524
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4312
-
-
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe2⤵PID:5892
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .1⤵PID:692
-
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exeC:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .2⤵PID:1576
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."3⤵PID:3440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe1⤵PID:2960
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2764
-
-
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exeC:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe2⤵PID:4408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .1⤵PID:5660
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .2⤵PID:400
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."3⤵PID:6084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe1⤵PID:5268
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe2⤵PID:776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .1⤵PID:3696
-
C:\Windows\vwlihyxsmdyirxtltfjkz.exevwlihyxsmdyirxtltfjkz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."3⤵PID:788
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe1⤵PID:5552
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe2⤵PID:5408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .1⤵PID:1388
-
C:\Windows\zwhavidukxouzbthl.exezwhavidukxouzbthl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5376 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."3⤵PID:1800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe1⤵PID:3428
-
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe2⤵PID:5776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .1⤵PID:920
-
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exeC:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .2⤵PID:3332
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."3⤵PID:1948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe1⤵PID:5200
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe2⤵PID:3384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .1⤵PID:1588
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1544 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe1⤵PID:5564
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe2⤵PID:3336
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .1⤵PID:1476
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe .2⤵PID:5976
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."3⤵PID:6076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe1⤵PID:124
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1160
-
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe2⤵PID:2544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .1⤵PID:5504
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe .2⤵PID:2988
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."3⤵PID:628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe1⤵PID:2924
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5656
-
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe2⤵PID:5448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .1⤵PID:244
-
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .2⤵PID:3256
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."3⤵PID:224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe1⤵PID:5224
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe2⤵PID:3320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .1⤵PID:4032
-
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1488 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:6108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe1⤵PID:4324
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe2⤵PID:5668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .1⤵PID:2732
-
C:\Windows\zwhavidukxouzbthl.exezwhavidukxouzbthl.exe .2⤵PID:4380
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."3⤵PID:1876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe1⤵PID:3048
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe2⤵PID:4608
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .1⤵PID:4316
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4360 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."3⤵PID:2820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe1⤵PID:1180
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe2⤵PID:1880
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .1⤵PID:3236
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .2⤵PID:1700
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."3⤵PID:4600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe1⤵PID:4900
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe2⤵PID:832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .1⤵PID:3712
-
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exeC:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .2⤵PID:5324
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."3⤵PID:5108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe1⤵PID:2852
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe2⤵PID:5848
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe1⤵PID:1680
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe2⤵PID:400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .1⤵PID:1032
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6084
-
-
C:\Windows\zwhavidukxouzbthl.exezwhavidukxouzbthl.exe .2⤵PID:3440
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .1⤵PID:4640
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe .2⤵PID:3184
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."3⤵PID:2052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe1⤵PID:4588
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2760
-
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe2⤵PID:5316
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe1⤵PID:4368
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe2⤵PID:2576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .1⤵PID:5320
-
C:\Windows\vwlihyxsmdyirxtltfjkz.exevwlihyxsmdyirxtltfjkz.exe .2⤵PID:484
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."3⤵PID:3336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .1⤵PID:1300
-
C:\Windows\zwhavidukxouzbthl.exezwhavidukxouzbthl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3544 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."3⤵PID:4712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe1⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exeC:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe2⤵PID:1588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe1⤵PID:2964
-
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exeC:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe2⤵PID:2220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .1⤵PID:1008
-
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exeC:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .2⤵PID:4700
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."3⤵PID:6100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .1⤵PID:5200
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .2⤵PID:5548
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."3⤵PID:936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe1⤵PID:3796
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe2⤵PID:5852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .1⤵PID:5752
-
C:\Windows\soyqkwqgvhxcghyl.exesoyqkwqgvhxcghyl.exe .2⤵PID:2796
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."3⤵PID:3804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe1⤵PID:6016
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe2⤵PID:1816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .1⤵PID:4804
-
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1392 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."3⤵PID:4948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe1⤵PID:3524
-
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exeC:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe2⤵PID:1328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .1⤵PID:2716
-
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exeC:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1488 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*."3⤵PID:1028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe1⤵PID:4664
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe2⤵PID:5768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .1⤵PID:1404
-
C:\Windows\zwhavidukxouzbthl.exezwhavidukxouzbthl.exe .2⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."3⤵PID:1876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe1⤵PID:5360
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4432
-
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe2⤵PID:4932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .1⤵PID:2412
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1152
-
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .2⤵PID:2228
