Analysis

max time kernel: 54s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 18/04/2025, 02:23
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
  Resource: win10v2004-20250313-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
  Resource: win11-20250410-en
General

Target: JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
Size: 488KB
MD5: bc2c2e6019e42289641123c2db3584dc
SHA1: e7b2c809bf63f0a3a362b2b5e4930a5a1b5c7d9b
SHA256: 9223f4748f528658ba3ac30515cf3ac1817677baaf345441d021e98ebd8891af
SHA512: f31491a41da42f042c41060fa394c5fe36afcb9edb1507d1119936c9f26c79b5a90945393d532b817f1b8007989800e1b823766673f3704154b32cb4ae99af6b
SSDEEP: 6144:tto07dgp0+5+ylPtRIQdS6VjKQ8tQYtagbr4rPYyUQTB2I/51pftDKHpDbU69SWX:jo07g+aP5KR5EJUQTB2OfDKC7WccSop
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 28 IoCs)

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"
  by apcxvhdqkzm.exe (26 times) and lstekk.exe (2 times)

The data written is the default shell, so as logged this is not a shell hijack; the signature fires because Winlogon\Shell is written at all, which legitimate software almost never does after setup. On a live host, check this value for anything other than explorer.exe and treat any process writing it as suspect.
Pykspa family
UAC bypass (3 TTPs, 37 IoCs)

All writes are to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
Set value (int) EnableLUA = "0"                   apcxvhdqkzm.exe (26), lstekk.exe (2)
Set value (int) ConsentPromptBehaviorAdmin = "0"  apcxvhdqkzm.exe (1), lstekk.exe (2)
Set value (int) ConsentPromptBehaviorUser = "0"   apcxvhdqkzm.exe (1), lstekk.exe (2)
Set value (int) PromptOnSecureDesktop = "0"       apcxvhdqkzm.exe (1), lstekk.exe (2)

EnableLUA = 0 switches UAC off entirely but only takes effect after a reboot; ConsentPromptBehaviorAdmin = 0 and PromptOnSecureDesktop = 0 remove the elevation prompt for administrators without a reboot. Any of these values at 0 on a managed host is a finding on its own.
Detect Pykspa worm (2 IoCs)

resource                                     yara_rule
behavioral2/files/0x000600000002a8d5-4.dat   family_pykspa
behavioral2/files/0x001c00000002b16d-84.dat  family_pykspa
Adds policy Run key to start application (2 TTPs, 64 IoCs)

Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Key created                                       apcxvhdqkzm.exe (21), lstekk.exe (2)
Set value (str) nwzmuwim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\<dropped exe>":
  ngtqiuqebqtpjlqjmg.exe     apcxvhdqkzm.exe (1), lstekk.exe (1)
  ysgexkhwukolgjpjnic.exe    apcxvhdqkzm.exe (4), lstekk.exe (1)
  xozukuoavijdvvyp.exe       apcxvhdqkzm.exe (4), lstekk.exe (1)
  ewievgbokyavoptln.exe      apcxvhdqkzm.exe (4)
  awmmhwvmmekjgltpvsoka.exe  apcxvhdqkzm.exe (2)
  lgvuocaqpgljfjqlqmhc.exe   apcxvhdqkzm.exe (2), lstekk.exe (1)
Set value (str) sekalqfmckg = "<dropped exe>" (bare file name, no path):
  xozukuoavijdvvyp.exe       apcxvhdqkzm.exe (2), lstekk.exe (1)
  ngtqiuqebqtpjlqjmg.exe     apcxvhdqkzm.exe (7), lstekk.exe (2)
  ysgexkhwukolgjpjnic.exe    apcxvhdqkzm.exe (2)
  awmmhwvmmekjgltpvsoka.exe  apcxvhdqkzm.exe (4), lstekk.exe (1)
  lgvuocaqpgljfjqlqmhc.exe   apcxvhdqkzm.exe (1)
Disables RegEdit via registry modification (6 IoCs)

Set value (int) <key>\DisableRegistryTools = "1"
  \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System   apcxvhdqkzm.exe (1), lstekk.exe (2)
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                               apcxvhdqkzm.exe (1), lstekk.exe (2)
Executes dropped EXE (64 IoCs)

process                    pids
apcxvhdqkzm.exe            2132, 2480, 540, 4268, 5396, 1348, 3100, 5548, 2176, 5660, 4504, 4632, 4688, 2196, 1960, 4980, 3604, 3884, 4032, 3156
ysgexkhwukolgjpjnic.exe    4952, 3200, 1488, 5024, 4100
ewievgbokyavoptln.exe      5064, 4804, 1240, 1992, 844, 6016, 4500, 5184
ngtqiuqebqtpjlqjmg.exe     5524, 1076, 5420, 2068, 928, 5972, 5192, 5048
lgvuocaqpgljfjqlqmhc.exe   1564, 4484, 4644, 5884, 2508, 5620, 5304, 2960
lstekk.exe                 5100, 3612
awmmhwvmmekjgltpvsoka.exe  2024, 956, 5604, 1632, 1160, 3452, 5584
xozukuoavijdvvyp.exe       5064, 3924, 6012, 3852, 2720, 1620

Eight distinct dropped executables, re-launched repeatedly. PID 5064 appears for both ewievgbokyavoptln.exe and xozukuoavijdvvyp.exe, so the PID was reused within the run; correlate on image name and start time rather than PID alone. Three signatures on this page stop at exactly 64 entries, the sandbox's per-signature display limit, so those counts are lower bounds.
Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)

Key deleted under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\, all by lstekk.exe:
  iai2c.sys
  CBDHSvc
  UserManager
  SerCx2.sys
  ProfSvc
  Power

SafeBoot\Minimal lists the drivers and services Windows may start in Safe Mode. Removing UserManager, ProfSvc (User Profile Service) and Power is likely to leave Safe Mode unable to complete logon, which closes the usual offline remediation path; a host with these keys missing should be cleaned from boot media rather than from Safe Mode.
Adds Run key to start application (2 TTPs, 64 IoCs)

HKLM, \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  eosgpsfky = "<exe>" (bare file name)
    xozukuoavijdvvyp.exe       apcxvhdqkzm.exe (2), lstekk.exe (2)
    ngtqiuqebqtpjlqjmg.exe     apcxvhdqkzm.exe (1)
    ewievgbokyavoptln.exe      apcxvhdqkzm.exe (2)
    lgvuocaqpgljfjqlqmhc.exe   apcxvhdqkzm.exe (1)
    awmmhwvmmekjgltpvsoka.exe  apcxvhdqkzm.exe (1)
  sismbkdoiuunedf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\<exe>"
    awmmhwvmmekjgltpvsoka.exe  apcxvhdqkzm.exe (1), lstekk.exe (1)
    ngtqiuqebqtpjlqjmg.exe     apcxvhdqkzm.exe (2), lstekk.exe (1)
    ewievgbokyavoptln.exe      apcxvhdqkzm.exe (1)
    lgvuocaqpgljfjqlqmhc.exe   apcxvhdqkzm.exe (1)

HKLM, \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  xincmqekzg = "<exe> ." (bare file name with a trailing " ." argument)
    lgvuocaqpgljfjqlqmhc.exe   apcxvhdqkzm.exe (1)
    xozukuoavijdvvyp.exe       apcxvhdqkzm.exe (3)
    awmmhwvmmekjgltpvsoka.exe  apcxvhdqkzm.exe (1), lstekk.exe (1)
    ysgexkhwukolgjpjnic.exe    apcxvhdqkzm.exe (1), lstekk.exe (1)
    ngtqiuqebqtpjlqjmg.exe     apcxvhdqkzm.exe (1)
  pengucuexihzpn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\<exe> ."
    ysgexkhwukolgjpjnic.exe    apcxvhdqkzm.exe (2), lstekk.exe (1)
    awmmhwvmmekjgltpvsoka.exe  apcxvhdqkzm.exe (3)
    ewievgbokyavoptln.exe      apcxvhdqkzm.exe (2)
    xozukuoavijdvvyp.exe       apcxvhdqkzm.exe (1)
    ngtqiuqebqtpjlqjmg.exe     apcxvhdqkzm.exe (1)

HKU, \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Run
  pcjamsiqhqnd = "<exe>"
    xozukuoavijdvvyp.exe       apcxvhdqkzm.exe (3)
    awmmhwvmmekjgltpvsoka.exe  apcxvhdqkzm.exe (1), lstekk.exe (1)
    lgvuocaqpgljfjqlqmhc.exe   apcxvhdqkzm.exe (1)
    ysgexkhwukolgjpjnic.exe    apcxvhdqkzm.exe (1), lstekk.exe (1)
    ngtqiuqebqtpjlqjmg.exe     apcxvhdqkzm.exe (2)
  eosgpsfky = "C:\\Users\\Admin\\AppData\\Local\\Temp\\<exe>"
    ngtqiuqebqtpjlqjmg.exe     apcxvhdqkzm.exe (1)
    xozukuoavijdvvyp.exe       apcxvhdqkzm.exe (1), lstekk.exe (1)
    ysgexkhwukolgjpjnic.exe    apcxvhdqkzm.exe (1)
    ewievgbokyavoptln.exe      apcxvhdqkzm.exe (2)
    awmmhwvmmekjgltpvsoka.exe  apcxvhdqkzm.exe (1)

HKU, \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
  ockcpwnwoywnc = "<exe> ."
    ewievgbokyavoptln.exe      apcxvhdqkzm.exe (3)
    ysgexkhwukolgjpjnic.exe    apcxvhdqkzm.exe (2), lstekk.exe (1)
    ngtqiuqebqtpjlqjmg.exe     lstekk.exe (1)
    xozukuoavijdvvyp.exe       apcxvhdqkzm.exe (1)
  xincmqekzg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\<exe> ."
    xozukuoavijdvvyp.exe       apcxvhdqkzm.exe (1), lstekk.exe (1)
    awmmhwvmmekjgltpvsoka.exe  apcxvhdqkzm.exe (1)
    ysgexkhwukolgjpjnic.exe    apcxvhdqkzm.exe (1)
Checks whether UAC is enabled 1 TTPs 56 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lstekk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lstekk.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lstekk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lstekk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" lstekk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" lstekk.exe
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
15 whatismyip.everdot.org
1 whatismyipaddress.com
3 www.whatismyip.ca
6 www.showmyipaddress.com
8 www.whatismyip.ca
11 whatismyip.everdot.org
11 www.whatismyip.ca
Drops file in System32 directory 64 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\ewievgbokyavoptln.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\awmmhwvmmekjgltpvsoka.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\ngtqiuqebqtpjlqjmg.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\rofgcssklelljpyvcaxulm.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\xozukuoavijdvvyp.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\ewievgbokyavoptln.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\ewievgbokyavoptln.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\xozukuoavijdvvyp.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\ysgexkhwukolgjpjnic.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\awmmhwvmmekjgltpvsoka.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\lgvuocaqpgljfjqlqmhc.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\ngtqiuqebqtpjlqjmg.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\lgvuocaqpgljfjqlqmhc.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\ewievgbokyavoptln.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\ewievgbokyavoptln.exe lstekk.exe
File created C:\Windows\SysWOW64\lgvuocaqpgljfjqlqmhc.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\ngtqiuqebqtpjlqjmg.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\lgvuocaqpgljfjqlqmhc.exe lstekk.exe
File created C:\Windows\SysWOW64\ysgexkhwukolgjpjnic.exe lstekk.exe
File opened for modification C:\Windows\SysWOW64\rofgcssklelljpyvcaxulm.exe lstekk.exe
File opened for modification C:\Windows\SysWOW64\rofgcssklelljpyvcaxulm.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\xozukuoavijdvvyp.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\xozukuoavijdvvyp.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\xozukuoavijdvvyp.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\xozukuoavijdvvyp.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\awmmhwvmmekjgltpvsoka.exe lstekk.exe
File opened for modification C:\Windows\SysWOW64\ngtqiuqebqtpjlqjmg.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\ewievgbokyavoptln.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\lgvuocaqpgljfjqlqmhc.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\ewievgbokyavoptln.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\ysgexkhwukolgjpjnic.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\lgvuocaqpgljfjqlqmhc.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\lgvuocaqpgljfjqlqmhc.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\lgvuocaqpgljfjqlqmhc.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\awmmhwvmmekjgltpvsoka.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\awmmhwvmmekjgltpvsoka.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\ewievgbokyavoptln.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\ysgexkhwukolgjpjnic.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\xozukuoavijdvvyp.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\ysgexkhwukolgjpjnic.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\rofgcssklelljpyvcaxulm.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\ngtqiuqebqtpjlqjmg.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\rofgcssklelljpyvcaxulm.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\ngtqiuqebqtpjlqjmg.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\ysgexkhwukolgjpjnic.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\rofgcssklelljpyvcaxulm.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\xozukuoavijdvvyp.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\ysgexkhwukolgjpjnic.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\ewievgbokyavoptln.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\lgvuocaqpgljfjqlqmhc.exe lstekk.exe
File created C:\Windows\SysWOW64\ysgexkhwukolgjpjnic.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\ysgexkhwukolgjpjnic.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\rofgcssklelljpyvcaxulm.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\ewievgbokyavoptln.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\awmmhwvmmekjgltpvsoka.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\ysgexkhwukolgjpjnic.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\awmmhwvmmekjgltpvsoka.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\pengucuexihzpnodcshwfymumwpazrhfgvuk.oxq lstekk.exe
File opened for modification C:\Windows\SysWOW64\xozukuoavijdvvyp.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\lgvuocaqpgljfjqlqmhc.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\awmmhwvmmekjgltpvsoka.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\SysWOW64\ewievgbokyavoptln.exe lstekk.exe
File opened for modification C:\Windows\SysWOW64\ysgexkhwukolgjpjnic.exe apcxvhdqkzm.exe
File created C:\Windows\SysWOW64\awmmhwvmmekjgltpvsoka.exe apcxvhdqkzm.exe
Drops file in Program Files directory 4 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\komuxubaiiwdivlpdimqowzwd.kky lstekk.exe
File created C:\Program Files (x86)\komuxubaiiwdivlpdimqowzwd.kky lstekk.exe
File opened for modification C:\Program Files (x86)\pengucuexihzpnodcshwfymumwpazrhfgvuk.oxq lstekk.exe
File created C:\Program Files (x86)\pengucuexihzpnodcshwfymumwpazrhfgvuk.oxq lstekk.exe
Drops file in Windows directory 64 IoCs
description ioc Process
File opened for modification C:\Windows\rofgcssklelljpyvcaxulm.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\lgvuocaqpgljfjqlqmhc.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\lgvuocaqpgljfjqlqmhc.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\xozukuoavijdvvyp.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\awmmhwvmmekjgltpvsoka.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\xozukuoavijdvvyp.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ngtqiuqebqtpjlqjmg.exe apcxvhdqkzm.exe
File created C:\Windows\ngtqiuqebqtpjlqjmg.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ysgexkhwukolgjpjnic.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\awmmhwvmmekjgltpvsoka.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\rofgcssklelljpyvcaxulm.exe apcxvhdqkzm.exe
File created C:\Windows\komuxubaiiwdivlpdimqowzwd.kky lstekk.exe
File opened for modification C:\Windows\rofgcssklelljpyvcaxulm.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ngtqiuqebqtpjlqjmg.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\xozukuoavijdvvyp.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\xozukuoavijdvvyp.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\xozukuoavijdvvyp.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\xozukuoavijdvvyp.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\xozukuoavijdvvyp.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\rofgcssklelljpyvcaxulm.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\rofgcssklelljpyvcaxulm.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ewievgbokyavoptln.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\rofgcssklelljpyvcaxulm.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ewievgbokyavoptln.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ewievgbokyavoptln.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ysgexkhwukolgjpjnic.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ewievgbokyavoptln.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ewievgbokyavoptln.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ewievgbokyavoptln.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ewievgbokyavoptln.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\awmmhwvmmekjgltpvsoka.exe apcxvhdqkzm.exe
File created C:\Windows\ysgexkhwukolgjpjnic.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ysgexkhwukolgjpjnic.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\xozukuoavijdvvyp.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ysgexkhwukolgjpjnic.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ysgexkhwukolgjpjnic.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\awmmhwvmmekjgltpvsoka.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ysgexkhwukolgjpjnic.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ewievgbokyavoptln.exe lstekk.exe
File opened for modification C:\Windows\lgvuocaqpgljfjqlqmhc.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\awmmhwvmmekjgltpvsoka.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\lgvuocaqpgljfjqlqmhc.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\lgvuocaqpgljfjqlqmhc.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\awmmhwvmmekjgltpvsoka.exe apcxvhdqkzm.exe
File created C:\Windows\awmmhwvmmekjgltpvsoka.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ewievgbokyavoptln.exe apcxvhdqkzm.exe
File created C:\Windows\ewievgbokyavoptln.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ysgexkhwukolgjpjnic.exe lstekk.exe
File opened for modification C:\Windows\xozukuoavijdvvyp.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ngtqiuqebqtpjlqjmg.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ngtqiuqebqtpjlqjmg.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\lgvuocaqpgljfjqlqmhc.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\awmmhwvmmekjgltpvsoka.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\rofgcssklelljpyvcaxulm.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ewievgbokyavoptln.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\lgvuocaqpgljfjqlqmhc.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ysgexkhwukolgjpjnic.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\rofgcssklelljpyvcaxulm.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\lgvuocaqpgljfjqlqmhc.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\awmmhwvmmekjgltpvsoka.exe apcxvhdqkzm.exe
File created C:\Windows\awmmhwvmmekjgltpvsoka.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ewievgbokyavoptln.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ewievgbokyavoptln.exe apcxvhdqkzm.exe
File opened for modification C:\Windows\ngtqiuqebqtpjlqjmg.exe apcxvhdqkzm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ewievgbokyavoptln.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ngtqiuqebqtpjlqjmg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xozukuoavijdvvyp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xozukuoavijdvvyp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language awmmhwvmmekjgltpvsoka.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language awmmhwvmmekjgltpvsoka.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xozukuoavijdvvyp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xozukuoavijdvvyp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ewievgbokyavoptln.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ewievgbokyavoptln.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysgexkhwukolgjpjnic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysgexkhwukolgjpjnic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language awmmhwvmmekjgltpvsoka.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysgexkhwukolgjpjnic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ewievgbokyavoptln.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ewievgbokyavoptln.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language awmmhwvmmekjgltpvsoka.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language awmmhwvmmekjgltpvsoka.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ewievgbokyavoptln.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ngtqiuqebqtpjlqjmg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ngtqiuqebqtpjlqjmg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ewievgbokyavoptln.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysgexkhwukolgjpjnic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ngtqiuqebqtpjlqjmg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysgexkhwukolgjpjnic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysgexkhwukolgjpjnic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysgexkhwukolgjpjnic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysgexkhwukolgjpjnic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xozukuoavijdvvyp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lgvuocaqpgljfjqlqmhc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ewievgbokyavoptln.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysgexkhwukolgjpjnic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language awmmhwvmmekjgltpvsoka.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xozukuoavijdvvyp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lgvuocaqpgljfjqlqmhc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language awmmhwvmmekjgltpvsoka.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysgexkhwukolgjpjnic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language awmmhwvmmekjgltpvsoka.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysgexkhwukolgjpjnic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lstekk.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xozukuoavijdvvyp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language awmmhwvmmekjgltpvsoka.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysgexkhwukolgjpjnic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lgvuocaqpgljfjqlqmhc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysgexkhwukolgjpjnic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ewievgbokyavoptln.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xozukuoavijdvvyp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xozukuoavijdvvyp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xozukuoavijdvvyp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysgexkhwukolgjpjnic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language awmmhwvmmekjgltpvsoka.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xozukuoavijdvvyp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language awmmhwvmmekjgltpvsoka.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language awmmhwvmmekjgltpvsoka.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xozukuoavijdvvyp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ysgexkhwukolgjpjnic.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language awmmhwvmmekjgltpvsoka.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lgvuocaqpgljfjqlqmhc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language awmmhwvmmekjgltpvsoka.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language awmmhwvmmekjgltpvsoka.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ewievgbokyavoptln.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xozukuoavijdvvyp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xozukuoavijdvvyp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lgvuocaqpgljfjqlqmhc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
5100 lstekk.exe
5100 lstekk.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
5100 lstekk.exe
5100 lstekk.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 5100 lstekk.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2980 wrote to memory of 2132 2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe 79
PID 2980 wrote to memory of 2132 2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe 79
PID 2980 wrote to memory of 2132 2980 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe 79
PID 1528 wrote to memory of 4952 1528 cmd.exe 82
PID 1528 wrote to memory of 4952 1528 cmd.exe 82
PID 1528 wrote to memory of 4952 1528 cmd.exe 82
PID 3268 wrote to memory of 5064 3268 cmd.exe 85
PID 3268 wrote to memory of 5064 3268 cmd.exe 85
PID 3268 wrote to memory of 5064 3268 cmd.exe 85
PID 5064 wrote to memory of 2480 5064 ewievgbokyavoptln.exe 86
PID 5064 wrote to memory of 2480 5064 ewievgbokyavoptln.exe 86
PID 5064 wrote to memory of 2480 5064 ewievgbokyavoptln.exe 86
PID 4904 wrote to memory of 5524 4904 cmd.exe 89
PID 4904 wrote to memory of 5524 4904 cmd.exe 89
PID 4904 wrote to memory of 5524 4904 cmd.exe 89
PID 4556 wrote to memory of 3200 4556 cmd.exe 93
PID 4556 wrote to memory of 3200 4556 cmd.exe 93
PID 4556 wrote to memory of 3200 4556 cmd.exe 93
PID 4040 wrote to memory of 1076 4040 cmd.exe 95
PID 4040 wrote to memory of 1076 4040 cmd.exe 95
PID 4040 wrote to memory of 1076 4040 cmd.exe 95
PID 3200 wrote to memory of 540 3200 ysgexkhwukolgjpjnic.exe 96
PID 3200 wrote to memory of 540 3200 ysgexkhwukolgjpjnic.exe 96
PID 3200 wrote to memory of 540 3200 ysgexkhwukolgjpjnic.exe 96
PID 4816 wrote to memory of 4804 4816 cmd.exe 99
PID 4816 wrote to memory of 4804 4816 cmd.exe 99
PID 4816 wrote to memory of 4804 4816 cmd.exe 99
PID 4804 wrote to memory of 4268 4804 ewievgbokyavoptln.exe 100
PID 4804 wrote to memory of 4268 4804 ewievgbokyavoptln.exe 100
PID 4804 wrote to memory of 4268 4804 ewievgbokyavoptln.exe 100
PID 6076 wrote to memory of 5420 6076 cmd.exe 103
PID 6076 wrote to memory of 5420 6076 cmd.exe 103
PID 6076 wrote to memory of 5420 6076 cmd.exe 103
PID 5152 wrote to memory of 1564 5152 cmd.exe 106
PID 5152 wrote to memory of 1564 5152 cmd.exe 106
PID 5152 wrote to memory of 1564 5152 cmd.exe 106
PID 1564 wrote to memory of 5396 1564 lgvuocaqpgljfjqlqmhc.exe 107
PID 1564 wrote to memory of 5396 1564 lgvuocaqpgljfjqlqmhc.exe 107
PID 1564 wrote to memory of 5396 1564 lgvuocaqpgljfjqlqmhc.exe 107
PID 2132 wrote to memory of 5100 2132 apcxvhdqkzm.exe 108
PID 2132 wrote to memory of 5100 2132 apcxvhdqkzm.exe 108
PID 2132 wrote to memory of 5100 2132 apcxvhdqkzm.exe 108
PID 2132 wrote to memory of 3612 2132 apcxvhdqkzm.exe 109
PID 2132 wrote to memory of 3612 2132 apcxvhdqkzm.exe 109
PID 2132 wrote to memory of 3612 2132 apcxvhdqkzm.exe 109
PID 3040 wrote to memory of 1240 3040 cmd.exe 112
PID 3040 wrote to memory of 1240 3040 cmd.exe 112
PID 3040 wrote to memory of 1240 3040 cmd.exe 112
PID 5940 wrote to memory of 4484 5940 cmd.exe 117
PID 5940 wrote to memory of 4484 5940 cmd.exe 117
PID 5940 wrote to memory of 4484 5940 cmd.exe 117
PID 1112 wrote to memory of 4644 1112 cmd.exe 118
PID 1112 wrote to memory of 4644 1112 cmd.exe 118
PID 1112 wrote to memory of 4644 1112 cmd.exe 118
PID 4644 wrote to memory of 1348 4644 lgvuocaqpgljfjqlqmhc.exe 217
PID 4644 wrote to memory of 1348 4644 lgvuocaqpgljfjqlqmhc.exe 217
PID 4644 wrote to memory of 1348 4644 lgvuocaqpgljfjqlqmhc.exe 217
PID 1620 wrote to memory of 2068 1620 cmd.exe 124
PID 1620 wrote to memory of 2068 1620 cmd.exe 124
PID 1620 wrote to memory of 2068 1620 cmd.exe 124
PID 3728 wrote to memory of 2024 3728 cmd.exe 218
PID 3728 wrote to memory of 2024 3728 cmd.exe 218
PID 3728 wrote to memory of 2024 3728 cmd.exe 218
PID 2068 wrote to memory of 3100 2068 ngtqiuqebqtpjlqjmg.exe 128
System policy modification 1 TTPs 64 IoCs
description ioc Process
All 64 events are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies; the key names below are relative to that path, and the count is the number of times the event appears in the log.
apcxvhdqkzm.exe (46 events)
  Key created      System                                    x20
  Key created      Explorer                                  x1
  Set value (int)  System\EnableLUA = "0"                    x19
  Set value (int)  System\ConsentPromptBehaviorUser = "0"    x1
  Set value (int)  System\PromptOnSecureDesktop = "0"        x1
  Set value (int)  System\EnableSecureUIAPaths = "0"         x1
  Set value (int)  System\ValidateAdminCodeSignatures = "0"  x1
  Set value (int)  System\DisableRegistryTools = "1"         x1
  Set value (int)  Explorer\NoDriveTypeAutoRun = "1"         x1
lstekk.exe (18 events)
  Key created      System                                    x1
  Key created      Explorer                                  x2
  Set value (int)  System\EnableLUA = "0"                    x2
  Set value (int)  System\ConsentPromptBehaviorAdmin = "0"   x1
  Set value (int)  System\ConsentPromptBehaviorUser = "0"    x2
  Set value (int)  System\PromptOnSecureDesktop = "0"        x2
  Set value (int)  System\EnableSecureUIAPaths = "0"         x2
  Set value (int)  System\ValidateAdminCodeSignatures = "0"  x2
  Set value (int)  System\FilterAdministratorToken = "0"     x1
  Set value (int)  System\DisableRegistryTools = "1"         x1
  Set value (int)  Explorer\NoDriveTypeAutoRun = "1"         x2
What the writes do: EnableLUA = 0 switches UAC off for every account at the next reboot; ConsentPromptBehaviorAdmin = 0 removes the elevation prompt for administrators, PromptOnSecureDesktop = 0 moves any remaining prompt off the secure desktop, and ConsentPromptBehaviorUser = 0 makes standard-user elevation requests fail silently instead of prompting; EnableSecureUIAPaths = 0 lets UIAccess programs run from any path; DisableRegistryTools = 1 blocks regedit for the user. ValidateAdminCodeSignatures = 0 and FilterAdministratorToken = 0 are the Windows defaults, so those two writes change nothing on a stock system. NoDriveTypeAutoRun is a bitmask of drive types with AutoRun disabled; 1 covers only drives of unknown type, below the Windows default of 0x91, so AutoRun is re-enabled for the network (0x10) and reserved (0x80) drive types.
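Reading registry writes like the ones above by hand is error-prone because several of the values are already at their default (writing 0 to ValidateAdminCodeSignatures changes nothing) while others only matter in one direction (NoDriveTypeAutoRun is a bitmask, not a boolean). The script below is an added example for this page, not code from the sandbox or from the sample: it parses records in the report's own "Set value (int) <path> = "<value>" <process>" format, collapses repeats, and judges each write against an assumed baseline. DEFAULTS holds the Windows 10/11 out-of-box values and is the assumption to check for your own builds; SAMPLE is a subset of the records copied from the IoC list above.

```python
"""Judge 'System policy modification' registry writes against Windows defaults.

Added example for this page; not code from the sandbox or the sample.
DEFAULTS (assumed Windows 10/11 out-of-box values) is the baseline; SAMPLE is
copied from the report's IoC list.
"""
import re
from collections import defaultdict

POLICIES = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"

# Out-of-box values on a Windows 10/11 client (assumed baseline).
DEFAULTS = {
    r"System\EnableLUA": 1,                    # 0 turns UAC off (after reboot)
    r"System\ConsentPromptBehaviorAdmin": 5,   # 0 = elevate silently, no prompt
    r"System\ConsentPromptBehaviorUser": 3,    # 0 = auto-deny standard users
    r"System\PromptOnSecureDesktop": 1,        # 0 = prompt on the spoofable user desktop
    r"System\EnableSecureUIAPaths": 1,         # 0 = UIAccess apps may run from any path
    r"System\ValidateAdminCodeSignatures": 0,  # 0 is already the default
    r"System\FilterAdministratorToken": 0,     # 0 is already the default
    r"System\DisableRegistryTools": 0,         # 1 blocks regedit for the user
    r"Explorer\NoDriveTypeAutoRun": 0x91,      # bitmask of drive types with AutoRun OFF
}
# Values where writing 0 removes a UAC protection.
WEAKENED_AT_ZERO = {
    r"System\EnableLUA", r"System\ConsentPromptBehaviorAdmin",
    r"System\PromptOnSecureDesktop", r"System\EnableSecureUIAPaths",
}
DRIVE_BITS = {0x01: "unknown", 0x02: "no-root-dir", 0x04: "removable", 0x08: "fixed",
              0x10: "network", 0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved"}

SET_RE = re.compile(r'^Set value \((?:int|str)\) (\\REGISTRY\\\S+?) = "([^"]*)" (\S+)$')


def autorun_reenabled(value, default=DEFAULTS[r"Explorer\NoDriveTypeAutoRun"]):
    """Drive types whose AutoRun the new mask turns back ON relative to the default."""
    cleared = default & ~value
    return [name for bit, name in DRIVE_BITS.items() if cleared & bit]


def verdict(name, value):
    """'default', 'weakens', 'impairs tooling', 'changed' or 'unknown' for one write."""
    default = DEFAULTS.get(name)
    if default is None:
        return "unknown"
    if value == default:
        return "default"
    if name == r"Explorer\NoDriveTypeAutoRun":
        # Any default bit cleared re-enables AutoRun for that drive type.
        return "weakens" if (value & default) != default else "changed"
    if name == r"System\DisableRegistryTools":
        return "impairs tooling" if value == 1 else "changed"
    return "weakens" if (name in WEAKENED_AT_ZERO and value == 0) else "changed"


def evaluate(records):
    """Return {process: {policy value: {"value", "count", "verdict"}}}.

    'Key created' lines and paths outside the Policies key are skipped; if a
    process writes the same value twice with different data, the first is kept.
    """
    out = defaultdict(dict)
    for line in records.splitlines():
        m = SET_RE.match(line.strip())
        if not m or not m.group(1).startswith(POLICIES + "\\"):
            continue
        name = m.group(1)[len(POLICIES) + 1:]
        value, process = int(m.group(2), 0), m.group(3)
        entry = out[process].setdefault(
            name, {"value": value, "count": 0, "verdict": verdict(name, value)})
        entry["count"] += 1
    return dict(out)


def uac_disabled_by(records):
    """Processes that wrote EnableLUA = 0 (UAC is off for everyone after reboot)."""
    return sorted(p for p, vals in evaluate(records).items()
                  if vals.get(r"System\EnableLUA", {}).get("value") == 0)


# Records copied from the IoC list above (a subset; the report has 64).
SAMPLE = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" lstekk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" lstekk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lstekk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lstekk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" lstekk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" lstekk.exe
"""

if __name__ == "__main__":
    for process, values in evaluate(SAMPLE).items():
        print(process)
        for name, info in values.items():
            extra = ""
            if name == r"Explorer\NoDriveTypeAutoRun":
                extra = " AutoRun re-enabled on: " + ", ".join(autorun_reenabled(info["value"]))
            print(f"  {name} = {info['value']} x{info['count']}: {info['verdict']}{extra}")
    print("UAC disabled by:", uac_disabled_by(SAMPLE))
```

The same baseline works for live triage: export the Policies key from a suspect host with reg.exe and feed the lines through the same regex, or replace SET_RE with a reader for your EDR's registry-event format. Keep ConsentPromptBehaviorUser out of the "weakens" set on purpose: 0 there is auto-deny, which is more restrictive, and only matters while EnableLUA is still 1.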
Processes
-
[n] is the depth in the tree; each entry gives the image path, the command line, the signatures it triggered and its PID.
[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2980
    [2] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_bc2c2e6019e42289641123c2db3584dc.exe*"
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Hijack Execution Flow: Executable Installer File Permissions Weakness
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID:2132
        [3] C:\Users\Admin\AppData\Local\Temp\lstekk.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\lstekk.exe" "-C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe"
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Impair Defenses: Safe Mode Boot
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Hijack Execution Flow: Executable Installer File Permissions Weakness
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - System policy modification
            PID:5100
        [3] C:\Users\Admin\AppData\Local\Temp\lstekk.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\lstekk.exe" "-C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe"
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Hijack Execution Flow: Executable Installer File Permissions Weakness
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
            PID:3612
[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe
    - Suspicious use of WriteProcessMemory
    PID:1528
    [2] C:\Windows\ysgexkhwukolgjpjnic.exe
        Command line: ysgexkhwukolgjpjnic.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID:4952
[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe .
    - Suspicious use of WriteProcessMemory
    PID:3268
    [2] C:\Windows\ewievgbokyavoptln.exe
        Command line: ewievgbokyavoptln.exe .
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID:5064
        [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ewievgbokyavoptln.exe*."
            - Executes dropped EXE
            PID:2480
[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe
    - Suspicious use of WriteProcessMemory
    PID:4904
    [2] C:\Windows\ngtqiuqebqtpjlqjmg.exe
        Command line: ngtqiuqebqtpjlqjmg.exe
        - Executes dropped EXE
        PID:5524
[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe .
    - Suspicious use of WriteProcessMemory
    PID:4556
    [2] C:\Windows\ysgexkhwukolgjpjnic.exe
        Command line: ysgexkhwukolgjpjnic.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:3200
        [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ysgexkhwukolgjpjnic.exe*."
            - Executes dropped EXE
            PID:540
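The tree repeats one launch pattern many times: cmd.exe /c starts a dropped executable that sits directly in C:\Windows or in the user's Temp folder, and when that executable receives a "." argument it relaunches apcxvhdqkzm.exe with its own image path, a "*" and a "." as the argument. The script below is an added example for this page, not code from the sandbox or from the sample; it encodes those observables as rules over a transcription of part of the tree. PROCS is read off the Processes section (root processes get parent None because the report does not show their parent); the three rule names, and TEMP_DIR as the sandbox user's Temp path, are assumptions for this illustration and would be adapted for real process-creation telemetry.

```python
"""Flag the cmd.exe /c -> dropped exe -> relaunch pattern from the Processes tree.

Added example for this page; not code from the sandbox or the sample. PROCS is a
transcription of part of the tree as (pid, parent pid, image path, command line).
Rules: (1) cmd.exe /c launching an exe that lives directly in C:\\Windows or in the
user's Temp; (2) a process whose argument is its launcher's own image path plus
'*' or '*.'; (3) one image name present in more than one drop directory.
"""
import ntpath
import re
from collections import defaultdict

WINDOWS_ROOT = r"c:\windows"
TEMP_DIR = r"c:\users\admin\appdata\local\temp"  # sandbox user's Temp (assumption)
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_args(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(cmdline)]


def in_drop_dir(image):
    """True when the image sits directly in C:\\Windows or in the user's Temp."""
    return ntpath.dirname(image).lower() in (WINDOWS_ROOT, TEMP_DIR)


def relaunched_with_parent_path(argv, parent_image):
    """True when argv[1] is the parent's image path followed by '*' or '*.'."""
    if len(argv) < 2 or not argv[1].endswith(("*", "*.")):
        return False
    return argv[1].lower().rstrip(".").rstrip("*") == parent_image.lower()


def findings(procs):
    """Return (pid, rule, detail) for every process that matches a rule."""
    by_pid = {p[0]: p for p in procs}
    dirs_per_name = defaultdict(set)
    for _, _, image, _ in procs:
        dirs_per_name[ntpath.basename(image).lower()].add(ntpath.dirname(image).lower())
    out = []
    for pid, ppid, image, cmdline in procs:
        parent = by_pid.get(ppid)
        if parent is not None:
            parent_argv = [a.lower() for a in split_args(parent[3])]
            if (ntpath.basename(parent[2]).lower() == "cmd.exe"
                    and "/c" in parent_argv and in_drop_dir(image)):
                out.append((pid, "cmd /c launch of dropped exe", image))
            argv = split_args(cmdline)
            if relaunched_with_parent_path(argv, parent[2]):
                out.append((pid, "relaunch with parent path + '*'", argv[1]))
        if len(dirs_per_name[ntpath.basename(image).lower()]) > 1:
            out.append((pid, "same name in multiple drop dirs", ntpath.basename(image)))
    return out


# Transcribed from the Processes section above: (pid, parent pid, image, command line).
PROCS = [
    (2980, None, r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe"'),
    (2132, 2980, r"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_bc2c2e6019e42289641123c2db3584dc.exe*"'),
    (5100, 2132, r"C:\Users\Admin\AppData\Local\Temp\lstekk.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\lstekk.exe" "-C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe"'),
    (1528, None, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe"),
    (4952, 1528, r"C:\Windows\ysgexkhwukolgjpjnic.exe", r"ysgexkhwukolgjpjnic.exe"),
    (3268, None, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe ."),
    (5064, 3268, r"C:\Windows\ewievgbokyavoptln.exe", r"ewievgbokyavoptln.exe ."),
    (2480, 5064, r"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ewievgbokyavoptln.exe*."'),
    (4816, None, r"C:\Windows\system32\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe ."),
    (4804, 4816, r"C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe",
     r"C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe ."),
]

if __name__ == "__main__":
    for pid, rule, detail in findings(PROCS):
        print(f"PID {pid}: {rule}: {detail}")
```

Rule 2 is the most specific of the three and the one to keep when porting this to Sysmon or EDR process-creation events, because the argument is built from the launcher's own path and does not depend on the randomised file names; rules 1 and 3 need an allow-list for legitimate installers that stage executables in Temp.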
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exeC:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exeC:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ewievgbokyavoptln.exe*."3⤵
- Executes dropped EXE
PID:4268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe1⤵
- Suspicious use of WriteProcessMemory
PID:6076 -
C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exeC:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe2⤵
- Executes dropped EXE
PID:5420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5152 -
C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exeC:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\lgvuocaqpgljfjqlqmhc.exe*."3⤵
- Executes dropped EXE
PID:5396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\ewievgbokyavoptln.exeewievgbokyavoptln.exe2⤵
- Executes dropped EXE
PID:1240
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lgvuocaqpgljfjqlqmhc.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5940 -
C:\Windows\lgvuocaqpgljfjqlqmhc.exelgvuocaqpgljfjqlqmhc.exe2⤵
- Executes dropped EXE
PID:4484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lgvuocaqpgljfjqlqmhc.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\lgvuocaqpgljfjqlqmhc.exelgvuocaqpgljfjqlqmhc.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\lgvuocaqpgljfjqlqmhc.exe*."3⤵
- Executes dropped EXE
PID:1348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\ngtqiuqebqtpjlqjmg.exengtqiuqebqtpjlqjmg.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ngtqiuqebqtpjlqjmg.exe*."3⤵
- Executes dropped EXE
PID:3100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Windows\awmmhwvmmekjgltpvsoka.exeawmmhwvmmekjgltpvsoka.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe .1⤵PID:3076
-
C:\Windows\ngtqiuqebqtpjlqjmg.exengtqiuqebqtpjlqjmg.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:928 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ngtqiuqebqtpjlqjmg.exe*."3⤵
- Executes dropped EXE
PID:5548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe1⤵PID:4224
-
C:\Windows\ngtqiuqebqtpjlqjmg.exengtqiuqebqtpjlqjmg.exe2⤵
- Executes dropped EXE
PID:5972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe1⤵PID:1136
-
C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exeC:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe2⤵
- Executes dropped EXE
PID:1992
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe .1⤵PID:5644
-
C:\Windows\ysgexkhwukolgjpjnic.exeysgexkhwukolgjpjnic.exe .2⤵
- Executes dropped EXE
PID:1488 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ysgexkhwukolgjpjnic.exe*."3⤵
- Executes dropped EXE
PID:5660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe .1⤵PID:5496
-
C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exeC:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:844 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ewievgbokyavoptln.exe*."3⤵
- Executes dropped EXE
PID:2176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe1⤵PID:1008
-
C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exeC:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe2⤵
- Executes dropped EXE
PID:5192
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe .1⤵PID:5888
-
C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exeC:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6016 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ewievgbokyavoptln.exe*."3⤵
- Executes dropped EXE
PID:4504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe1⤵PID:2584
-
C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exeC:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe2⤵
- Executes dropped EXE
PID:5884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe .1⤵PID:3936
-
C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exeC:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe .2⤵
- Executes dropped EXE
PID:2508 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\lgvuocaqpgljfjqlqmhc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe1⤵PID:2232
-
C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exeC:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe2⤵
- Executes dropped EXE
PID:5620
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe .1⤵PID:4572
-
C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exeC:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe .2⤵
- Executes dropped EXE
PID:5304 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\lgvuocaqpgljfjqlqmhc.exe*."3⤵
- Executes dropped EXE
PID:4688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe1⤵PID:5900
-
C:\Windows\awmmhwvmmekjgltpvsoka.exeawmmhwvmmekjgltpvsoka.exe2⤵
- Executes dropped EXE
PID:956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe .1⤵PID:5960
-
C:\Windows\ysgexkhwukolgjpjnic.exeysgexkhwukolgjpjnic.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5024 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ysgexkhwukolgjpjnic.exe*."3⤵
- Executes dropped EXE
PID:2196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe1⤵PID:1040
-
C:\Windows\xozukuoavijdvvyp.exexozukuoavijdvvyp.exe2⤵
- Executes dropped EXE
PID:5064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe .1⤵PID:5056
-
C:\Windows\awmmhwvmmekjgltpvsoka.exeawmmhwvmmekjgltpvsoka.exe .2⤵
- Executes dropped EXE
PID:5604 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\awmmhwvmmekjgltpvsoka.exe*."3⤵
- Executes dropped EXE
PID:1960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe1⤵PID:5676
-
C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exeC:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe2⤵
- Executes dropped EXE
PID:5048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe .1⤵PID:5832
-
C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exeC:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe .2⤵
- Executes dropped EXE
PID:4500 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ewievgbokyavoptln.exe*."3⤵
- Executes dropped EXE
PID:4980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe1⤵PID:5036
-
C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exeC:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3924
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .1⤵PID:5772
-
C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exeC:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3604
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe1⤵PID:1564
-
C:\Windows\ysgexkhwukolgjpjnic.exeysgexkhwukolgjpjnic.exe2⤵
- Executes dropped EXE
PID:4100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lgvuocaqpgljfjqlqmhc.exe .1⤵PID:4124
-
C:\Windows\lgvuocaqpgljfjqlqmhc.exelgvuocaqpgljfjqlqmhc.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\lgvuocaqpgljfjqlqmhc.exe*."3⤵
- Executes dropped EXE
PID:3884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe1⤵PID:1368
-
C:\Windows\awmmhwvmmekjgltpvsoka.exeawmmhwvmmekjgltpvsoka.exe2⤵
- Executes dropped EXE
PID:1160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe1⤵PID:2228
-
C:\Windows\xozukuoavijdvvyp.exexozukuoavijdvvyp.exe2⤵
- Executes dropped EXE
PID:6012
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe .1⤵PID:3184
-
C:\Windows\xozukuoavijdvvyp.exexozukuoavijdvvyp.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3852 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*."3⤵
- Executes dropped EXE
PID:4032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe1⤵PID:1456
-
C:\Windows\ewievgbokyavoptln.exeewievgbokyavoptln.exe2⤵
- Executes dropped EXE
PID:5184
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe .1⤵PID:4484
-
C:\Windows\xozukuoavijdvvyp.exexozukuoavijdvvyp.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2720 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*."3⤵
- Executes dropped EXE
PID:3156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe1⤵PID:5180
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1348
-
-
C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exeC:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe2⤵
- Executes dropped EXE
PID:1620
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe1⤵PID:2024
-
C:\Windows\ewievgbokyavoptln.exeewievgbokyavoptln.exe2⤵PID:1880
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe .1⤵PID:5248
-
C:\Windows\awmmhwvmmekjgltpvsoka.exeawmmhwvmmekjgltpvsoka.exe .2⤵
- Executes dropped EXE
PID:3452 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\awmmhwvmmekjgltpvsoka.exe*."3⤵PID:3644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .1⤵PID:2568
-
C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exeC:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5584 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe .1⤵PID:1704
-
C:\Windows\awmmhwvmmekjgltpvsoka.exeawmmhwvmmekjgltpvsoka.exe .2⤵PID:3976
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\awmmhwvmmekjgltpvsoka.exe*."3⤵PID:336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe1⤵PID:1356
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1992
-
-
C:\Windows\awmmhwvmmekjgltpvsoka.exeawmmhwvmmekjgltpvsoka.exe2⤵PID:2164
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe1⤵PID:4476
-
C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exeC:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe2⤵PID:3492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe .1⤵PID:1816
-
C:\Windows\awmmhwvmmekjgltpvsoka.exeawmmhwvmmekjgltpvsoka.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5296 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\awmmhwvmmekjgltpvsoka.exe*."3⤵PID:4940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe .1⤵PID:5716
-
C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exeC:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe .2⤵PID:3932
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xozukuoavijdvvyp.exe*."3⤵PID:4956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe1⤵PID:2324
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2176
-
-
C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exeC:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe2⤵PID:4404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe1⤵PID:4896
-
C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exeC:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe2⤵PID:2796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .1⤵PID:2944
-
C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exeC:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .2⤵PID:6048
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*."3⤵PID:1304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .1⤵PID:4916
-
C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exeC:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4760 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*."3⤵PID:3680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe1⤵PID:4504
-
C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exeC:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe2⤵PID:4652
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe .1⤵PID:2788
-
C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exeC:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe .2⤵PID:5044
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xozukuoavijdvvyp.exe*."3⤵PID:2424
-
-
-
Process tree, one process per line: image | command line | PID (indentation shows depth in the tree; signature hits are listed beneath the process that triggered them)

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | PID 5952
  C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | PID 4372

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe . | PID 3316
  C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe . | PID 956
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ewievgbokyavoptln.exe*." | PID 3332

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe | PID 2156
  C:\Windows\ngtqiuqebqtpjlqjmg.exe | ngtqiuqebqtpjlqjmg.exe | PID 5552

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe . | PID 1116
  C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe . | PID 3136
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*." | PID 3060

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe | PID 3016
  C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe | PID 5060

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c lgvuocaqpgljfjqlqmhc.exe . | PID 4416
  C:\Windows\lgvuocaqpgljfjqlqmhc.exe | lgvuocaqpgljfjqlqmhc.exe . | PID 5732
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\lgvuocaqpgljfjqlqmhc.exe*." | PID 4804

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | PID 4500
  C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | PID 5008

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 4268
  C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 5792
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ysgexkhwukolgjpjnic.exe*." | PID 2780

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | PID 1292
  C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | PID 1928

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe . | PID 4864
  C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe . | PID 5416
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ewievgbokyavoptln.exe*." | PID 5396
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe | PID 1664
  C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe | PID 3628

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe . | PID 4480
  C:\Windows\ngtqiuqebqtpjlqjmg.exe | ngtqiuqebqtpjlqjmg.exe . | PID 1368
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ngtqiuqebqtpjlqjmg.exe*." | PID 1604

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe | PID 776
  C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe | PID 4396

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe . | PID 2276
  C:\Windows\ysgexkhwukolgjpjnic.exe | ysgexkhwukolgjpjnic.exe . | PID 5436
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ysgexkhwukolgjpjnic.exe*." | PID 1192

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | PID 5636
  C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | PID 2336

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 5300
  C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 5180
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*." | PID 132

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | PID 4484
  C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | PID 844

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe . | PID 5728
  C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe . | PID 3644
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ngtqiuqebqtpjlqjmg.exe*." | PID 2024
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c lgvuocaqpgljfjqlqmhc.exe | PID 5576
  C:\Windows\lgvuocaqpgljfjqlqmhc.exe | lgvuocaqpgljfjqlqmhc.exe | PID 2068

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe . | PID 5748
  C:\Windows\awmmhwvmmekjgltpvsoka.exe | awmmhwvmmekjgltpvsoka.exe . | PID 2496
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\awmmhwvmmekjgltpvsoka.exe*." | PID 4476

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe | PID 4224
  C:\Windows\ngtqiuqebqtpjlqjmg.exe | ngtqiuqebqtpjlqjmg.exe | PID 800

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe . | PID 1696
  C:\Windows\ngtqiuqebqtpjlqjmg.exe | ngtqiuqebqtpjlqjmg.exe . | PID 1220
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ngtqiuqebqtpjlqjmg.exe*." | PID 4472

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | PID 4488
  C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | PID 5308

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe . | PID 5020
  C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe . | PID 3428
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ngtqiuqebqtpjlqjmg.exe*." | PID 3052

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | PID 3752
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3932
  C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | PID 4232

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe . | PID 4612
  C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe . | PID 6068
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\lgvuocaqpgljfjqlqmhc.exe*." | PID 4624
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe | PID 4760
  C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe | PID 656

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe . | PID 2660
  C:\Windows\ngtqiuqebqtpjlqjmg.exe | ngtqiuqebqtpjlqjmg.exe . | PID 1528
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ngtqiuqebqtpjlqjmg.exe*." | PID 5276

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe | PID 1856
  C:\Windows\awmmhwvmmekjgltpvsoka.exe | awmmhwvmmekjgltpvsoka.exe | PID 2508

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe . | PID 1748
  C:\Windows\awmmhwvmmekjgltpvsoka.exe | awmmhwvmmekjgltpvsoka.exe . | PID 5328
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\awmmhwvmmekjgltpvsoka.exe*." | PID 1044

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | PID 6064
  C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | PID 5112

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 2424
  C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 3316
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ysgexkhwukolgjpjnic.exe*." | PID 2008

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 5048
  C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 2260

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 3268
  C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 408
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*." | PID 3592
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe | PID 4908
  C:\Windows\awmmhwvmmekjgltpvsoka.exe | awmmhwvmmekjgltpvsoka.exe | PID 4804

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe . | PID 5164
  C:\Windows\ysgexkhwukolgjpjnic.exe | ysgexkhwukolgjpjnic.exe . | PID 5128
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ysgexkhwukolgjpjnic.exe*." | PID 5188

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe | PID 4736
  C:\Windows\ysgexkhwukolgjpjnic.exe | ysgexkhwukolgjpjnic.exe | PID 5776

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe . | PID 1292
  C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe . | PID 1392
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*." | PID 5508

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | PID 2728
  C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | PID 1908

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe . | PID 3012
  C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe . | PID 3628
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ewievgbokyavoptln.exe*." | PID 1180

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 2380
  C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 3536

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 5184
  C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 5424
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ysgexkhwukolgjpjnic.exe*." | PID 776
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c lgvuocaqpgljfjqlqmhc.exe | PID 5436
  C:\Windows\lgvuocaqpgljfjqlqmhc.exe | lgvuocaqpgljfjqlqmhc.exe | PID 1192

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe . | PID 2100
  C:\Windows\awmmhwvmmekjgltpvsoka.exe | awmmhwvmmekjgltpvsoka.exe . | PID 3156
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\awmmhwvmmekjgltpvsoka.exe*." | PID 3696

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe | PID 3520
  C:\Windows\ysgexkhwukolgjpjnic.exe | ysgexkhwukolgjpjnic.exe | PID 5272

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe . | PID 1088
  C:\Windows\ewievgbokyavoptln.exe | ewievgbokyavoptln.exe . | PID 5996
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ewievgbokyavoptln.exe*." | PID 5728

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 1508
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3644
  C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 2256

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 3788
  C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 2112
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ysgexkhwukolgjpjnic.exe*." | PID 3600

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | PID 392
  C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | PID 1652

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe . | PID 5916
  C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe | C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe . | PID 4476
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xozukuoavijdvvyp.exe*." | PID 3748
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe | PID 5332
  C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe | PID 2796

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe . | PID 4872
  C:\Windows\ngtqiuqebqtpjlqjmg.exe | ngtqiuqebqtpjlqjmg.exe . | PID 4472
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ngtqiuqebqtpjlqjmg.exe*." | PID 3940

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe | PID 2132
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3052
  C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe | PID 5880

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe . | PID 2124
  C:\Windows\ewievgbokyavoptln.exe | ewievgbokyavoptln.exe . | PID 5324
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ewievgbokyavoptln.exe*." | PID 3692

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe | PID 5068
  C:\Windows\ysgexkhwukolgjpjnic.exe | ysgexkhwukolgjpjnic.exe | PID 4068

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | PID 3168
  C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | PID 4648

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 4948
  C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 5884
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*." | PID 6088

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c lgvuocaqpgljfjqlqmhc.exe | PID 1796
  C:\Windows\lgvuocaqpgljfjqlqmhc.exe | lgvuocaqpgljfjqlqmhc.exe | PID 6004

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe . | PID 5552
  C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe . | PID 5312
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*." | PID 5960

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe . | PID 5568
  C:\Windows\awmmhwvmmekjgltpvsoka.exe | awmmhwvmmekjgltpvsoka.exe . | PID 4852
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\awmmhwvmmekjgltpvsoka.exe*." | PID 3320

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe | PID 4932
  C:\Windows\awmmhwvmmekjgltpvsoka.exe | awmmhwvmmekjgltpvsoka.exe | PID 1076

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | PID 4616
  C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | PID 5640

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe . | PID 5708
  C:\Windows\ewievgbokyavoptln.exe | ewievgbokyavoptln.exe . | PID 4924
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ewievgbokyavoptln.exe*." | PID 3900
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe . | PID 5632
  C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe . | PID 5148
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ewievgbokyavoptln.exe*." | PID 5036

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe | PID 4688
  C:\Windows\ysgexkhwukolgjpjnic.exe | ysgexkhwukolgjpjnic.exe | PID 5624

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | PID 568
  C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | PID 2416

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe . | PID 996
  C:\Windows\awmmhwvmmekjgltpvsoka.exe | awmmhwvmmekjgltpvsoka.exe . | PID 3740
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\awmmhwvmmekjgltpvsoka.exe*." | PID 4864

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe . | PID 5060
  C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe | C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe . | PID 4124
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xozukuoavijdvvyp.exe*." | PID 2012

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | PID 4568
  C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | PID 5724

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe . | PID 4676
  C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe . | PID 5124
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ewievgbokyavoptln.exe*." | PID 5404

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | PID 1524
  C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | PID 2736

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 2556
  C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 3628
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*." | PID 236

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | PID 1664
  C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | PID 2892

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe | PID 3884
  C:\Windows\ewievgbokyavoptln.exe | ewievgbokyavoptln.exe | PID 2596

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe . | PID 1368
  C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe . | PID 2020
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ngtqiuqebqtpjlqjmg.exe*." | PID 808

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe . | PID 4480
  C:\Windows\awmmhwvmmekjgltpvsoka.exe | awmmhwvmmekjgltpvsoka.exe . | PID 1112
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\awmmhwvmmekjgltpvsoka.exe*." | PID 5180

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe | PID 2524
  C:\Windows\awmmhwvmmekjgltpvsoka.exe | awmmhwvmmekjgltpvsoka.exe | PID 2488

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe . | PID 4920
  C:\Windows\ysgexkhwukolgjpjnic.exe | ysgexkhwukolgjpjnic.exe . | PID 328
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ysgexkhwukolgjpjnic.exe*." | PID 4484

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe | PID 3520
  C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe | C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe | PID 3728

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 2888
  C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 6096
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ysgexkhwukolgjpjnic.exe*." | PID 1088

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | PID 2000
  C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | PID 2076

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 4816
  C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 1136
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ysgexkhwukolgjpjnic.exe*." | PID 3588
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe | PID 5916
  C:\Windows\ysgexkhwukolgjpjnic.exe | ysgexkhwukolgjpjnic.exe | PID 2324

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe . | PID 5652
  C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe . | PID 228
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*." | PID 5556

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe | PID 4224
  C:\Windows\ngtqiuqebqtpjlqjmg.exe | ngtqiuqebqtpjlqjmg.exe | PID 1696

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe . | PID 1724
  C:\Windows\ewievgbokyavoptln.exe | ewievgbokyavoptln.exe . | PID 1984
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ewievgbokyavoptln.exe*." | PID 6068

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | PID 4872
  C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | PID 4504

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 4612
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4940
  C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 5900
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ysgexkhwukolgjpjnic.exe*." | PID 6044

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | PID 6136
  C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | PID 1816

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 3344
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1528
  C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 5284
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ysgexkhwukolgjpjnic.exe*." | PID 6088
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe | PID 5784
  C:\Windows\ysgexkhwukolgjpjnic.exe | ysgexkhwukolgjpjnic.exe | PID 5664

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe . | PID 5024
  C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe . | PID 4140
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*." | PID 5348

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe | PID 2156
  C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe | PID 464

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe . | PID 5000
  C:\Windows\ewievgbokyavoptln.exe | ewievgbokyavoptln.exe . | PID 3016
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ewievgbokyavoptln.exe*." | PID 5116

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | PID 1540
  C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | PID 3060

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe . | PID 1104
  C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe . | PID 4788
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ngtqiuqebqtpjlqjmg.exe*." | PID 5676

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | PID 568
  C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | PID 400

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 5872
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2424
  C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 5824
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*." | PID 5852
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe | PID 2248
  C:\Windows\ngtqiuqebqtpjlqjmg.exe | ngtqiuqebqtpjlqjmg.exe | PID 3572

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe . | PID 3104
  C:\Windows\awmmhwvmmekjgltpvsoka.exe | awmmhwvmmekjgltpvsoka.exe . | PID 996
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\awmmhwvmmekjgltpvsoka.exe*." | PID 5124

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe | PID 1196
  C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe | PID 5056

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe . | PID 3012
  C:\Windows\ngtqiuqebqtpjlqjmg.exe | ngtqiuqebqtpjlqjmg.exe . | PID 872
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ngtqiuqebqtpjlqjmg.exe*." | PID 1180

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | PID 236
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3592
  C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | PID 5316

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe . | PID 1216
  C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe . | PID 4260
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\lgvuocaqpgljfjqlqmhc.exe*." | PID 1492

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 3128
  C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 4856
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .1⤵PID:4980
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5060
-
-
C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exeC:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5940 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lgvuocaqpgljfjqlqmhc.exe1⤵PID:4532
-
C:\Windows\lgvuocaqpgljfjqlqmhc.exelgvuocaqpgljfjqlqmhc.exe2⤵PID:2276
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe .1⤵PID:5444
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5996
-
-
C:\Windows\xozukuoavijdvvyp.exexozukuoavijdvvyp.exe .2⤵PID:132
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*."3⤵PID:5300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe1⤵PID:4484
-
C:\Windows\ysgexkhwukolgjpjnic.exeysgexkhwukolgjpjnic.exe2⤵PID:2068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe .1⤵PID:5888
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2256
-
-
C:\Windows\ngtqiuqebqtpjlqjmg.exengtqiuqebqtpjlqjmg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ngtqiuqebqtpjlqjmg.exe*."3⤵PID:3900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe1⤵PID:5532
-
C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exeC:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe2⤵PID:3108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .1⤵PID:964
-
C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exeC:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4920 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*."3⤵PID:2040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe1⤵PID:2568
-
C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exeC:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe2⤵PID:3120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe .1⤵PID:1220
-
C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exeC:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5224 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xozukuoavijdvvyp.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lgvuocaqpgljfjqlqmhc.exe1⤵PID:4224
-
C:\Windows\lgvuocaqpgljfjqlqmhc.exelgvuocaqpgljfjqlqmhc.exe2⤵PID:4068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe .1⤵PID:4220
-
C:\Windows\xozukuoavijdvvyp.exexozukuoavijdvvyp.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*."3⤵PID:5880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lgvuocaqpgljfjqlqmhc.exe1⤵PID:1724
-
C:\Windows\lgvuocaqpgljfjqlqmhc.exelgvuocaqpgljfjqlqmhc.exe2⤵PID:4232
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe .1⤵PID:5712
-
C:\Windows\ysgexkhwukolgjpjnic.exeysgexkhwukolgjpjnic.exe .2⤵PID:2584
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ysgexkhwukolgjpjnic.exe*."3⤵PID:4108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe1⤵PID:1532
-
C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exeC:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe2⤵PID:5592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe .1⤵PID:5720
-
C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exeC:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4372 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xozukuoavijdvvyp.exe*."3⤵PID:3356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe1⤵PID:5276
-
C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exeC:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe2⤵PID:5992
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe .1⤵PID:4420
-
C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exeC:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xozukuoavijdvvyp.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe1⤵PID:5688
-
C:\Windows\ysgexkhwukolgjpjnic.exeysgexkhwukolgjpjnic.exe2⤵PID:5048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe .1⤵PID:4616
-
C:\Windows\xozukuoavijdvvyp.exexozukuoavijdvvyp.exe .2⤵PID:1960
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*."3⤵PID:3200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe1⤵PID:5516
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5148
-
-
C:\Windows\awmmhwvmmekjgltpvsoka.exeawmmhwvmmekjgltpvsoka.exe2⤵PID:4900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe .1⤵PID:5084
-
C:\Windows\ewievgbokyavoptln.exeewievgbokyavoptln.exe .2⤵PID:1928
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ewievgbokyavoptln.exe*."3⤵PID:4500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe1⤵PID:568
-
C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exeC:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe2⤵PID:6088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe .1⤵PID:4248
-
C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exeC:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3280 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ysgexkhwukolgjpjnic.exe*."3⤵PID:4984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe1⤵PID:1884
-
C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exeC:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe2⤵PID:3572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe .1⤵PID:408
-
C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exeC:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe .2⤵PID:4040
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ewievgbokyavoptln.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe1⤵PID:4020
-
C:\Windows\ewievgbokyavoptln.exeewievgbokyavoptln.exe2⤵PID:2452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe1⤵PID:2668
-
C:\Windows\xozukuoavijdvvyp.exexozukuoavijdvvyp.exe2⤵PID:900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe1⤵PID:2960
-
C:\Windows\xozukuoavijdvvyp.exexozukuoavijdvvyp.exe2⤵PID:3112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe .1⤵PID:4396
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3536
-
-
C:\Windows\ysgexkhwukolgjpjnic.exeysgexkhwukolgjpjnic.exe .2⤵PID:2328
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ysgexkhwukolgjpjnic.exe*."3⤵PID:1216
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe .1⤵PID:5732
-
C:\Windows\xozukuoavijdvvyp.exexozukuoavijdvvyp.exe .2⤵PID:5852
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*."3⤵PID:2276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe .1⤵PID:5636
-
C:\Windows\xozukuoavijdvvyp.exexozukuoavijdvvyp.exe .2⤵PID:4980
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*."3⤵PID:3520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe1⤵PID:5940
-
C:\Windows\ngtqiuqebqtpjlqjmg.exengtqiuqebqtpjlqjmg.exe2⤵PID:3768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe .1⤵PID:3952
-
C:\Windows\ysgexkhwukolgjpjnic.exeysgexkhwukolgjpjnic.exe .2⤵
- System Location Discovery: System Language Discovery
PID:224 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ysgexkhwukolgjpjnic.exe*."3⤵PID:4476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe1⤵PID:5272
-
C:\Windows\ewievgbokyavoptln.exeewievgbokyavoptln.exe2⤵PID:1352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe1⤵PID:880
-
C:\Windows\ewievgbokyavoptln.exeewievgbokyavoptln.exe2⤵PID:4120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe1⤵PID:992
-
C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exeC:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe2⤵PID:2700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lgvuocaqpgljfjqlqmhc.exe .1⤵PID:3976
-
C:\Windows\lgvuocaqpgljfjqlqmhc.exelgvuocaqpgljfjqlqmhc.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1992 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\lgvuocaqpgljfjqlqmhc.exe*."3⤵PID:1780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lgvuocaqpgljfjqlqmhc.exe .1⤵PID:1228
-
C:\Windows\lgvuocaqpgljfjqlqmhc.exelgvuocaqpgljfjqlqmhc.exe .2⤵PID:552
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\lgvuocaqpgljfjqlqmhc.exe*."3⤵PID:3752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe .1⤵PID:428
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2496
-
-
C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exeC:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe .2⤵PID:1148
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ysgexkhwukolgjpjnic.exe*."3⤵PID:5900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe1⤵PID:5888
-
C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exeC:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe2⤵PID:3124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe1⤵PID:4840
-
C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exeC:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe2⤵PID:3472
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .1⤵PID:3276
-
C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exeC:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5520 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*."3⤵PID:1268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .1⤵PID:1080
-
C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exeC:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .2⤵PID:4876
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*."3⤵PID:3588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe1⤵PID:2468
-
C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exeC:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe2⤵PID:1548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe .1⤵PID:3720
-
C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exeC:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe .2⤵PID:3344
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ewievgbokyavoptln.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe1⤵PID:4760
-
C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exeC:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe2⤵PID:4508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe1⤵PID:2148
-
C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exeC:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe2⤵PID:5720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .1⤵PID:2152
-
C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exeC:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4752 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*."3⤵PID:5348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .1⤵PID:4412
-
C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exeC:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .2⤵PID:2944
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*."3⤵PID:464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe1⤵PID:3828
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3016
-
-
C:\Windows\ewievgbokyavoptln.exeewievgbokyavoptln.exe2⤵PID:5624
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe .1⤵PID:1116
-
C:\Windows\xozukuoavijdvvyp.exexozukuoavijdvvyp.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2608 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*."3⤵PID:3160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lgvuocaqpgljfjqlqmhc.exe1⤵PID:2712
-
C:\Windows\lgvuocaqpgljfjqlqmhc.exelgvuocaqpgljfjqlqmhc.exe2⤵PID:6076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe .1⤵PID:4352
-
C:\Windows\ewievgbokyavoptln.exeewievgbokyavoptln.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2008 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ewievgbokyavoptln.exe*."3⤵PID:6056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe1⤵PID:4768
-
C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exeC:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe2⤵PID:4500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe .1⤵PID:1392
-
C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exeC:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2424 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ysgexkhwukolgjpjnic.exe*."3⤵PID:1564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe1⤵PID:5776
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4864
-
-
C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exeC:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe2⤵PID:6040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe .1⤵PID:484
-
C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exeC:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3920 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xozukuoavijdvvyp.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe1⤵PID:1092
-
C:\Windows\awmmhwvmmekjgltpvsoka.exeawmmhwvmmekjgltpvsoka.exe2⤵PID:4020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe .1⤵PID:2228
-
C:\Windows\awmmhwvmmekjgltpvsoka.exeawmmhwvmmekjgltpvsoka.exe .2⤵PID:2668
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\awmmhwvmmekjgltpvsoka.exe*."3⤵PID:4436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe1⤵PID:2960
-
C:\Windows\ngtqiuqebqtpjlqjmg.exengtqiuqebqtpjlqjmg.exe2⤵PID:3312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe .1⤵PID:4308
-
C:\Windows\awmmhwvmmekjgltpvsoka.exeawmmhwvmmekjgltpvsoka.exe .2⤵PID:5008
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\awmmhwvmmekjgltpvsoka.exe*."3⤵PID:5060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe1⤵PID:1112
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2488
-
-
C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exeC:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe2⤵PID:3904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe .1⤵PID:4812
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3156
-
-
C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exeC:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ewievgbokyavoptln.exe*."3⤵PID:2012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe1⤵PID:4856
-
C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exeC:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe2⤵PID:1088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe .1⤵PID:5192
-
C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exeC:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2904 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ewievgbokyavoptln.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:6096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe1⤵PID:5660
-
C:\Windows\ngtqiuqebqtpjlqjmg.exengtqiuqebqtpjlqjmg.exe2⤵PID:4516
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe .1⤵PID:4532
-
C:\Windows\ngtqiuqebqtpjlqjmg.exengtqiuqebqtpjlqjmg.exe .2⤵PID:4404
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ngtqiuqebqtpjlqjmg.exe*."3⤵PID:5668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe1⤵PID:5680
-
C:\Windows\ysgexkhwukolgjpjnic.exeysgexkhwukolgjpjnic.exe2⤵PID:5984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lgvuocaqpgljfjqlqmhc.exe .1⤵PID:2000
-
C:\Windows\lgvuocaqpgljfjqlqmhc.exelgvuocaqpgljfjqlqmhc.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5160 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\lgvuocaqpgljfjqlqmhc.exe*."3⤵PID:3900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe1⤵PID:4004
-
C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exeC:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe2⤵PID:6104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe .1⤵PID:5496
-
C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exeC:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe .2⤵PID:5020
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xozukuoavijdvvyp.exe*."3⤵PID:1268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe1⤵PID:5200
-
C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exeC:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe2⤵PID:2124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe .1⤵PID:2136
-
C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exeC:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe .2⤵PID:228
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ewievgbokyavoptln.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe1⤵PID:3172
-
C:\Windows\ewievgbokyavoptln.exeewievgbokyavoptln.exe2⤵PID:4420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe .1⤵PID:4752
-
C:\Windows\xozukuoavijdvvyp.exexozukuoavijdvvyp.exe .2⤵PID:2268
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*."3⤵PID:3356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe1⤵PID:5276
-
C:\Windows\ysgexkhwukolgjpjnic.exeysgexkhwukolgjpjnic.exe2⤵PID:3332
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe .1⤵PID:3316
-
C:\Windows\ngtqiuqebqtpjlqjmg.exengtqiuqebqtpjlqjmg.exe .2⤵PID:5400
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ngtqiuqebqtpjlqjmg.exe*."3⤵PID:3200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe1⤵PID:3336
-
C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exeC:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe2⤵PID:3656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .1⤵PID:1960
-
C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exeC:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*."3⤵PID:2420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe1⤵PID:5264
-
C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exeC:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe2⤵PID:960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe .1⤵PID:4568
-
C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exeC:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe .2⤵PID:5608
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xozukuoavijdvvyp.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe1⤵PID:3048
-
C:\Windows\xozukuoavijdvvyp.exexozukuoavijdvvyp.exe2⤵PID:1416
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe .1⤵PID:3764
-
C:\Windows\awmmhwvmmekjgltpvsoka.exeawmmhwvmmekjgltpvsoka.exe .2⤵PID:3488
-
Process tree (continued). Each entry reads: [depth] image path | command line | PID; signature hits are listed beneath the process that triggered them.

    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\awmmhwvmmekjgltpvsoka.exe*." | PID 3920

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe | PID 5652
  [2] C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe | PID 4040

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe . | PID 4936
  [2] C:\Windows\ysgexkhwukolgjpjnic.exe | ysgexkhwukolgjpjnic.exe . | PID 1292
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ysgexkhwukolgjpjnic.exe*." | PID 1712

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 5404
  [2] C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 3980

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 2380
  [2] C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 872
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*." | PID 744

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | PID 3312
  [2] C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | PID 4260

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 2348
  [2] C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 6032
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ysgexkhwukolgjpjnic.exe*." | PID 2276
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe | PID 5396
  [2] C:\Windows\ngtqiuqebqtpjlqjmg.exe | ngtqiuqebqtpjlqjmg.exe | PID 2832

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe . | PID 1876
  [2] C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe . | PID 4580
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*." | PID 1852

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe | PID 4676
  [2] C:\Windows\ysgexkhwukolgjpjnic.exe | ysgexkhwukolgjpjnic.exe | PID 4348

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe . | PID 3100
  [2] C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe . | PID 4052
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*." | PID 2080

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | PID 1508
  [2] C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | PID 224

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe . | PID 5748
  [2] C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe | C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe . | PID 3472
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xozukuoavijdvvyp.exe*." | PID 2324

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 928
  [2] C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 3124

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe . | PID 5984
  [2] C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe . | PID 2796
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\lgvuocaqpgljfjqlqmhc.exe*." | PID 4084
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe | PID 5900
  [2] C:\Windows\ysgexkhwukolgjpjnic.exe | ysgexkhwukolgjpjnic.exe | PID 4232

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe . | PID 4112
  [2] C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe . | PID 4876
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*." | PID 4872

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe | PID 2232
  [2] C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe | PID 428

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe | PID 2136
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3692
  [2] C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe | PID 1532

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe . | PID 2024
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 6004
  [2] C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe . | PID 5540
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*." | PID 4916
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe | PID 5716
  [2] C:\Windows\ewievgbokyavoptln.exe | ewievgbokyavoptln.exe | PID 3388

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | PID 4700
  [2] C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | PID 5972

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c lgvuocaqpgljfjqlqmhc.exe . | PID 2944
  [2] C:\Windows\lgvuocaqpgljfjqlqmhc.exe | lgvuocaqpgljfjqlqmhc.exe . | PID 5568
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\lgvuocaqpgljfjqlqmhc.exe*." | PID 5608

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 2268
  [2] C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 5688
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ysgexkhwukolgjpjnic.exe*." | PID 1564
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe . | PID 3332
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4372
  [2] C:\Windows\ewievgbokyavoptln.exe | ewievgbokyavoptln.exe . | PID 1856
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ewievgbokyavoptln.exe*." | PID 5632

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe | PID 2412
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5624
  [2] C:\Windows\ysgexkhwukolgjpjnic.exe | ysgexkhwukolgjpjnic.exe | PID 1104

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe | PID 5820
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3316
  [2] C:\Windows\ysgexkhwukolgjpjnic.exe | ysgexkhwukolgjpjnic.exe | PID 5684

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c lgvuocaqpgljfjqlqmhc.exe . | PID 5488
  [2] C:\Windows\lgvuocaqpgljfjqlqmhc.exe | lgvuocaqpgljfjqlqmhc.exe . | PID 4472
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\lgvuocaqpgljfjqlqmhc.exe*." | PID 4820

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | PID 4364
  [2] C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | PID 1524

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe . | PID 5536
  [2] C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe . | PID 1700
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*." | PID 4396

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | PID 5908
  [2] C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | PID 1244

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe . | PID 568
  [2] C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe | C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe . | PID 1160
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xozukuoavijdvvyp.exe*." | PID 2348

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 876
  [2] C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 2320

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe . | PID 5872
  [2] C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe . | PID 2452
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\lgvuocaqpgljfjqlqmhc.exe*." | PID 4304

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe . | PID 6040
  [2] C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe | C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe . | PID 2880
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xozukuoavijdvvyp.exe*." | PID 2832

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe | PID 4892
  [2] C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe | C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe | PID 4072

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 4020
  [2] C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 1604
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ysgexkhwukolgjpjnic.exe*." | PID 4492

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | PID 1292
  [2] C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | PID 5272

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe . | PID 872
  [2] C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe . | PID 4308
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ngtqiuqebqtpjlqjmg.exe*." | PID 1852
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe | PID 5868
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3696
  [2] C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe | PID 680

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe . | PID 5184
  [2] C:\Windows\ngtqiuqebqtpjlqjmg.exe | ngtqiuqebqtpjlqjmg.exe . | PID 5636
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ngtqiuqebqtpjlqjmg.exe*." | PID 1704

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c lgvuocaqpgljfjqlqmhc.exe | PID 5436
  [2] C:\Windows\lgvuocaqpgljfjqlqmhc.exe | lgvuocaqpgljfjqlqmhc.exe | PID 2960

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe . | PID 648
  [2] C:\Windows\ngtqiuqebqtpjlqjmg.exe | ngtqiuqebqtpjlqjmg.exe . | PID 5916
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ngtqiuqebqtpjlqjmg.exe*." | PID 1408

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | PID 5256
  [2] C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | PID 3100

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe . | PID 3636
  [2] C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe . | PID 1640
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\lgvuocaqpgljfjqlqmhc.exe*." | PID 5740

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 6104
  [2] C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 5892

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe . | PID 5680
  [2] C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe . | PID 3900
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ewievgbokyavoptln.exe*." | PID 6068

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe | PID 4232
  [2] C:\Windows\ewievgbokyavoptln.exe | ewievgbokyavoptln.exe | PID 2124

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe . | PID 1220
  [2] C:\Windows\ysgexkhwukolgjpjnic.exe | ysgexkhwukolgjpjnic.exe . | PID 1964
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ysgexkhwukolgjpjnic.exe*." | PID 4628

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe | PID 3480
  [2] C:\Windows\ngtqiuqebqtpjlqjmg.exe | ngtqiuqebqtpjlqjmg.exe | PID 1136

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe . | PID 5552
  [2] C:\Windows\ngtqiuqebqtpjlqjmg.exe | ngtqiuqebqtpjlqjmg.exe . | PID 4816
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ngtqiuqebqtpjlqjmg.exe*." | PID 4432

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 5088
  [2] C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 1076

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe . | PID 1796
  [2] C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe | C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe . | PID 1528
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xozukuoavijdvvyp.exe*." | PID 4700

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | PID 5024
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4420
  [2] C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | PID 2156

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe . | PID 3716
  [2] C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe . | PID 3608
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\lgvuocaqpgljfjqlqmhc.exe*." | PID 4800

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe | PID 2828
  [2] C:\Windows\ewievgbokyavoptln.exe | ewievgbokyavoptln.exe | PID 5348

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe . | PID 3920
  [2] C:\Windows\ewievgbokyavoptln.exe | ewievgbokyavoptln.exe . | PID 4988
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ewievgbokyavoptln.exe*." | PID 4588

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe | PID 2416
  [2] C:\Windows\ysgexkhwukolgjpjnic.exe | ysgexkhwukolgjpjnic.exe | PID 4744

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe . | PID 2320
  [2] C:\Windows\ngtqiuqebqtpjlqjmg.exe | ngtqiuqebqtpjlqjmg.exe . | PID 5772
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ngtqiuqebqtpjlqjmg.exe*." | PID 5228

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | PID 1908
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5852
  [2] C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | PID 3884

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 3592
  [2] C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 3492
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*." | PID 4568
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 4980
  [2] C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 4644

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 2596
  [2] C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 5712
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ysgexkhwukolgjpjnic.exe*." | PID 788

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe | PID 1108
  [2] C:\Windows\ysgexkhwukolgjpjnic.exe | ysgexkhwukolgjpjnic.exe | PID 5080

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe . | PID 3376
  [2] C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe . | PID 4308
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*." | PID 5240

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c lgvuocaqpgljfjqlqmhc.exe | PID 3768
  [2] C:\Windows\lgvuocaqpgljfjqlqmhc.exe | lgvuocaqpgljfjqlqmhc.exe | PID 2328

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe . | PID 3184
  [2] C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe . | PID 2812
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*." | PID 2476

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | PID 660
  [2] C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | PID 2076

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 1520
  [2] C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 3600
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*." | PID 5436

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 5964
  [2] C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 3940

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 5996
  [2] C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 5916
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*." | PID 224

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe | PID 2088
  [2] C:\Windows\awmmhwvmmekjgltpvsoka.exe | awmmhwvmmekjgltpvsoka.exe | PID 3468

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe . | PID 1012
  [2] C:\Windows\ewievgbokyavoptln.exe | ewievgbokyavoptln.exe . | PID 4900
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ewievgbokyavoptln.exe*." | PID 1640

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe | PID 3136
  [2] C:\Windows\ysgexkhwukolgjpjnic.exe | ysgexkhwukolgjpjnic.exe | PID 4532

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe . | PID 5668
  [2] C:\Windows\ngtqiuqebqtpjlqjmg.exe | ngtqiuqebqtpjlqjmg.exe . | PID 3268
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ngtqiuqebqtpjlqjmg.exe*." | PID 4224

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | PID 392
  [2] C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | PID 2132

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe . | PID 4696
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4648
  [2] C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe . | PID 6008
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\lgvuocaqpgljfjqlqmhc.exe*." | PID 1568

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 5968
  [2] C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 4240

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe . | PID 6044
  [2] C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe . | PID 1220
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ewievgbokyavoptln.exe*." | PID 5836

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe | PID 5588
  [2] C:\Windows\ysgexkhwukolgjpjnic.exe | ysgexkhwukolgjpjnic.exe | PID 5088

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe . | PID 5812
  [2] C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe . | PID 4932
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*." | PID 5992

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe | PID 4700
  [2] C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe | PID 4960

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe . | PID 4940
  [2] C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe . | PID 5520
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*." | PID 3716
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | PID 2868
  [2] C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | PID 5608

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 4084
  [2] C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 5348
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ysgexkhwukolgjpjnic.exe*." | PID 4424

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | PID 2780
  [2] C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | PID 5056

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe . | PID 1524
  [2] C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe | C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe . | PID 3920
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xozukuoavijdvvyp.exe*." | PID 960

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe | PID 4248
  [2] C:\Windows\ewievgbokyavoptln.exe | ewievgbokyavoptln.exe | PID 5772

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe . | PID 436
  [2] C:\Windows\ngtqiuqebqtpjlqjmg.exe | ngtqiuqebqtpjlqjmg.exe . | PID 2336
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ngtqiuqebqtpjlqjmg.exe*." | PID 2832

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe | PID 3040
  [2] C:\Windows\ewievgbokyavoptln.exe | ewievgbokyavoptln.exe | PID 2020

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe | PID 1700
  [2] C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe | PID 4892

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe . | PID 644
  [2] C:\Windows\ewievgbokyavoptln.exe | ewievgbokyavoptln.exe . | PID 1500
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ewievgbokyavoptln.exe*." | PID 5868

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe | PID 5712
  [2] C:\Windows\ngtqiuqebqtpjlqjmg.exe | ngtqiuqebqtpjlqjmg.exe | PID 1912

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe . | PID 576
  [2] C:\Windows\ngtqiuqebqtpjlqjmg.exe | ngtqiuqebqtpjlqjmg.exe . | PID 1944
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ngtqiuqebqtpjlqjmg.exe*." | PID 2812

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 5244
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5180
  [2] C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | PID 4308

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 3696
  [2] C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 2112
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*." | PID 2040

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c lgvuocaqpgljfjqlqmhc.exe . | PID 2820
  [2] C:\Windows\lgvuocaqpgljfjqlqmhc.exe | lgvuocaqpgljfjqlqmhc.exe . | PID 2888
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\lgvuocaqpgljfjqlqmhc.exe*." | PID 5420

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe | PID 3004
  [2] C:\Windows\ysgexkhwukolgjpjnic.exe | ysgexkhwukolgjpjnic.exe | PID 880

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe . | PID 336
  [2] C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe . | PID 3956
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*." | PID 1780

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe | PID 5192
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3728
  [2] C:\Windows\ewievgbokyavoptln.exe | ewievgbokyavoptln.exe | PID 1488

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | PID 1196
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5060
  [2] C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | PID 1640

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe | PID 1616
  [2] C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe | C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe | PID 6132

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe . | PID 5916
  [2] C:\Windows\ngtqiuqebqtpjlqjmg.exe | ngtqiuqebqtpjlqjmg.exe . | PID 5888
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ngtqiuqebqtpjlqjmg.exe*." | PID 1924
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe . | PID 3428
  [2] C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe . | PID 1364
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ngtqiuqebqtpjlqjmg.exe*." | PID 1136

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 2068
  [2] C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe . | PID 1960
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ysgexkhwukolgjpjnic.exe*." | PID 3020

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | PID 5640
  [2] C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | PID 1496

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 6112
  [2] C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 2132
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*." | PID 3596

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | PID 5740
  [2] C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe | PID 1536

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe . | PID 4524
  [2] C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe . | PID 428
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ngtqiuqebqtpjlqjmg.exe*." | PID 984

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | PID 5020
  [2] C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe | PID 5324

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe | PID 4956
  [2] C:\Windows\ysgexkhwukolgjpjnic.exe | ysgexkhwukolgjpjnic.exe | PID 4628

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 1964
  [2] C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe | C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe . | PID 564
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*." | PID 3356

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe . | PID 1076
  [2] C:\Windows\xozukuoavijdvvyp.exe | xozukuoavijdvvyp.exe . | PID 6120
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*." | PID 2608

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe | PID 5552
  [2] C:\Windows\ewievgbokyavoptln.exe | ewievgbokyavoptln.exe | PID 5972

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe . | PID 4700
  [2] C:\Windows\ngtqiuqebqtpjlqjmg.exe | ngtqiuqebqtpjlqjmg.exe . | PID 3408
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ngtqiuqebqtpjlqjmg.exe*." | PID 2744

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | PID 5600
  [2] C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe | PID 2024

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe . | PID 1192
  [2] C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe | C:\Users\Admin\AppData\Local\Temp\ewievgbokyavoptln.exe . | PID 4948
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ewievgbokyavoptln.exe*."3⤵PID:5348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe1⤵PID:5648
-
C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exeC:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe2⤵PID:4352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe .1⤵PID:2668
-
C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exeC:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe .2⤵PID:3960
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\lgvuocaqpgljfjqlqmhc.exe*."3⤵PID:5824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe1⤵PID:772
-
C:\Windows\ysgexkhwukolgjpjnic.exeysgexkhwukolgjpjnic.exe2⤵PID:2480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe .1⤵PID:5772
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2348
-
-
C:\Windows\xozukuoavijdvvyp.exexozukuoavijdvvyp.exe .2⤵PID:3488
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*."3⤵PID:2016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe1⤵PID:3740
-
C:\Windows\ysgexkhwukolgjpjnic.exeysgexkhwukolgjpjnic.exe2⤵PID:1664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe .1⤵PID:2540
-
C:\Windows\xozukuoavijdvvyp.exexozukuoavijdvvyp.exe .2⤵PID:5164
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xozukuoavijdvvyp.exe*."3⤵PID:4440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe1⤵PID:5632
-
C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exeC:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe2⤵PID:1700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe .1⤵PID:3604
-
C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exeC:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe .2⤵PID:488
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xozukuoavijdvvyp.exe*."3⤵PID:5676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe1⤵PID:5404
-
C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exeC:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe2⤵PID:4132
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .1⤵PID:4800
-
C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exeC:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .2⤵PID:1940
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*."3⤵PID:2556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ewievgbokyavoptln.exe1⤵PID:5832
-
C:\Windows\ewievgbokyavoptln.exeewievgbokyavoptln.exe2⤵PID:3184
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe .1⤵PID:5216
-
C:\Windows\awmmhwvmmekjgltpvsoka.exeawmmhwvmmekjgltpvsoka.exe .2⤵PID:960
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\awmmhwvmmekjgltpvsoka.exe*."3⤵PID:5256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ngtqiuqebqtpjlqjmg.exe1⤵PID:1352
-
C:\Windows\ngtqiuqebqtpjlqjmg.exengtqiuqebqtpjlqjmg.exe2⤵PID:3956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe .1⤵PID:4348
-
C:\Windows\ysgexkhwukolgjpjnic.exeysgexkhwukolgjpjnic.exe .2⤵PID:1216
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ysgexkhwukolgjpjnic.exe*."3⤵PID:964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe1⤵PID:5548
-
C:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exeC:\Users\Admin\AppData\Local\Temp\xozukuoavijdvvyp.exe2⤵PID:336
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .1⤵PID:5580
-
C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exeC:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .2⤵PID:768
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*."3⤵PID:2432
-
C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe"C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-C:\Users\Admin\AppData\Local\Temp\tpftezlithjdvvyp.exe"4⤵PID:1112
-
-
C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe"C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-C:\Users\Admin\AppData\Local\Temp\tpftezlithjdvvyp.exe"4⤵PID:3816
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe1⤵PID:5516
-
C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exeC:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe2⤵PID:5472
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .1⤵PID:4900
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3120
-
-
C:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exeC:\Users\Admin\AppData\Local\Temp\awmmhwvmmekjgltpvsoka.exe .2⤵PID:5892
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\awmmhwvmmekjgltpvsoka.exe*."3⤵PID:1924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hhbtihxynfljfjqlqmdd.exe1⤵PID:5888
-
C:\Windows\hhbtihxynfljfjqlqmdd.exehhbtihxynfljfjqlqmdd.exe2⤵PID:2244
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c utmdrpeesjolgjpjniy.exe .1⤵PID:5324
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3200
-
-
C:\Windows\utmdrpeesjolgjpjniy.exeutmdrpeesjolgjpjniy.exe .2⤵PID:5200
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\utmdrpeesjolgjpjniy.exe*."3⤵PID:1652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhzpcznmzptpjlqjmg.exe1⤵PID:3964
-
C:\Windows\jhzpcznmzptpjlqjmg.exejhzpcznmzptpjlqjmg.exe2⤵PID:6076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ysgexkhwukolgjpjnic.exe1⤵PID:5048
-
C:\Windows\ysgexkhwukolgjpjnic.exeysgexkhwukolgjpjnic.exe2⤵PID:4264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wxslbbsukdkjgltpvsklg.exe .1⤵PID:6112
-
C:\Windows\wxslbbsukdkjgltpvsklg.exewxslbbsukdkjgltpvsklg.exe .2⤵PID:1856
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\wxslbbsukdkjgltpvsklg.exe*."3⤵PID:2408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\utmdrpeesjolgjpjniy.exe1⤵PID:3720
-
C:\Users\Admin\AppData\Local\Temp\utmdrpeesjolgjpjniy.exeC:\Users\Admin\AppData\Local\Temp\utmdrpeesjolgjpjniy.exe2⤵PID:5828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe .1⤵PID:564
-
C:\Windows\awmmhwvmmekjgltpvsoka.exeawmmhwvmmekjgltpvsoka.exe .2⤵PID:1424
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\awmmhwvmmekjgltpvsoka.exe*."3⤵PID:5992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhzpcznmzptpjlqjmg.exe .1⤵PID:3108
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4920
-
-
C:\Users\Admin\AppData\Local\Temp\jhzpcznmzptpjlqjmg.exeC:\Users\Admin\AppData\Local\Temp\jhzpcznmzptpjlqjmg.exe .2⤵PID:1820
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\jhzpcznmzptpjlqjmg.exe*."3⤵PID:4356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xozukuoavijdvvyp.exe1⤵PID:5504
-
C:\Windows\xozukuoavijdvvyp.exexozukuoavijdvvyp.exe2⤵PID:4504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awmmhwvmmekjgltpvsoka.exe .1⤵PID:6004
-
C:\Windows\awmmhwvmmekjgltpvsoka.exeawmmhwvmmekjgltpvsoka.exe .2⤵PID:1632
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\awmmhwvmmekjgltpvsoka.exe*."3⤵PID:1932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axodplywixavoptln.exe1⤵PID:5152
-
C:\Users\Admin\AppData\Local\Temp\axodplywixavoptln.exeC:\Users\Admin\AppData\Local\Temp\axodplywixavoptln.exe2⤵PID:5388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe1⤵PID:3408
-
C:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exeC:\Users\Admin\AppData\Local\Temp\ysgexkhwukolgjpjnic.exe2⤵PID:5440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxslbbsukdkjgltpvsklg.exe .1⤵PID:5012
-
C:\Users\Admin\AppData\Local\Temp\wxslbbsukdkjgltpvsklg.exeC:\Users\Admin\AppData\Local\Temp\wxslbbsukdkjgltpvsklg.exe .2⤵PID:5776
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\wxslbbsukdkjgltpvsklg.exe*."3⤵PID:5976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe .1⤵PID:5608
-
C:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exeC:\Users\Admin\AppData\Local\Temp\lgvuocaqpgljfjqlqmhc.exe .2⤵PID:1244
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\lgvuocaqpgljfjqlqmhc.exe*."3⤵PID:4988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe1⤵PID:2828
-
C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exeC:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe2⤵PID:4744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe .1⤵PID:4364
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5124
-
-
C:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exeC:\Users\Admin\AppData\Local\Temp\ngtqiuqebqtpjlqjmg.exe .2⤵PID:2892
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ngtqiuqebqtpjlqjmg.exe*."3⤵PID:2320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lgvuocaqpgljfjqlqmhc.exe1⤵PID:2880
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads
Filesize: 268B
  MD5:    341e61c7e1f076c39c5e92ed3d17a9d4
  SHA1:   2fb76fd740e370e921c023ad986716e4b50bf971
  SHA256: 1f85144cef6ac30e2069c6f587049fd6a9dc334e0887c386cf64b2d3eaa23f4f
  SHA512: a2a66242b3861cba74a77ebfe68b8aa26f029c2c975b05191f4abe66518f58e61a20b1dd15152d1eb705d60d6959ab4cc69dd26978059cabd0e88fffd49dc0d7

Filesize: 268B
  MD5:    a09fe09823cbf8f2b2f7cbdd6c145d53
  SHA1:   c3b3e638ece81959cbbe8689442ec6903f41869b
  SHA256: 5cb1116b3790f7660d05abe2d48596dc71ec231836b5d4a4a2ccef7205d28f39
  SHA512: 65b59012ba14a2a7a1ff1cac19e06e698e57206a008e3a6378554d4a053abc4bc2f3517004b48640bba8c2a545e5aeae8ce1fa85400327da7608003e8c289edc

Filesize: 268B
  MD5:    beca6599d14614cef223e120cafef033
  SHA1:   983f1fe0b2d6f4f225c5b66811bf067d05a3454b
  SHA256: dd29ce2a68b7c44b9ada1f4c58641a50014a7ba76a06a6672516170b09c76c8b
  SHA512: 196e91a9aa73b6c32c52acf6bb45c748533798ad106aab149350186b3360371d653e344f10bd9992900f6c30952660e5304b90cf91d8bf9ec4fca95c7f2fac19

Filesize: 268B
  MD5:    26a36d35cfa38ce71a16b51e6ebf8a95
  SHA1:   eb3cd9e420f8e3674347f8e0218946b898d9b8bc
  SHA256: b0d749485319438ad14b8a872e4126966a15afdbc558c54e338417c73e36cbec
  SHA512: a6f9341a364defd262cd14769e70b0d1bdf7275d630ee7373337b26b3c03803892ec7cc9abaec2cd594ec07fcbd6c85eb432ed93787d5aebfe7931ea418cb4a0

Filesize: 268B
  MD5:    27a3a2561fce17daf7a2a005eb0fb2b2
  SHA1:   8477cbf147b46b9350e5d79fe6445c0847de9d91
  SHA256: aa99d3a571781d7b4d19f0861a36eb68e536eb46ef408205e3757456d0c01784
  SHA512: 982203f0e41f7a430eb04f15375ff66da7ef8e3a5ee49bfc2da710b744b082cd3cc0de3dcf09ba4d35df5edbe8c9e2c0a968fff6427edfe2591e39aeb221c4ed

Filesize: 268B
  MD5:    f0f27964321abd49aa5ee267d78f14af
  SHA1:   76ad7387cedeeb380ebf9854a090913355a5d78d
  SHA256: ecb16faa4eec922b1510bfefca65f4edf747cd258a8b6a4b9f9f777a22d2d608
  SHA512: 89fec8322578668954b12f95fb423a7a18852f49e3a54b76609607126130de55219c16cf3b35a8478b9b4d92f7eb22d25e09450f4ba722dd5f88c5e50652039a

Filesize: 320KB
  MD5:    88a3d7432ff5d5cee011047d7a3acb16
  SHA1:   9c5b95142911b292dc75e120545949a1dca72d12
  SHA256: fa10ed2990ca760fb82fc16facf3d805f1a12ee3a8e5a723844cc1a0e3b88fcb
  SHA512: 3d0ff8fe2113ddb3f94bb4f041d7005e11681e4c912ce55f486722adef62df1bd36332fb489a2d61632980ba1f5a60dd8ef71697b21f199611b6010da3ca2147

Filesize: 700KB
  MD5:    aea48b657074ff550e07304403b29100
  SHA1:   f30b7a5f55e05a64208a31605224aaeaa5bfbd35
  SHA256: 51f255bbf586765c73529235200c9e68de80d46c0e3497f53c6efe5e37ffd396
  SHA512: 958d60a7a4a6d62b7d6cdf77f63923870f1805f3197e1a30114844f5caf60c38ec9c99f95eaae57ce42484ab3da8b4d2543ded5512bbeb35b411c3734033eb4d

Filesize: 268B
  MD5:    883f35e71c7ad697018a442c856d40dc
  SHA1:   f556f7e4a829af42a8d651174753589a12016f80
  SHA256: 9d9a579820c9b1f6670edc8cdd88c2cc99ec111c21b1e06a469428b888806a87
  SHA512: 86ebf70ea10c36285bcc7e4385187ecee2268c0f69b3d94645a60b742a5c629143b1b1173f3461b94466de80675e7e976d70d33983e8ec1ca4dc08669d9355e7

Filesize: 3KB
  MD5:    bbcb9c61de2fead078d367999a008d84
  SHA1:   001b25502a0aa4b3b7b1c2aec304df9524d04622
  SHA256: 1b49afffe996a41db1eaa1a28fddec333b134038db07c6cb6920964dfe3d8817
  SHA512: 21bf756dbe6dcf8f10b03a1b2b8cc688970f9576142335cf87b2ed6c5ec99fca5a9541ad6209350c22e031f1c90a6ef4e71425ec57e725a6157918d8138b9099

Filesize: 488KB
  MD5:    bc2c2e6019e42289641123c2db3584dc
  SHA1:   e7b2c809bf63f0a3a362b2b5e4930a5a1b5c7d9b
  SHA256: 9223f4748f528658ba3ac30515cf3ac1817677baaf345441d021e98ebd8891af
  SHA512: f31491a41da42f042c41060fa394c5fe36afcb9edb1507d1119936c9f26c79b5a90945393d532b817f1b8007989800e1b823766673f3704154b32cb4ae99af6b