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."3⤵PID:5036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe1⤵PID:2036
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4608
-
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe2⤵PID:3512
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .1⤵PID:4412
-
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .2⤵PID:696
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe1⤵PID:5392
-
C:\Windows\soyqkwqgvhxcghyl.exesoyqkwqgvhxcghyl.exe2⤵PID:5500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .1⤵PID:5056
-
C:\Windows\zwhavidukxouzbthl.exezwhavidukxouzbthl.exe .2⤵PID:3812
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."3⤵PID:4404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe1⤵PID:3020
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe2⤵PID:4732
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .1⤵PID:5468
-
C:\Windows\vwlihyxsmdyirxtltfjkz.exevwlihyxsmdyirxtltfjkz.exe .2⤵PID:4216
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."3⤵PID:6036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe1⤵PID:1164
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe2⤵PID:3612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .1⤵PID:4612
-
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exeC:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .2⤵PID:428
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."3⤵PID:4372
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe1⤵PID:5432
-
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exeC:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe2⤵PID:3948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .1⤵PID:776
-
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exeC:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .2⤵PID:4176
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:3484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe1⤵PID:4460
-
C:\Windows\vwlihyxsmdyirxtltfjkz.exevwlihyxsmdyirxtltfjkz.exe2⤵PID:788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .1⤵PID:940
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."3⤵PID:2372
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe1⤵PID:5316
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe2⤵PID:2576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .1⤵PID:1436
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe .2⤵PID:2296
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."3⤵PID:5992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe1⤵PID:2596
-
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exeC:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe2⤵PID:5904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .1⤵PID:4872
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4204
-
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .2⤵PID:5328
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."3⤵PID:5088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe1⤵PID:2952
-
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exeC:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe2⤵PID:6076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .1⤵PID:4700
-
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exeC:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .2⤵PID:2304
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe1⤵PID:5664
-
C:\Windows\zwhavidukxouzbthl.exezwhavidukxouzbthl.exe2⤵PID:5424
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .1⤵PID:2308
-
C:\Windows\zwhavidukxouzbthl.exezwhavidukxouzbthl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5084 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."3⤵PID:1848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe1⤵PID:4144
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe2⤵PID:4252
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe .1⤵PID:628
-
C:\Windows\zwhavidukxouzbthl.exezwhavidukxouzbthl.exe .2⤵PID:5460
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*."3⤵PID:4924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe1⤵PID:5040
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe2⤵PID:5224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .1⤵PID:5104
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .2⤵PID:800
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."3⤵PID:420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe1⤵PID:3772
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe2⤵PID:5512
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .1⤵PID:2080
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5076 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe1⤵PID:4928
-
C:\Windows\soyqkwqgvhxcghyl.exesoyqkwqgvhxcghyl.exe2⤵PID:2836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .1⤵PID:5320
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe .2⤵PID:1168
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."3⤵PID:3748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe1⤵PID:5704
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe2⤵PID:1936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .1⤵PID:1844
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe .2⤵PID:2496
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."3⤵PID:2948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe1⤵PID:3164
-
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exeC:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe2⤵PID:1480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .1⤵PID:3232
-
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exeC:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .2⤵PID:1348
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."3⤵PID:5108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe1⤵PID:3284
-
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe2⤵PID:6108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .1⤵PID:5312
-
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:5912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe1⤵PID:4944
-
C:\Windows\soyqkwqgvhxcghyl.exesoyqkwqgvhxcghyl.exe2⤵PID:748
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .1⤵PID:4684
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1364 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."3⤵PID:2392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe1⤵PID:4168
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe2⤵PID:5440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .1⤵PID:4464
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe .2⤵PID:3364
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."3⤵PID:3792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe1⤵PID:4796
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5336
-
-
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exeC:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe2⤵PID:1576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .1⤵PID:760
-
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exeC:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3184 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."3⤵PID:4480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe1⤵PID:1452
-
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exeC:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe2⤵PID:5524
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .1⤵PID:768
-
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exeC:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .2⤵PID:5376
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe1⤵PID:1160
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2544
-
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe2⤵PID:4872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .1⤵PID:5088
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5996 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."3⤵PID:4436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe1⤵PID:1228
-
C:\Windows\vwlihyxsmdyirxtltfjkz.exevwlihyxsmdyirxtltfjkz.exe2⤵PID:6008
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .1⤵PID:4760
-
C:\Windows\soyqkwqgvhxcghyl.exesoyqkwqgvhxcghyl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4844 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."3⤵PID:3508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe1⤵PID:936
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe2⤵PID:5664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .1⤵PID:3636
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .2⤵PID:1384
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."3⤵PID:4856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe1⤵PID:4252
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe2⤵PID:4364
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe1⤵PID:4860
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe2⤵PID:4012
-
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | PID:4924
    C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | PID:5872

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe . | PID:4040
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5668
    C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe . | PID:1620
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*." | PID:3808

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe . | PID:4932
    C:\Windows\tsfaxmjcujckrvpflvx.exe | tsfaxmjcujckrvpflvx.exe . | PID:5448
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*." | PID:3648

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe . | PID:6104
    C:\Windows\soyqkwqgvhxcghyl.exe | soyqkwqgvhxcghyl.exe . | PID:1876
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*." | PID:5980
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe | PID:4324
    C:\Windows\vwlihyxsmdyirxtltfjkz.exe | vwlihyxsmdyirxtltfjkz.exe | PID:2984

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe . | PID:5508
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5028
    C:\Windows\vwlihyxsmdyirxtltfjkz.exe | vwlihyxsmdyirxtltfjkz.exe . | PID:5780
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*." | PID:5156

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe | PID:5360
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1404
    C:\Windows\tsfaxmjcujckrvpflvx.exe | tsfaxmjcujckrvpflvx.exe | PID:5764

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe . | PID:2732
    C:\Windows\tsfaxmjcujckrvpflvx.exe | tsfaxmjcujckrvpflvx.exe . | PID:5164
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*." | PID:852

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | PID:5180
    C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | PID:428

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe . | PID:5804
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4608
    C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe | C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe . | PID:3544
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*." | PID:1160

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | PID:3216
    C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | PID:3052

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe . | PID:1936
    C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe | C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe . | PID:4028
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*." | PID:2088

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe | PID:4600
    C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe | C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe | PID:3428

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe . | PID:464
    C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe . | PID:2596
    - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*." | PID:4280

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | PID:4900
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2820
    C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | PID:2824

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe . | PID:6012
    C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe | C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe . | PID:2884
    - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*." | PID:1500

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe | PID:3284
    C:\Windows\vwlihyxsmdyirxtltfjkz.exe | vwlihyxsmdyirxtltfjkz.exe | PID:2164

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe . | PID:5812
    C:\Windows\tsfaxmjcujckrvpflvx.exe | tsfaxmjcujckrvpflvx.exe . | PID:4128
    - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*." | PID:1336

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe | PID:2204
    C:\Windows\gguqoecwpfziqvqhozcc.exe | gguqoecwpfziqvqhozcc.exe | PID:400

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe . | PID:3468
    C:\Windows\igsmiwskbphouxqfkt.exe | igsmiwskbphouxqfkt.exe . | PID:6072
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*." | PID:5268

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe | PID:1720
    C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe | C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe | PID:1548

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe . | PID:2052
    C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe . | PID:4488
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*." | PID:3884

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe | PID:2876
    C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe | C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe | PID:4348

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe . | PID:752
    C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe | C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe . | PID:4864
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*." | PID:3424
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe | PID:3332
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3384
    C:\Windows\igsmiwskbphouxqfkt.exe | igsmiwskbphouxqfkt.exe | PID:6100

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe . | PID:3536
    C:\Windows\zwhavidukxouzbthl.exe | zwhavidukxouzbthl.exe . | PID:3256
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\zwhavidukxouzbthl.exe*." | PID:3900

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe | PID:5424
    C:\Windows\igsmiwskbphouxqfkt.exe | igsmiwskbphouxqfkt.exe | PID:4060

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe . | PID:5636
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5776
    C:\Windows\tsfaxmjcujckrvpflvx.exe | tsfaxmjcujckrvpflvx.exe . | PID:1008
    - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*." | PID:5488

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe | PID:5264
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1384
    C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe | C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe | PID:3596

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe . | PID:4144
    C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe | C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe . | PID:5840
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*." | PID:1568

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe | PID:4484
    C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe | C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe | PID:4860

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe . | PID:2640
    C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe | C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe . | PID:3320
    - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*." | PID:1424
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe | PID:2988
    C:\Windows\zwhavidukxouzbthl.exe | zwhavidukxouzbthl.exe | PID:5500

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe . | PID:3656
    C:\Windows\soyqkwqgvhxcghyl.exe | soyqkwqgvhxcghyl.exe . | PID:2948
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*." | PID:5216

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe | PID:4384
    C:\Windows\gguqoecwpfziqvqhozcc.exe | gguqoecwpfziqvqhozcc.exe | PID:4732

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe . | PID:2284
    C:\Windows\igsmiwskbphouxqfkt.exe | igsmiwskbphouxqfkt.exe . | PID:832
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*." | PID:3216

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe | PID:4080
    C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe | C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe | PID:3432

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe . | PID:4616
    C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe | C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe . | PID:5344
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*." | PID:5312

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | PID:2376
    C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | PID:3952

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe . | PID:4172
    C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe | C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe . | PID:852
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*." | PID:6092

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe | PID:428
    C:\Windows\gguqoecwpfziqvqhozcc.exe | gguqoecwpfziqvqhozcc.exe | PID:3372

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe . | PID:1868
    C:\Windows\vwlihyxsmdyirxtltfjkz.exe | vwlihyxsmdyirxtltfjkz.exe . | PID:4784
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*." | PID:1680

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe | PID:656
    C:\Windows\igsmiwskbphouxqfkt.exe | igsmiwskbphouxqfkt.exe | PID:5632

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe . | PID:4024
    C:\Windows\vwlihyxsmdyirxtltfjkz.exe | vwlihyxsmdyirxtltfjkz.exe . | PID:5196
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*." | PID:3816

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe | PID:1572
    C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe | PID:1728

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe . | PID:1348
    C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe | C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe . | PID:4600
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*." | PID:1688

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | PID:2344
    C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | PID:3792

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe . | PID:1368
    C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe . | PID:5828
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*." | PID:5376

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe | PID:2500
    C:\Windows\zwhavidukxouzbthl.exe | zwhavidukxouzbthl.exe | PID:3720

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe . | PID:1480
    C:\Windows\igsmiwskbphouxqfkt.exe | igsmiwskbphouxqfkt.exe . | PID:4348
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*." | PID:1436

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe | PID:2232
    C:\Windows\zwhavidukxouzbthl.exe | zwhavidukxouzbthl.exe | PID:5208

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe . | PID:2596
    C:\Windows\gguqoecwpfziqvqhozcc.exe | gguqoecwpfziqvqhozcc.exe . | PID:5480
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*." | PID:1692

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe | PID:5996
    C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe | PID:2348

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe . | PID:4516
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2304
    C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe . | PID:3256
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*." | PID:3552

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe | PID:1564
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5976
    C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe | C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe | PID:1176

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe . | PID:6016
    C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe . | PID:1948
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*." | PID:2308

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe | PID:4760
    C:\Windows\igsmiwskbphouxqfkt.exe | igsmiwskbphouxqfkt.exe | PID:5840

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe . | PID:4252
    C:\Windows\gguqoecwpfziqvqhozcc.exe | gguqoecwpfziqvqhozcc.exe . | PID:2292
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*." | PID:3324

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe | PID:4924
    C:\Windows\vwlihyxsmdyirxtltfjkz.exe | vwlihyxsmdyirxtltfjkz.exe | PID:5072

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe . | PID:3320
    C:\Windows\vwlihyxsmdyirxtltfjkz.exe | vwlihyxsmdyirxtltfjkz.exe . | PID:3568
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*." | PID:1152

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe | PID:5752
    C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe | C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe | PID:644

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe . | PID:3420
    C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe . | PID:4804
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*." | PID:5108

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe | PID:5952
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2208
    C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe | PID:4008

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe . | PID:5820
    C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe | C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe . | PID:5060
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*." | PID:1404

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe | PID:420
    C:\Windows\zwhavidukxouzbthl.exe | zwhavidukxouzbthl.exe | PID:1164

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe | PID:5160
    C:\Windows\vwlihyxsmdyirxtltfjkz.exe | vwlihyxsmdyirxtltfjkz.exe | PID:2244

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe . | PID:4296
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3284
    C:\Windows\vwlihyxsmdyirxtltfjkz.exe | vwlihyxsmdyirxtltfjkz.exe . | PID:4172
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*." | PID:4784

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe . | PID:2504
    C:\Windows\soyqkwqgvhxcghyl.exe | soyqkwqgvhxcghyl.exe . | PID:4372
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*." | PID:5360

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe | PID:2376
    C:\Windows\igsmiwskbphouxqfkt.exe | igsmiwskbphouxqfkt.exe | PID:3020

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe | PID:4944
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1700
    C:\Windows\gguqoecwpfziqvqhozcc.exe | gguqoecwpfziqvqhozcc.exe | PID:940

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe . | PID:2036
    C:\Windows\soyqkwqgvhxcghyl.exe | soyqkwqgvhxcghyl.exe . | PID:4084
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*." | PID:4124

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe | PID:5260
    C:\Windows\zwhavidukxouzbthl.exe | zwhavidukxouzbthl.exe | PID:3788

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe . | PID:5432
    C:\Windows\gguqoecwpfziqvqhozcc.exe | gguqoecwpfziqvqhozcc.exe . | PID:4024
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*." | PID:5408

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe . | PID:1100
    C:\Windows\gguqoecwpfziqvqhozcc.exe | gguqoecwpfziqvqhozcc.exe . | PID:2432
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*." | PID:1184

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | PID:3948
    C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | PID:2500

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe | PID:5196
    C:\Windows\gguqoecwpfziqvqhozcc.exe | gguqoecwpfziqvqhozcc.exe | PID:4520

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | PID:4876
    C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | PID:2800

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe . | PID:4640
    C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe | C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe . | PID:5208
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*." | PID:1176

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe . | PID:4020
    C:\Windows\tsfaxmjcujckrvpflvx.exe | tsfaxmjcujckrvpflvx.exe . | PID:4588
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*." | PID:3508

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe . | PID:4488
    C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe | C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe . | PID:1156
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*." | PID:2784

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | PID:4164
    C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | PID:5808

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe . | PID:2060
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4864
    C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe | C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe . | PID:3108
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\soyqkwqgvhxcghyl.exe*." | PID:124

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe | PID:5524
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4348
    C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe | C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe | PID:936

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe | PID:2876
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5904
    C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe | PID:5564

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe . | PID:2232
    C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe . | PID:5200
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*." | PID:5168

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe . | PID:2664
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:6076
    C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe . | PID:1948
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*." | PID:3796

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe | PID:2916
    C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe | C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe | PID:4820

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe . | PID:3900
    C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe | C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe . | PID:224
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*." | PID:1628

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe | PID:2492
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5460
    C:\Windows\gguqoecwpfziqvqhozcc.exe | gguqoecwpfziqvqhozcc.exe | PID:2924

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe . | PID:2716
    C:\Windows\soyqkwqgvhxcghyl.exe | soyqkwqgvhxcghyl.exe . | PID:4112
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*." | PID:5752

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe | PID:2628
    C:\Windows\tsfaxmjcujckrvpflvx.exe | tsfaxmjcujckrvpflvx.exe | PID:2080

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe . | PID:3568
    C:\Windows\tsfaxmjcujckrvpflvx.exe | tsfaxmjcujckrvpflvx.exe . | PID:3592
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*." | PID:3420

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | PID:2948
    C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | PID:2896

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe . | PID:4924
    C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe . | PID:2408
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*." | PID:3024

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | PID:3052
    C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | PID:5748

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe . | PID:5112
    C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe . | PID:3216
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*." | PID:3132

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe | PID:2012
    C:\Windows\zwhavidukxouzbthl.exe | zwhavidukxouzbthl.exe | PID:1592

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe . | PID:3020
    C:\Windows\tsfaxmjcujckrvpflvx.exe | tsfaxmjcujckrvpflvx.exe . | PID:400
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*." | PID:3512

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe | PID:2824
    C:\Windows\igsmiwskbphouxqfkt.exe | igsmiwskbphouxqfkt.exe | PID:1120

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe . | PID:4372
    C:\Windows\igsmiwskbphouxqfkt.exe | igsmiwskbphouxqfkt.exe . | PID:852
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*." | PID:5392

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe | PID:5272
    C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe | C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe | PID:3984

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe . | PID:428
    C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe | C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe . | PID:2256
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*." | PID:1688

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | PID:5228
    C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | PID:4660

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe . | PID:4368
    C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe . | PID:2000
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*." | PID:1892

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe | PID:5796
    C:\Windows\vwlihyxsmdyirxtltfjkz.exe | vwlihyxsmdyirxtltfjkz.exe | PID:5844

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe . | PID:1188
    C:\Windows\igsmiwskbphouxqfkt.exe | igsmiwskbphouxqfkt.exe . | PID:2852
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*." | PID:6020

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe | PID:3864
    C:\Windows\soyqkwqgvhxcghyl.exe | soyqkwqgvhxcghyl.exe | PID:3672

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe . | PID:3184
    C:\Windows\vwlihyxsmdyirxtltfjkz.exe | vwlihyxsmdyirxtltfjkz.exe . | PID:3332
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*." | PID:4588

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe | PID:6108
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3364
    C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe | PID:2220

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe . | PID:936
    C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe | C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe . | PID:3480
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*." | PID:1800

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe | PID:3888
    C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe | PID:124

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe . | PID:4388
    C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe . | PID:6024
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."3⤵PID:2340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe1⤵PID:4028
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe2⤵PID:5084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .1⤵PID:452
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe .2⤵PID:4872
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."3⤵PID:4292
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe1⤵PID:416
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe2⤵PID:5664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe1⤵PID:5636
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe2⤵PID:3384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .1⤵PID:6120
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe .2⤵PID:3308
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."3⤵PID:5080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .1⤵PID:3812
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe .2⤵PID:796
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."3⤵PID:4932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe1⤵PID:5996
-
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe2⤵PID:4848
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .1⤵PID:1048
-
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exeC:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .2⤵PID:1848
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."3⤵PID:5312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe1⤵PID:628
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe2⤵PID:3232
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe .1⤵PID:5072
-
C:\Windows\soyqkwqgvhxcghyl.exesoyqkwqgvhxcghyl.exe .2⤵PID:3568
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\soyqkwqgvhxcghyl.exe*."3⤵PID:420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe1⤵PID:5412
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe2⤵PID:3432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe1⤵PID:5500
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5076
-
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe2⤵PID:5668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe1⤵PID:2984
-
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exeC:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe2⤵PID:5712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .1⤵PID:4752
-
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exeC:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .2⤵PID:5344
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."3⤵PID:2076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .1⤵PID:1028
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe .2⤵PID:4380
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."3⤵PID:5756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .1⤵PID:1920
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .2⤵PID:5728
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."3⤵PID:248
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe1⤵PID:5372
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5156
-
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe2⤵PID:4784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe1⤵PID:4148
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe2⤵PID:2824
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .1⤵PID:3872
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe .2⤵PID:3428
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."3⤵PID:3464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .1⤵PID:1424
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .2⤵PID:428
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."3⤵PID:2328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe1⤵PID:3576
-
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exeC:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe2⤵PID:1640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .1⤵PID:3984
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe .2⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\vwlihyxsmdyirxtltfjkz.exe*."3⤵PID:2440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe1⤵PID:3532
-
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe2⤵PID:4368
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .1⤵PID:4888
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5036
-
-
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .2⤵PID:2252
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."3⤵PID:4520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe1⤵PID:5624
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6072
-
-
C:\Windows\zwhavidukxouzbthl.exezwhavidukxouzbthl.exe2⤵PID:2392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .1⤵PID:3672
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe .2⤵PID:4408
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."3⤵PID:2816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe1⤵PID:3616
-
C:\Windows\soyqkwqgvhxcghyl.exesoyqkwqgvhxcghyl.exe2⤵PID:5832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .1⤵PID:5768
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe .2⤵PID:3336
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tsfaxmjcujckrvpflvx.exe*."3⤵PID:3108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe1⤵PID:4780
-
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exeC:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe2⤵PID:5232
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .1⤵PID:2416
-
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exeC:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .2⤵PID:3884
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."3⤵PID:6092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe1⤵PID:4488
-
C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exeC:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe2⤵PID:4280
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .1⤵PID:4388
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3440
-
-
C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exeC:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .2⤵PID:4896
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\zwhavidukxouzbthl.exe*."3⤵PID:5396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe1⤵PID:5456
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe2⤵PID:5168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .1⤵PID:5040
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1816
-
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe .2⤵PID:1368
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."3⤵PID:1200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe1⤵PID:1948
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe2⤵PID:2372
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .1⤵PID:4760
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe .2⤵PID:5484
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."3⤵PID:4252
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe1⤵PID:5152
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe2⤵PID:4880
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .1⤵PID:5940
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1588
-
-
C:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exeC:\Users\Admin\AppData\Local\Temp\gguqoecwpfziqvqhozcc.exe .2⤵PID:5612
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\gguqoecwpfziqvqhozcc.exe*."3⤵PID:2100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe1⤵PID:3148
-
C:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exeC:\Users\Admin\AppData\Local\Temp\vwlihyxsmdyirxtltfjkz.exe2⤵PID:5376
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .1⤵PID:888
-
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .2⤵PID:5712
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."3⤵PID:4576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe1⤵PID:4112
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe2⤵PID:5764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gguqoecwpfziqvqhozcc.exe .1⤵PID:3084
-
C:\Windows\gguqoecwpfziqvqhozcc.exegguqoecwpfziqvqhozcc.exe .2⤵PID:2064
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\gguqoecwpfziqvqhozcc.exe*."3⤵PID:4092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe1⤵PID:2364
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe2⤵PID:3028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .1⤵PID:4144
-
C:\Windows\vwlihyxsmdyirxtltfjkz.exevwlihyxsmdyirxtltfjkz.exe .2⤵PID:5676
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\vwlihyxsmdyirxtltfjkz.exe*."3⤵PID:6036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe1⤵PID:4296
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe2⤵PID:2012
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .1⤵PID:2824
-
C:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exeC:\Users\Admin\AppData\Local\Temp\tsfaxmjcujckrvpflvx.exe .2⤵PID:3592
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tsfaxmjcujckrvpflvx.exe*."3⤵PID:4008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe1⤵PID:5000
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe2⤵PID:5728
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .1⤵PID:1940
-
C:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\igsmiwskbphouxqfkt.exe .2⤵PID:2376
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\igsmiwskbphouxqfkt.exe*."3⤵PID:3772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe1⤵PID:2164
-
C:\Windows\zwhavidukxouzbthl.exezwhavidukxouzbthl.exe2⤵PID:4944
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igsmiwskbphouxqfkt.exe .1⤵PID:5328
-
C:\Windows\igsmiwskbphouxqfkt.exeigsmiwskbphouxqfkt.exe .2⤵PID:3428
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\igsmiwskbphouxqfkt.exe*."3⤵PID:2732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c soyqkwqgvhxcghyl.exe1⤵PID:2328
-
C:\Windows\soyqkwqgvhxcghyl.exesoyqkwqgvhxcghyl.exe2⤵PID:3696
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zwhavidukxouzbthl.exe1⤵PID:3468
-
C:\Windows\zwhavidukxouzbthl.exezwhavidukxouzbthl.exe2⤵PID:1624
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vwlihyxsmdyirxtltfjkz.exe .1⤵PID:1184
-
C:\Windows\vwlihyxsmdyirxtltfjkz.exevwlihyxsmdyirxtltfjkz.exe .2⤵PID:2532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tsfaxmjcujckrvpflvx.exe .1⤵PID:3984
-
C:\Windows\tsfaxmjcujckrvpflvx.exetsfaxmjcujckrvpflvx.exe .2⤵PID:5440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\soyqkwqgvhxcghyl.exe1⤵PID:4868
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zwhavidukxouzbthl.exe .1⤵PID:5020
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads