Analysis
max time kernel: 54s
max time network: 161s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 18/04/2025, 02:28

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
Resource: win11-20250410-en

General
Target: JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
Size: 488KB
MD5: bc2c2e6019e42289641123c2db3584dc
SHA1: e7b2c809bf63f0a3a362b2b5e4930a5a1b5c7d9b
SHA256: 9223f4748f528658ba3ac30515cf3ac1817677baaf345441d021e98ebd8891af
SHA512: f31491a41da42f042c41060fa394c5fe36afcb9edb1507d1119936c9f26c79b5a90945393d532b817f1b8007989800e1b823766673f3704154b32cb4ae99af6b
SSDEEP: 6144:tto07dgp0+5+ylPtRIQdS6VjKQ8tQYtagbr4rPYyUQTB2I/51pftDKHpDbU69SWX:jo07g+aP5KR5EJUQTB2OfDKC7WccSop

Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 27 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | xhlow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | xhlow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cpptclrxmzz.exe

Pykspa family

UAC bypass (3 TTPs, 36 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xhlow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | xhlow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | xhlow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | xhlow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | xhlow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xhlow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | xhlow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | xhlow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe

Detect Pykspa worm (2 IoCs)
resource | yara_rule
behavioral1/files/0x000a00000002a929-4.dat | family_pykspa
behavioral1/files/0x001c00000002b0f9-80.dat | family_pykspa

Adds policy Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "vtlcyphdwjqltfwnbpz.exe" | cpptclrxmzz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "upeslzohxhldirft.exe" | xhlow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "bxncwlbvmxcvblapb.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "ihasphaxrfnjsfxpeted.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "upeslzohxhldirft.exe" | xhlow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "khyojzqldpvpwhxnan.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlcyphdwjqltfwnbpz.exe" | xhlow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyojzqldpvpwhxnan.exe" | cpptclrxmzz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | xhlow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "ihasphaxrfnjsfxpeted.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyojzqldpvpwhxnan.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "xxrkibvtodmjthatjzllf.exe" | xhlow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "khyojzqldpvpwhxnan.exe" | xhlow.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cpptclrxmzz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "upeslzohxhldirft.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihasphaxrfnjsfxpeted.exe" | xhlow.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cpptclrxmzz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upeslzohxhldirft.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "upeslzohxhldirft.exe" | cpptclrxmzz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | xhlow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrkibvtodmjthatjzllf.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxncwlbvmxcvblapb.exe" | xhlow.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "khyojzqldpvpwhxnan.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "ihasphaxrfnjsfxpeted.exe" | xhlow.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "bxncwlbvmxcvblapb.exe" | xhlow.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cpptclrxmzz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cpptclrxmzz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cpptclrxmzz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlcyphdwjqltfwnbpz.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "khyojzqldpvpwhxnan.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "vtlcyphdwjqltfwnbpz.exe" | cpptclrxmzz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "ihasphaxrfnjsfxpeted.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyojzqldpvpwhxnan.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upeslzohxhldirft.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "khyojzqldpvpwhxnan.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "xxrkibvtodmjthatjzllf.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "vtlcyphdwjqltfwnbpz.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "xxrkibvtodmjthatjzllf.exe" | cpptclrxmzz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlcyphdwjqltfwnbpz.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrkibvtodmjthatjzllf.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyojzqldpvpwhxnan.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrkibvtodmjthatjzllf.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "upeslzohxhldirft.exe" | cpptclrxmzz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyojzqldpvpwhxnan.exe" | xhlow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlcyphdwjqltfwnbpz.exe" | xhlow.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cpptclrxmzz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrkibvtodmjthatjzllf.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "bxncwlbvmxcvblapb.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mfsevhulzhjzcj = "upeslzohxhldirft.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upeslzohxhldirft.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upeslzohxhldirft.exe" | cpptclrxmzz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cpptclrxmzz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pfpymvfteji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrkibvtodmjthatjzllf.exe" | cpptclrxmzz.exe

Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cpptclrxmzz.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xhlow.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xhlow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xhlow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xhlow.exe

Executes dropped EXE (64 IoCs)
pid | Process
3316 | cpptclrxmzz.exe
4228 | xxrkibvtodmjthatjzllf.exe
4848 | upeslzohxhldirft.exe
4892 | cpptclrxmzz.exe
5116 | khyojzqldpvpwhxnan.exe
3964 | khyojzqldpvpwhxnan.exe
3388 | cpptclrxmzz.exe
900 | upeslzohxhldirft.exe
3672 | upeslzohxhldirft.exe
436 | cpptclrxmzz.exe
3300 | vtlcyphdwjqltfwnbpz.exe
4244 | vtlcyphdwjqltfwnbpz.exe
2044 | cpptclrxmzz.exe
5216 | xhlow.exe
2312 | xhlow.exe
3140 | bxncwlbvmxcvblapb.exe
5824 | bxncwlbvmxcvblapb.exe
2028 | bxncwlbvmxcvblapb.exe
2992 | cpptclrxmzz.exe
3472 | ihasphaxrfnjsfxpeted.exe
1480 | cpptclrxmzz.exe
2736 | upeslzohxhldirft.exe
5820 | xxrkibvtodmjthatjzllf.exe
3692 | bxncwlbvmxcvblapb.exe
3260 | vtlcyphdwjqltfwnbpz.exe
5132 | xxrkibvtodmjthatjzllf.exe
5568 | cpptclrxmzz.exe
5656 | xxrkibvtodmjthatjzllf.exe
6008 | cpptclrxmzz.exe
5644 | vtlcyphdwjqltfwnbpz.exe
4792 | vtlcyphdwjqltfwnbpz.exe
5456 | cpptclrxmzz.exe
2644 | cpptclrxmzz.exe
3040 | upeslzohxhldirft.exe
3188 | khyojzqldpvpwhxnan.exe
3252 | bxncwlbvmxcvblapb.exe
2732 | cpptclrxmzz.exe
1776 | ihasphaxrfnjsfxpeted.exe
5960 | cpptclrxmzz.exe
5188 | ihasphaxrfnjsfxpeted.exe
568 | xxrkibvtodmjthatjzllf.exe
2692 | cpptclrxmzz.exe
5296 | upeslzohxhldirft.exe
4804 | vtlcyphdwjqltfwnbpz.exe
5012 | xxrkibvtodmjthatjzllf.exe
4448 | cpptclrxmzz.exe
440 | upeslzohxhldirft.exe
3748 | cpptclrxmzz.exe
5196 | ihasphaxrfnjsfxpeted.exe
5092 | xxrkibvtodmjthatjzllf.exe
1712 | cpptclrxmzz.exe
4412 | vtlcyphdwjqltfwnbpz.exe
4244 | vtlcyphdwjqltfwnbpz.exe
5620 | cpptclrxmzz.exe
5040 | ihasphaxrfnjsfxpeted.exe
5124 | bxncwlbvmxcvblapb.exe
708 | upeslzohxhldirft.exe
6136 | vtlcyphdwjqltfwnbpz.exe
3140 | xxrkibvtodmjthatjzllf.exe
1684 | xxrkibvtodmjthatjzllf.exe
2164 | cpptclrxmzz.exe
1480 | cpptclrxmzz.exe
4444 | ihasphaxrfnjsfxpeted.exe
6092 | vtlcyphdwjqltfwnbpz.exe

Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | xhlow.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | xhlow.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | xhlow.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | xhlow.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | xhlow.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | xhlow.exe

Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upeslzohxhldirft.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihasphaxrfnjsfxpeted.exe ." | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "upeslzohxhldirft.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxncwlbvmxcvblapb.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "vtlcyphdwjqltfwnbpz.exe ." | xhlow.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\upeslzohxhldirft = "khyojzqldpvpwhxnan.exe ." | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "bxncwlbvmxcvblapb.exe ." | xhlow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bxncwlbvmxcvblapb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyojzqldpvpwhxnan.exe ." | xhlow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\khyojzqldpvpwhxnan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlcyphdwjqltfwnbpz.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrkibvtodmjthatjzllf.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyojzqldpvpwhxnan.exe ." | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "upeslzohxhldirft.exe ." | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjxkcpdvktwnrzm = "xxrkibvtodmjthatjzllf.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxncwlbvmxcvblapb.exe" | xhlow.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\upeslzohxhldirft = "xxrkibvtodmjthatjzllf.exe ." | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "upeslzohxhldirft.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "ihasphaxrfnjsfxpeted.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlcyphdwjqltfwnbpz.exe ." | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "xxrkibvtodmjthatjzllf.exe ." | xhlow.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjxkcpdvktwnrzm = "ihasphaxrfnjsfxpeted.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\upeslzohxhldirft = "vtlcyphdwjqltfwnbpz.exe ." | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\khyojzqldpvpwhxnan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlcyphdwjqltfwnbpz.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "vtlcyphdwjqltfwnbpz.exe ." | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bxncwlbvmxcvblapb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrkibvtodmjthatjzllf.exe ." | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihasphaxrfnjsfxpeted.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\khyojzqldpvpwhxnan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlcyphdwjqltfwnbpz.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "vtlcyphdwjqltfwnbpz.exe ." | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrkibvtodmjthatjzllf.exe ." | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "ihasphaxrfnjsfxpeted.exe ." | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrkibvtodmjthatjzllf.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "vtlcyphdwjqltfwnbpz.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "xxrkibvtodmjthatjzllf.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\upeslzohxhldirft = "xxrkibvtodmjthatjzllf.exe ." | xhlow.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlcyphdwjqltfwnbpz.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\upeslzohxhldirft = "khyojzqldpvpwhxnan.exe ." | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjxkcpdvktwnrzm = "upeslzohxhldirft.exe" | xhlow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bxncwlbvmxcvblapb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihasphaxrfnjsfxpeted.exe ." | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "khyojzqldpvpwhxnan.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\upeslzohxhldirft = "vtlcyphdwjqltfwnbpz.exe ." | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "khyojzqldpvpwhxnan.exe ." | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjxkcpdvktwnrzm = "xxrkibvtodmjthatjzllf.exe" | xhlow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "ihasphaxrfnjsfxpeted.exe" | xhlow.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upeslzohxhldirft.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "xxrkibvtodmjthatjzllf.exe ." | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxncwlbvmxcvblapb.exe ." | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ldpaqbndqxynp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlcyphdwjqltfwnbpz.exe ." | xhlow.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\upeslzohxhldirft = "khyojzqldpvpwhxnan.exe ." | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "khyojzqldpvpwhxnan.exe" | xhlow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "bxncwlbvmxcvblapb.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjxkcpdvktwnrzm = "khyojzqldpvpwhxnan.exe" | xhlow.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjxkcpdvktwnrzm = "upeslzohxhldirft.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "ihasphaxrfnjsfxpeted.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bxncwlbvmxcvblapb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrkibvtodmjthatjzllf.exe ." | xhlow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "upeslzohxhldirft.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\khyojzqldpvpwhxnan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khyojzqldpvpwhxnan.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "vtlcyphdwjqltfwnbpz.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bxncwlbvmxcvblapb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upeslzohxhldirft.exe ." | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "ihasphaxrfnjsfxpeted.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xxrkibvtodmjthatjzllf.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vtlcyphdwjqltfwnbpz.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjxkcpdvktwnrzm = "bxncwlbvmxcvblapb.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\khyojzqldpvpwhxnan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxncwlbvmxcvblapb.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\mdoynxixjppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihasphaxrfnjsfxpeted.exe" | cpptclrxmzz.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\pjxkcpdvktwnrzm = "bxncwlbvmxcvblapb.exe" | cpptclrxmzz.exe

Checks whether UAC is enabled 1 TTPs 54 IoCs
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" cpptclrxmzz.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" xhlow.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" xhlow.exe
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
3 whatismyip.everdot.org
1 www.showmyipaddress.com
1 whatismyip.everdot.org
1 www.whatismyip.ca
3 whatismyipaddress.com
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File opened for modification C:\autorun.inf xhlow.exe
File created C:\autorun.inf xhlow.exe
File opened for modification F:\autorun.inf xhlow.exe
File created F:\autorun.inf xhlow.exe
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 4 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\zffeihhlmhwzpjihdzrxxwa.zde xhlow.exe
File created C:\Program Files (x86)\zffeihhlmhwzpjihdzrxxwa.zde xhlow.exe
File opened for modification C:\Program Files (x86)\mdoynxixjppdejtdkrulwgvfqfrxxlmrbl.zct xhlow.exe
File created C:\Program Files (x86)\mdoynxixjppdejtdkrulwgvfqfrxxlmrbl.zct xhlow.exe
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 5216 xhlow.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 64 IoCs
The 64 events are grouped below by value and writing process (the raw table lists them in event order):

description | ioc | Process | count
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cpptclrxmzz.exe | 21
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xhlow.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | cpptclrxmzz.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | xhlow.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | cpptclrxmzz.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | xhlow.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | cpptclrxmzz.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | xhlow.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | cpptclrxmzz.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | xhlow.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | cpptclrxmzz.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | xhlow.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | cpptclrxmzz.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | xhlow.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cpptclrxmzz.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xhlow.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | cpptclrxmzz.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | xhlow.exe | 1
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cpptclrxmzz.exe | 17
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xhlow.exe | 2
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | xhlow.exe | 2
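The values in the table above are the UAC switches that decide whether an elevation prompt ever appears, plus the regedit block and the Explorer AutoRun mask. The script below is an added example written for this report, not part of the sandbox output or of the sample: it scores a snapshot of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and \Policies\Explorer against the states recorded here. EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop, EnableSecureUIAPaths, EnableVirtualization, DisableRegistryTools and NoDriveTypeAutoRun are all moved away from their defaults; FilterAdministratorToken and ValidateAdminCodeSignatures are written to 0, which is already the Windows default, so a configuration snapshot cannot distinguish those two writes from an untouched machine. The constructed SANDBOX_SNAPSHOT mirrors the table; the baseline values (including 0x91 for NoDriveTypeAutoRun and 5 for ConsentPromptBehaviorAdmin) and the winreg live-read helper are assumptions about a stock Windows 10/11 install, not something the report states.

```python
"""Assess UAC / shell policy values against the weakened states in the table above.

Added example for this report; not part of the sandbox output or of the sample.
A snapshot is a dict: registry key path (under HKLM) -> {value name -> DWORD or None}.
"""
import sys
from typing import Dict, List, Optional

SYSTEM_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
EXPLORER_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# value name -> (key, Windows default, value the sample wrote, effect of the written value)
# Defaults are those of a stock Windows 10/11 install (assumption, not stated by the report).
CHECKS = {
    "EnableLUA":                   (SYSTEM_KEY,   1,    0, "UAC off entirely after the next reboot"),
    "ConsentPromptBehaviorAdmin":  (SYSTEM_KEY,   5,    0, "administrators elevate with no prompt"),
    "ConsentPromptBehaviorUser":   (SYSTEM_KEY,   3,    0, "standard users' elevation requests denied silently"),
    "PromptOnSecureDesktop":       (SYSTEM_KEY,   1,    0, "elevation prompts drawn on the normal desktop"),
    "EnableSecureUIAPaths":        (SYSTEM_KEY,   1,    0, "UIAccess programs allowed from any path"),
    "EnableVirtualization":        (SYSTEM_KEY,   1,    0, "file/registry write virtualization disabled"),
    "FilterAdministratorToken":    (SYSTEM_KEY,   0,    0, "built-in Administrator keeps a full token (default)"),
    "ValidateAdminCodeSignatures": (SYSTEM_KEY,   0,    0, "no signature check on elevating binaries (default)"),
    "DisableRegistryTools":        (SYSTEM_KEY,   0,    1, "regedit.exe refuses to start"),
    "NoDriveTypeAutoRun":          (EXPLORER_KEY, 0x91, 1, "AutoRun disabled for unknown drive types only"),
}

Snapshot = Dict[str, Dict[str, Optional[int]]]


def assess_policy(snapshot: Snapshot) -> Dict[str, str]:
    """Verdict per value: 'weakened' (equals the sample's write and differs from the default),
    'baseline' (equals the default), 'nondefault' (some other explicit value) or 'absent'."""
    verdicts = {}
    for name, (key, default, written, _effect) in CHECKS.items():
        observed = snapshot.get(key, {}).get(name)
        if observed is None:
            verdicts[name] = "absent"        # Windows applies its built-in default
        elif observed == written and written != default:
            verdicts[name] = "weakened"
        elif observed == default:
            verdicts[name] = "baseline"
        else:
            verdicts[name] = "nondefault"
    return verdicts


def weakened(snapshot: Snapshot) -> List[str]:
    """Sorted names of values sitting in the state this sample leaves them in."""
    return sorted(n for n, v in assess_policy(snapshot).items() if v == "weakened")


def read_live_snapshot() -> Snapshot:
    """Windows only: read the 64-bit view of both keys with the standard-library winreg module."""
    if sys.platform != "win32":
        raise RuntimeError("live read needs Windows; pass a snapshot dict to assess_policy instead")
    import winreg
    snap: Snapshot = {SYSTEM_KEY: {}, EXPLORER_KEY: {}}
    for name, (key, *_rest) in CHECKS.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key, 0,
                                winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as h:
                data, kind = winreg.QueryValueEx(h, name)
            snap[key][name] = int(data) if kind == winreg.REG_DWORD else None
        except OSError:
            snap[key][name] = None           # key or value missing
    return snap


# Constructed from the "System policy modification" table above: the end state the
# sample leaves behind (cpptclrxmzz.exe and xhlow.exe write the same values).
SANDBOX_SNAPSHOT: Snapshot = {
    SYSTEM_KEY: {
        "EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0, "ConsentPromptBehaviorUser": 0,
        "PromptOnSecureDesktop": 0, "EnableSecureUIAPaths": 0, "EnableVirtualization": 0,
        "FilterAdministratorToken": 0, "ValidateAdminCodeSignatures": 0, "DisableRegistryTools": 1,
    },
    EXPLORER_KEY: {"NoDriveTypeAutoRun": 1},
}

# Constructed: a machine at defaults, with a few values present explicitly and the rest absent.
CLEAN_SNAPSHOT: Snapshot = {
    SYSTEM_KEY: {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1},
    EXPLORER_KEY: {},
}

if __name__ == "__main__":
    snap = read_live_snapshot() if sys.platform == "win32" else SANDBOX_SNAPSHOT
    for name, verdict in assess_policy(snap).items():
        print(f"{verdict:10s} {name} ({CHECKS[name][3]})")
```

Two caveats when reading the verdicts. EnableLUA only takes effect at the next reboot, so a host showing 'weakened' there still has UAC active until then. And the two default-valued writes (FilterAdministratorToken, ValidateAdminCodeSignatures) are visible only as registry write events, which is exactly what the sandbox table records; in production that means registry-modification telemetry (Sysmon Event ID 13 or equivalent) on these key paths, not a periodic snapshot. The NoDriveTypeAutoRun = 1 write leaves AutoRun enabled for every drive type except unknown ones, which is consistent with xhlow.exe also being flagged "Drops autorun.inf file" in the process list below.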
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe  (PID 3728)
   command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 3316)
      command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_bc2c2e6019e42289641123c2db3584dc.exe*"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - System policy modification
      3⤵ C:\Users\Admin\AppData\Local\Temp\xhlow.exe  (PID 5216)
         command line: "C:\Users\Admin\AppData\Local\Temp\xhlow.exe" "-C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe"
         - Modifies WinLogon for persistence
         - UAC bypass
         - Adds policy Run key to start application
         - Disables RegEdit via registry modification
         - Executes dropped EXE
         - Impair Defenses: Safe Mode Boot
         - Adds Run key to start application
         - Checks whether UAC is enabled
         - Hijack Execution Flow: Executable Installer File Permissions Weakness
         - Drops autorun.inf file
         - Drops file in System32 directory
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - System policy modification
      3⤵ C:\Users\Admin\AppData\Local\Temp\xhlow.exe  (PID 2312)
         command line: "C:\Users\Admin\AppData\Local\Temp\xhlow.exe" "-C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe"
         - Modifies WinLogon for persistence
         - UAC bypass
         - Adds policy Run key to start application
         - Disables RegEdit via registry modification
         - Executes dropped EXE
         - Adds Run key to start application
         - Checks whether UAC is enabled
         - Hijack Execution Flow: Executable Installer File Permissions Weakness
         - Drops file in System32 directory
         - Drops file in Windows directory
         - System policy modification

1⤵ C:\Windows\system32\cmd.exe  (PID 3812)
   command line: C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Windows\xxrkibvtodmjthatjzllf.exe  (PID 4228)
      command line: xxrkibvtodmjthatjzllf.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

1⤵ C:\Windows\system32\cmd.exe  (PID 776)
   command line: C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe .
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Windows\upeslzohxhldirft.exe  (PID 4848)
      command line: upeslzohxhldirft.exe .
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 4892)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\upeslzohxhldirft.exe*."
         - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 5500)
   command line: C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Windows\khyojzqldpvpwhxnan.exe  (PID 5116)
      command line: khyojzqldpvpwhxnan.exe
      - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 4964)
   command line: C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe .
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Windows\khyojzqldpvpwhxnan.exe  (PID 3964)
      command line: khyojzqldpvpwhxnan.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 3388)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\khyojzqldpvpwhxnan.exe*."
         - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 2016)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe  (PID 900)
      command line: C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

1⤵ C:\Windows\system32\cmd.exe  (PID 2472)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe  (PID 3672)
      command line: C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 436)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."
         - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 5052)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe  (PID 3300)
      command line: C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
      - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 5460)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe  (PID 4244)
      command line: C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 2044)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*."
         - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 3432)
   command line: C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Windows\bxncwlbvmxcvblapb.exe  (PID 3140)
      command line: bxncwlbvmxcvblapb.exe
      - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 5692)
   command line: C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Windows\bxncwlbvmxcvblapb.exe  (PID 5824)
      command line: bxncwlbvmxcvblapb.exe
      - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 3936)
   command line: C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe .
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Windows\bxncwlbvmxcvblapb.exe  (PID 2028)
      command line: bxncwlbvmxcvblapb.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 2992)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\bxncwlbvmxcvblapb.exe*."
         - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 3712)
   command line: C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe .
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Windows\ihasphaxrfnjsfxpeted.exe  (PID 3472)
      command line: ihasphaxrfnjsfxpeted.exe .
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 1480)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ihasphaxrfnjsfxpeted.exe*."
         - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 1600)
   command line: C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Windows\upeslzohxhldirft.exe  (PID 2736)
      command line: upeslzohxhldirft.exe
      - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 1476)
   command line: C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe
   2⤵ C:\Windows\bxncwlbvmxcvblapb.exe  (PID 3692)
      command line: bxncwlbvmxcvblapb.exe
      - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 460)
   command line: C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe .
   2⤵ C:\Windows\xxrkibvtodmjthatjzllf.exe  (PID 5820)
      command line: xxrkibvtodmjthatjzllf.exe .
      - Executes dropped EXE
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 5568)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\xxrkibvtodmjthatjzllf.exe*."
         - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 5848)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
   2⤵ C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe  (PID 5132)
      command line: C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
      - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 3796)
   command line: C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .
   2⤵ C:\Windows\vtlcyphdwjqltfwnbpz.exe  (PID 3260)
      command line: vtlcyphdwjqltfwnbpz.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 6008)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."
         - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 1384)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
   2⤵ C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe  (PID 5644)
      command line: C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 5456)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*."
         - Modifies WinLogon for persistence
         - UAC bypass
         - Adds policy Run key to start application
         - Executes dropped EXE
         - Adds Run key to start application
         - Checks whether UAC is enabled
         - Drops file in System32 directory
         - Drops file in Windows directory
         - System policy modification

1⤵ C:\Windows\system32\cmd.exe  (PID 1096)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
   2⤵ C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe  (PID 5656)
      command line: C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
      - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 1672)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
   2⤵ C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe  (PID 4792)
      command line: C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 2644)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*."
         - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 4740)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
   2⤵ C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe  (PID 3040)
      command line: C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
      - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 1416)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe
   2⤵ C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe  (PID 3252)
      command line: C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

1⤵ C:\Windows\system32\cmd.exe  (PID 1448)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .
   2⤵ C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe  (PID 3188)
      command line: C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 2732)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\khyojzqldpvpwhxnan.exe*."
         - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 5660)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe .
   2⤵ C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe  (PID 1776)
      command line: C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 5960)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ihasphaxrfnjsfxpeted.exe*."
         - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 3572)
   command line: C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe
   2⤵ C:\Windows\ihasphaxrfnjsfxpeted.exe  (PID 5188)
      command line: ihasphaxrfnjsfxpeted.exe
      - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 3556)
   command line: C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe .
   2⤵ C:\Windows\xxrkibvtodmjthatjzllf.exe  (PID 568)
      command line: xxrkibvtodmjthatjzllf.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 2692)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\xxrkibvtodmjthatjzllf.exe*."
         - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 5832)
   command line: C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe
   2⤵ C:\Windows\upeslzohxhldirft.exe  (PID 5296)
      command line: upeslzohxhldirft.exe
      - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 3108)
   command line: C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .
   2⤵ C:\Windows\vtlcyphdwjqltfwnbpz.exe  (PID 4804)
      command line: vtlcyphdwjqltfwnbpz.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 4448)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."
         - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 4880)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
   2⤵ C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe  (PID 5012)
      command line: C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
      - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 4988)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
   2⤵ C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe  (PID 440)
      command line: C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
      - Executes dropped EXE
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 3748)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."
         - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 4884)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe
   2⤵ C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe  (PID 5196)
      command line: C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe
      - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 3836)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .
   2⤵ C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe  (PID 5092)
      command line: C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 1712)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\xxrkibvtodmjthatjzllf.exe*."
         - Modifies WinLogon for persistence
         - UAC bypass
         - Adds policy Run key to start application
         - Executes dropped EXE
         - Adds Run key to start application
         - Checks whether UAC is enabled
         - Drops file in System32 directory
         - Drops file in Windows directory
         - System policy modification

1⤵ C:\Windows\system32\cmd.exe  (PID 4384)
   command line: C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe
   2⤵ C:\Windows\vtlcyphdwjqltfwnbpz.exe  (PID 4412)
      command line: vtlcyphdwjqltfwnbpz.exe
      - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 2468)
   command line: C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .
   2⤵ C:\Windows\vtlcyphdwjqltfwnbpz.exe  (PID 4244)
      command line: vtlcyphdwjqltfwnbpz.exe .
      - Executes dropped EXE
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 5620)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."
         - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 1856)
   command line: C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe
   2⤵ C:\Windows\ihasphaxrfnjsfxpeted.exe  (PID 5040)
      command line: ihasphaxrfnjsfxpeted.exe
      - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 2372)
   command line: C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe
   2⤵ C:\Windows\bxncwlbvmxcvblapb.exe  (PID 5124)
      command line: bxncwlbvmxcvblapb.exe
      - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 4920)
   command line: C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe
   2⤵ C:\Windows\upeslzohxhldirft.exe  (PID 708)
      command line: upeslzohxhldirft.exe
      - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 3592)
   command line: C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe .
   2⤵ C:\Windows\xxrkibvtodmjthatjzllf.exe  (PID 3140)
      command line: xxrkibvtodmjthatjzllf.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 1480)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\xxrkibvtodmjthatjzllf.exe*."
         - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 1968)
   command line: C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .
   2⤵ C:\Windows\vtlcyphdwjqltfwnbpz.exe  (PID 6136)
      command line: vtlcyphdwjqltfwnbpz.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 2164)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."
         - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 3136)
   command line: C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe .
   2⤵ C:\Windows\xxrkibvtodmjthatjzllf.exe  (PID 1684)
      command line: xxrkibvtodmjthatjzllf.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 5820)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\xxrkibvtodmjthatjzllf.exe*."

1⤵ C:\Windows\system32\cmd.exe  (PID 5312)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe
   2⤵ C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe  (PID 4444)
      command line: C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe
      - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 5344)
   command line: C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe
   2⤵ C:\Windows\vtlcyphdwjqltfwnbpz.exe  (PID 6092)
      command line: vtlcyphdwjqltfwnbpz.exe
      - Executes dropped EXE

1⤵ C:\Windows\system32\cmd.exe  (PID 908)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .
   2⤵ C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe  (PID 1520)
      command line: C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 6064)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\bxncwlbvmxcvblapb.exe*."

1⤵ C:\Windows\system32\cmd.exe  (PID 688)
   command line: C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe .
   2⤵ C:\Windows\upeslzohxhldirft.exe  (PID 4568)
      command line: upeslzohxhldirft.exe .
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 1652)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\upeslzohxhldirft.exe*."
         - Modifies WinLogon for persistence
         - UAC bypass
         - Adds policy Run key to start application
         - Adds Run key to start application
         - Checks whether UAC is enabled
         - Drops file in System32 directory
         - Drops file in Windows directory
         - System policy modification

1⤵ C:\Windows\system32\cmd.exe  (PID 5640)
   command line: C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe
   2⤵ C:\Windows\upeslzohxhldirft.exe  (PID 5656)
      command line: upeslzohxhldirft.exe

1⤵ C:\Windows\system32\cmd.exe  (PID 4724)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe
   2⤵ C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe  (PID 4532)
      command line: C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe

1⤵ C:\Windows\system32\cmd.exe  (PID 1004)
   command line: C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe .
   2⤵ C:\Windows\xxrkibvtodmjthatjzllf.exe  (PID 1540)
      command line: xxrkibvtodmjthatjzllf.exe .
      - System Location Discovery: System Language Discovery
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 4032)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\xxrkibvtodmjthatjzllf.exe*."

1⤵ C:\Windows\system32\cmd.exe  (PID 5224)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .
   2⤵ C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe  (PID 5632)
      command line: C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 4944)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\khyojzqldpvpwhxnan.exe*."

1⤵ C:\Windows\system32\cmd.exe  (PID 1744)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
   2⤵ C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe  (PID 4276)
      command line: C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe

1⤵ C:\Windows\system32\cmd.exe  (PID 2952)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
   2⤵ C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe  (PID 5988)
      command line: C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe

1⤵ C:\Windows\system32\cmd.exe  (PID 3860)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .
   2⤵ C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe  (PID 1196)
      command line: C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 5240)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\xxrkibvtodmjthatjzllf.exe*."

1⤵ C:\Windows\system32\cmd.exe  (PID 3148)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .
   2⤵ C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe  (PID 556)
      command line: C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .
      - System Location Discovery: System Language Discovery
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 5560)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\xxrkibvtodmjthatjzllf.exe*."

1⤵ C:\Windows\system32\cmd.exe  (PID 4540)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe
   2⤵ C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe  (PID 5580)
      command line: C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe

1⤵ C:\Windows\system32\cmd.exe  (PID 4644)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
   2⤵ C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe  (PID 1552)
      command line: C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe

1⤵ C:\Windows\system32\cmd.exe  (PID 5244)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
   2⤵ C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe  (PID 5404)
      command line: C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 1316)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."

1⤵ C:\Windows\system32\cmd.exe  (PID 5612)
   command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
   2⤵ C:\Windows\System32\Conhost.exe  (PID 2644)
      command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
   2⤵ C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe  (PID 6100)
      command line: C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
      - System Location Discovery: System Language Discovery
      3⤵ C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe  (PID 5136)
         command line: "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."

C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe1⤵PID:5232
-
C:\Windows\bxncwlbvmxcvblapb.exebxncwlbvmxcvblapb.exe2⤵PID:5796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe .1⤵PID:4624
-
C:\Windows\khyojzqldpvpwhxnan.exekhyojzqldpvpwhxnan.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5752 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\khyojzqldpvpwhxnan.exe*."3⤵PID:5268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe1⤵PID:3392
-
C:\Windows\vtlcyphdwjqltfwnbpz.exevtlcyphdwjqltfwnbpz.exe2⤵PID:1288
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .1⤵PID:4224
-
C:\Windows\vtlcyphdwjqltfwnbpz.exevtlcyphdwjqltfwnbpz.exe .2⤵PID:4880
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."3⤵PID:4216
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe1⤵PID:4852
-
C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exeC:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe2⤵PID:1344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe .1⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exeC:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe .2⤵PID:3436
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ihasphaxrfnjsfxpeted.exe*."3⤵PID:4972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe1⤵PID:5180
-
C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exeC:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe2⤵PID:5016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .1⤵PID:4360
-
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exeC:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2508 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\khyojzqldpvpwhxnan.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4212
-
-
-
- C:\Windows\system32\cmd.exe (PID 3376): C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe
  - C:\Windows\bxncwlbvmxcvblapb.exe (PID 5104): bxncwlbvmxcvblapb.exe

- C:\Windows\system32\cmd.exe (PID 4384): C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe .
  - C:\Windows\khyojzqldpvpwhxnan.exe (PID 5708): khyojzqldpvpwhxnan.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 3496): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\khyojzqldpvpwhxnan.exe*."

- C:\Windows\system32\cmd.exe (PID 5620): C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe
  - C:\Windows\bxncwlbvmxcvblapb.exe (PID 484): bxncwlbvmxcvblapb.exe

- C:\Windows\system32\cmd.exe (PID 2008): C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .
  - C:\Windows\vtlcyphdwjqltfwnbpz.exe (PID 3624): vtlcyphdwjqltfwnbpz.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 2204): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."

- C:\Windows\system32\cmd.exe (PID 2772): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe
  - C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe (PID 976): C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe

- C:\Windows\system32\cmd.exe (PID 2768): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
  - C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe (PID 6136): C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 408): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*."

- C:\Windows\system32\cmd.exe (PID 2164): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe
  - C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe (PID 2660): C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe

- C:\Windows\system32\cmd.exe (PID 3580): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe .
  - C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe (PID 560): C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 5492): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ihasphaxrfnjsfxpeted.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

- C:\Windows\system32\cmd.exe (PID 1764): C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe
  - C:\Windows\ihasphaxrfnjsfxpeted.exe (PID 3992): ihasphaxrfnjsfxpeted.exe

- C:\Windows\system32\cmd.exe (PID 5688): C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe .
  - C:\Windows\System32\Conhost.exe (PID 5656): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - C:\Windows\xxrkibvtodmjthatjzllf.exe (PID 5692): xxrkibvtodmjthatjzllf.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 5568): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\xxrkibvtodmjthatjzllf.exe*."

- C:\Windows\system32\cmd.exe (PID 1940): C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe
  - C:\Windows\ihasphaxrfnjsfxpeted.exe (PID 4532): ihasphaxrfnjsfxpeted.exe

- C:\Windows\system32\cmd.exe (PID 928): C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe .
  - C:\Windows\xxrkibvtodmjthatjzllf.exe (PID 424): xxrkibvtodmjthatjzllf.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 1596): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\xxrkibvtodmjthatjzllf.exe*."

- C:\Windows\system32\cmd.exe (PID 4512): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe
  - C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe (PID 5916): C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe

- C:\Windows\system32\cmd.exe (PID 5484): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe .
  - C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe (PID 2532): C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 5572): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ihasphaxrfnjsfxpeted.exe*."

- C:\Windows\system32\cmd.exe (PID 1976): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
  - C:\Windows\System32\Conhost.exe (PID 1540): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe (PID 5328): C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe

- C:\Windows\system32\cmd.exe (PID 2956): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
  - C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe (PID 4700): C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 5580): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

- C:\Windows\system32\cmd.exe (PID 5332): C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe
  - C:\Windows\bxncwlbvmxcvblapb.exe (PID 3880): bxncwlbvmxcvblapb.exe

- C:\Windows\system32\cmd.exe (PID 5716): C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe .
  - C:\Windows\upeslzohxhldirft.exe (PID 3568): upeslzohxhldirft.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 5560): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\upeslzohxhldirft.exe*."

- C:\Windows\system32\cmd.exe (PID 2796): C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe
  - C:\Windows\ihasphaxrfnjsfxpeted.exe (PID 4428): ihasphaxrfnjsfxpeted.exe

- C:\Windows\system32\cmd.exe (PID 1196): C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe .
  - C:\Windows\khyojzqldpvpwhxnan.exe (PID 2816): khyojzqldpvpwhxnan.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 1228): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\khyojzqldpvpwhxnan.exe*."

- C:\Windows\system32\cmd.exe (PID 3528): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe
  - C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe (PID 5140): C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe

- C:\Windows\system32\cmd.exe (PID 5860): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .
  - C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe (PID 3484): C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 872): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\khyojzqldpvpwhxnan.exe*."

- C:\Windows\system32\cmd.exe (PID 5744): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
  - C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe (PID 3732): C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe

- C:\Windows\system32\cmd.exe (PID 5232): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe .
  - C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe (PID 4608): C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 5152): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ihasphaxrfnjsfxpeted.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

- C:\Windows\system32\cmd.exe (PID 5832): C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe
  - C:\Windows\upeslzohxhldirft.exe (PID 4804): upeslzohxhldirft.exe

- C:\Windows\system32\cmd.exe (PID 4188): C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe .
  - C:\Windows\ihasphaxrfnjsfxpeted.exe (PID 4780): ihasphaxrfnjsfxpeted.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 1088): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ihasphaxrfnjsfxpeted.exe*."

- C:\Windows\system32\cmd.exe (PID 5000): C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe
  - C:\Windows\ihasphaxrfnjsfxpeted.exe (PID 4988): ihasphaxrfnjsfxpeted.exe

- C:\Windows\system32\cmd.exe (PID 3748): C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .
  - C:\Windows\vtlcyphdwjqltfwnbpz.exe (PID 5004): vtlcyphdwjqltfwnbpz.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 5084): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."

- C:\Windows\system32\cmd.exe (PID 4620): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe
  - C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe (PID 4536): C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe

- C:\Windows\system32\cmd.exe (PID 2436): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .
  - C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe (PID 5456): C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 3836): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\khyojzqldpvpwhxnan.exe*."

- C:\Windows\system32\cmd.exe (PID 680): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
  - C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe (PID 5924): C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe

- C:\Windows\system32\cmd.exe (PID 2380): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .
  - C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe (PID 5212): C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 2120): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\bxncwlbvmxcvblapb.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - System policy modification

- C:\Windows\system32\cmd.exe (PID 5392): C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe
  - C:\Windows\upeslzohxhldirft.exe (PID 6040): upeslzohxhldirft.exe

- C:\Windows\system32\cmd.exe (PID 2984): C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .
  - C:\Windows\vtlcyphdwjqltfwnbpz.exe (PID 764): vtlcyphdwjqltfwnbpz.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 5704): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."

- C:\Windows\system32\cmd.exe (PID 2008): C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe
  - C:\Windows\bxncwlbvmxcvblapb.exe (PID 5896): bxncwlbvmxcvblapb.exe

- C:\Windows\system32\cmd.exe (PID 2940): C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .
  - C:\Windows\System32\Conhost.exe (PID 6136): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - C:\Windows\vtlcyphdwjqltfwnbpz.exe (PID 1824): vtlcyphdwjqltfwnbpz.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 2888): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."

- C:\Windows\system32\cmd.exe (PID 2980): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe
  - C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe (PID 2016): C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe

- C:\Windows\system32\cmd.exe (PID 4108): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .
  - C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe (PID 5208): C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 2064): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\bxncwlbvmxcvblapb.exe*."

- C:\Windows\system32\cmd.exe (PID 5760): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe
  - C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe (PID 2308): C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe

- C:\Windows\system32\cmd.exe (PID 2076): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
  - C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe (PID 3332): C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 1756): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System policy modification

- C:\Windows\system32\cmd.exe (PID 4532): C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe
  - C:\Windows\khyojzqldpvpwhxnan.exe (PID 5688): khyojzqldpvpwhxnan.exe

- C:\Windows\system32\cmd.exe (PID 1468): C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe .
  - C:\Windows\xxrkibvtodmjthatjzllf.exe (PID 424): xxrkibvtodmjthatjzllf.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 6064): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\xxrkibvtodmjthatjzllf.exe*."

- C:\Windows\system32\cmd.exe (PID 3348): C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe
  - C:\Windows\ihasphaxrfnjsfxpeted.exe (PID 1340): ihasphaxrfnjsfxpeted.exe

- C:\Windows\system32\cmd.exe (PID 4200): C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe
  - C:\Windows\ihasphaxrfnjsfxpeted.exe (PID 1160): ihasphaxrfnjsfxpeted.exe

- C:\Windows\system32\cmd.exe (PID 2188): C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe
  - C:\Windows\ihasphaxrfnjsfxpeted.exe (PID 4032): ihasphaxrfnjsfxpeted.exe

- C:\Windows\system32\cmd.exe (PID 5632): C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe .
  - C:\Windows\xxrkibvtodmjthatjzllf.exe (PID 5904): xxrkibvtodmjthatjzllf.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 3260): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\xxrkibvtodmjthatjzllf.exe*."

- C:\Windows\system32\cmd.exe (PID 3516): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe
  - C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe (PID 6048): C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe

- C:\Windows\system32\cmd.exe (PID 2364): C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe .
  - C:\Windows\khyojzqldpvpwhxnan.exe (PID 5324): khyojzqldpvpwhxnan.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 5536): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\khyojzqldpvpwhxnan.exe*."

- C:\Windows\system32\cmd.exe (PID 4652): C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe .
  - C:\Windows\khyojzqldpvpwhxnan.exe (PID 1004): khyojzqldpvpwhxnan.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 4692): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\khyojzqldpvpwhxnan.exe*."

- C:\Windows\system32\cmd.exe (PID 1796): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
  - C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe (PID 1416): C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 5556): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*."

- C:\Windows\system32\cmd.exe (PID 3116): C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe
  - C:\Windows\System32\Conhost.exe (PID 4428): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - C:\Windows\khyojzqldpvpwhxnan.exe (PID 1448): khyojzqldpvpwhxnan.exe

- C:\Windows\system32\cmd.exe (PID 2264): C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe
  - C:\Windows\khyojzqldpvpwhxnan.exe (PID 5976): khyojzqldpvpwhxnan.exe

- C:\Windows\system32\cmd.exe (PID 5240): C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .
  - C:\Windows\vtlcyphdwjqltfwnbpz.exe (PID 6116): vtlcyphdwjqltfwnbpz.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 5500): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System policy modification

- C:\Windows\system32\cmd.exe (PID 5796): C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .
  - C:\Windows\vtlcyphdwjqltfwnbpz.exe (PID 1716): vtlcyphdwjqltfwnbpz.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 6076): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."

- C:\Windows\system32\cmd.exe (PID 2816): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe
  - C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe (PID 1344): C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe

- C:\Windows\system32\cmd.exe (PID 5816): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
  - C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe (PID 4832): C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe

- C:\Windows\system32\cmd.exe (PID 3860): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
  - C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe (PID 4848): C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe

- C:\Windows\system32\cmd.exe (PID 4088): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .
  - C:\Windows\System32\Conhost.exe (PID 3732): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe (PID 5116): C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 2508): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\bxncwlbvmxcvblapb.exe*."

- C:\Windows\system32\cmd.exe (PID 1196): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe .
  - C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe (PID 776): C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 2436): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ihasphaxrfnjsfxpeted.exe*."

- C:\Windows\system32\cmd.exe (PID 2136): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
  - C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe (PID 1288): C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 900): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*."

- C:\Windows\system32\cmd.exe (PID 3436): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe
  - C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe (PID 404): C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe

- C:\Windows\system32\cmd.exe (PID 4224): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
  - C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe (PID 2456): C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe

- C:\Windows\system32\cmd.exe (PID 440): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .
  - C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe (PID 436): C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 864): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\xxrkibvtodmjthatjzllf.exe*."

- C:\Windows\system32\cmd.exe (PID 3748): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
  - C:\Windows\System32\Conhost.exe (PID 4972): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe (PID 612): C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 5672): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*."

- C:\Windows\system32\cmd.exe (PID 4624): C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe
  - C:\Windows\vtlcyphdwjqltfwnbpz.exe (PID 5256): vtlcyphdwjqltfwnbpz.exe

- C:\Windows\system32\cmd.exe (PID 2268): C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe .
  - C:\Windows\bxncwlbvmxcvblapb.exe (PID 5620): bxncwlbvmxcvblapb.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 2828): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\bxncwlbvmxcvblapb.exe*."

- C:\Windows\system32\cmd.exe (PID 1608): C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe
  - C:\Windows\xxrkibvtodmjthatjzllf.exe (PID 2772): xxrkibvtodmjthatjzllf.exe

- C:\Windows\system32\cmd.exe (PID 8): C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .
  - C:\Windows\vtlcyphdwjqltfwnbpz.exe (PID 3432): vtlcyphdwjqltfwnbpz.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 2636): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."

- C:\Windows\system32\cmd.exe (PID 2008): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
  - C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe (PID 1824): C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe

- C:\Windows\system32\cmd.exe (PID 3184): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
  - C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe (PID 5952): C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 2648): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."

- C:\Windows\system32\cmd.exe (PID 3472): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
  - C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe (PID 560): C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe

- C:\Windows\system32\cmd.exe (PID 1684): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
  - C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe (PID 2308): C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 4344): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

- C:\Windows\system32\cmd.exe (PID 1764): C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe
  - C:\Windows\bxncwlbvmxcvblapb.exe (PID 5568): bxncwlbvmxcvblapb.exe

- C:\Windows\system32\cmd.exe (PID 2168): C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .
  - C:\Windows\vtlcyphdwjqltfwnbpz.exe (PID 5424): vtlcyphdwjqltfwnbpz.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 5616): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."

- C:\Windows\system32\cmd.exe (PID 5436): C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe
  - C:\Windows\vtlcyphdwjqltfwnbpz.exe (PID 3040): vtlcyphdwjqltfwnbpz.exe

- C:\Windows\system32\cmd.exe (PID 5856): C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe .
  - C:\Windows\khyojzqldpvpwhxnan.exe (PID 1340): khyojzqldpvpwhxnan.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 5484): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\khyojzqldpvpwhxnan.exe*."

- C:\Windows\system32\cmd.exe (PID 2720): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe
  - C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe (PID 1692): C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe

- C:\Windows\system32\cmd.exe (PID 5464): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .
  - C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe (PID 1688): C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 5904): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\khyojzqldpvpwhxnan.exe*."

- C:\Windows\system32\cmd.exe (PID 5636): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe
  - C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe (PID 4180): C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe

- C:\Windows\system32\cmd.exe (PID 3516): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
  - C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe (PID 1580): C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 2876): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - System policy modification

- C:\Windows\system32\cmd.exe (PID 3892): C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe
  - C:\Windows\vtlcyphdwjqltfwnbpz.exe (PID 1416): vtlcyphdwjqltfwnbpz.exe

- C:\Windows\system32\cmd.exe (PID 3016): C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe .
  - C:\Windows\System32\Conhost.exe (PID 5536): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - C:\Windows\khyojzqldpvpwhxnan.exe (PID 5544): khyojzqldpvpwhxnan.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 2364): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\khyojzqldpvpwhxnan.exe*."

- C:\Windows\system32\cmd.exe (PID 4740): C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe
  - C:\Windows\upeslzohxhldirft.exe (PID 3092): upeslzohxhldirft.exe

- C:\Windows\system32\cmd.exe (PID 3052): C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe .
  - C:\Windows\bxncwlbvmxcvblapb.exe (PID 5936): bxncwlbvmxcvblapb.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 4864): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\bxncwlbvmxcvblapb.exe*."

- C:\Windows\system32\cmd.exe (PID 3188): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe
  - C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe (PID 4832): C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe

- C:\Windows\system32\cmd.exe (PID 4776): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .
  - C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe (PID 3512): C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 3364): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\bxncwlbvmxcvblapb.exe*."

- C:\Windows\system32\cmd.exe (PID 1288): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe
  - C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe (PID 4844): C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe

- C:\Windows\system32\cmd.exe (PID 6024): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
  - C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe (PID 2692): C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 4036): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

- C:\Windows\system32\cmd.exe (PID 4152): C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe
  - C:\Windows\vtlcyphdwjqltfwnbpz.exe (PID 2548): vtlcyphdwjqltfwnbpz.exe

- C:\Windows\system32\cmd.exe (PID 1948): C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe .
  - C:\Windows\ihasphaxrfnjsfxpeted.exe (PID 2352): ihasphaxrfnjsfxpeted.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 2640): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ihasphaxrfnjsfxpeted.exe*."

- C:\Windows\system32\cmd.exe (PID 4888): C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe
  - C:\Windows\bxncwlbvmxcvblapb.exe (PID 5236): bxncwlbvmxcvblapb.exe

- C:\Windows\system32\cmd.exe (PID 2208): C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe .
  - C:\Windows\bxncwlbvmxcvblapb.exe (PID 612): bxncwlbvmxcvblapb.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 5708): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\bxncwlbvmxcvblapb.exe*."

- C:\Windows\system32\cmd.exe (PID 2328): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe
  - C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe (PID 5564): C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe

- C:\Windows\system32\cmd.exe (PID 3748): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .
  - C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe (PID 1856): C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 2324): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\xxrkibvtodmjthatjzllf.exe*."

- C:\Windows\system32\cmd.exe (PID 6104): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe
  - C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe (PID 4524): C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe

- C:\Windows\system32\cmd.exe (PID 2772): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .
  - C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe (PID 1008): C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .
    - C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe (PID 1028): "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\bxncwlbvmxcvblapb.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - System policy modification

C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe1⤵PID:4444
-
C:\Windows\upeslzohxhldirft.exeupeslzohxhldirft.exe2⤵PID:5956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe .1⤵PID:2180
-
C:\Windows\upeslzohxhldirft.exeupeslzohxhldirft.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\upeslzohxhldirft.exe*."3⤵PID:3472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe1⤵PID:4336
-
C:\Windows\bxncwlbvmxcvblapb.exebxncwlbvmxcvblapb.exe2⤵PID:5008
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe .1⤵PID:2040
-
C:\Windows\ihasphaxrfnjsfxpeted.exeihasphaxrfnjsfxpeted.exe .2⤵PID:2064
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ihasphaxrfnjsfxpeted.exe*."3⤵PID:1760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe1⤵PID:2628
-
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exeC:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe2⤵PID:5344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .1⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exeC:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .2⤵PID:3316
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*."3⤵PID:3136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe1⤵PID:5828
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4532
-
-
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exeC:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe2⤵PID:3352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .1⤵PID:5496
-
C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exeC:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .2⤵PID:4184
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\bxncwlbvmxcvblapb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe1⤵PID:1468
-
C:\Windows\upeslzohxhldirft.exeupeslzohxhldirft.exe2⤵PID:4056
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .1⤵PID:3708
-
C:\Windows\vtlcyphdwjqltfwnbpz.exevtlcyphdwjqltfwnbpz.exe .2⤵PID:5492
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."3⤵PID:1896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe1⤵PID:5636
-
C:\Windows\vtlcyphdwjqltfwnbpz.exevtlcyphdwjqltfwnbpz.exe2⤵PID:6100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe .1⤵PID:3568
-
C:\Windows\khyojzqldpvpwhxnan.exekhyojzqldpvpwhxnan.exe .2⤵PID:3516
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\khyojzqldpvpwhxnan.exe*."3⤵PID:4172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe1⤵PID:4792
-
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exeC:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe2⤵PID:5468
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .1⤵PID:5716
-
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exeC:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .2⤵PID:3312
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\khyojzqldpvpwhxnan.exe*."3⤵PID:3484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe1⤵PID:2364
-
C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exeC:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe2⤵PID:2884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .1⤵PID:3092
-
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exeC:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .2⤵PID:5940
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
PID:3348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe1⤵PID:2020
-
C:\Windows\xxrkibvtodmjthatjzllf.exexxrkibvtodmjthatjzllf.exe2⤵PID:3512
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .1⤵PID:5112
-
C:\Windows\vtlcyphdwjqltfwnbpz.exevtlcyphdwjqltfwnbpz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4896 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."3⤵PID:5932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe1⤵PID:6112
-
C:\Windows\vtlcyphdwjqltfwnbpz.exevtlcyphdwjqltfwnbpz.exe2⤵PID:5816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe .1⤵PID:5764
-
C:\Windows\upeslzohxhldirft.exeupeslzohxhldirft.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\upeslzohxhldirft.exe*."3⤵PID:1000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe1⤵PID:3528
-
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exeC:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe2⤵PID:1392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe1⤵PID:4360
-
C:\Windows\khyojzqldpvpwhxnan.exekhyojzqldpvpwhxnan.exe2⤵PID:3120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe1⤵PID:4188
-
C:\Windows\xxrkibvtodmjthatjzllf.exexxrkibvtodmjthatjzllf.exe2⤵PID:1948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .1⤵PID:1640
-
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exeC:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .2⤵PID:4396
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."3⤵PID:3496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe .1⤵PID:4296
-
C:\Windows\ihasphaxrfnjsfxpeted.exeihasphaxrfnjsfxpeted.exe .2⤵PID:4904
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ihasphaxrfnjsfxpeted.exe*."3⤵PID:976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .1⤵PID:6124
-
C:\Windows\vtlcyphdwjqltfwnbpz.exevtlcyphdwjqltfwnbpz.exe .2⤵PID:1836
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe1⤵PID:4592
-
C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exeC:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe2⤵PID:1700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe1⤵PID:3752
-
C:\Windows\upeslzohxhldirft.exeupeslzohxhldirft.exe2⤵PID:3264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe1⤵PID:5040
-
C:\Windows\bxncwlbvmxcvblapb.exebxncwlbvmxcvblapb.exe2⤵PID:1112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .1⤵PID:2324
-
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exeC:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .2⤵PID:2372
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*."3⤵PID:1608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe .1⤵PID:1472
-
C:\Windows\bxncwlbvmxcvblapb.exebxncwlbvmxcvblapb.exe .2⤵PID:1636
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\bxncwlbvmxcvblapb.exe*."3⤵PID:5328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe .1⤵PID:2004
-
C:\Windows\xxrkibvtodmjthatjzllf.exexxrkibvtodmjthatjzllf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2064 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\xxrkibvtodmjthatjzllf.exe*."3⤵PID:5176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe1⤵PID:3140
-
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exeC:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe2⤵PID:2076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe1⤵PID:2888
-
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exeC:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe2⤵PID:4580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .1⤵PID:2980
-
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exeC:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .2⤵PID:2308
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."3⤵PID:5484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .1⤵PID:3592
-
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exeC:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .2⤵PID:2132
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*."3⤵PID:5496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe1⤵PID:5472
-
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exeC:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe2⤵PID:1984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe1⤵PID:4552
-
C:\Windows\xxrkibvtodmjthatjzllf.exexxrkibvtodmjthatjzllf.exe2⤵PID:1096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe1⤵PID:5624
-
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exeC:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe2⤵PID:5700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .1⤵PID:2060
-
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exeC:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .2⤵PID:1688
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\khyojzqldpvpwhxnan.exe*."3⤵PID:1552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .1⤵PID:2720
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4184
-
-
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exeC:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .2⤵PID:2676
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\khyojzqldpvpwhxnan.exe*."3⤵PID:5636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .1⤵PID:3744
-
C:\Windows\vtlcyphdwjqltfwnbpz.exevtlcyphdwjqltfwnbpz.exe .2⤵PID:5632
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."3⤵PID:5304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe1⤵PID:3708
-
C:\Windows\bxncwlbvmxcvblapb.exebxncwlbvmxcvblapb.exe2⤵PID:2620
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe .1⤵PID:1648
-
C:\Windows\khyojzqldpvpwhxnan.exekhyojzqldpvpwhxnan.exe .2⤵PID:1448
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\khyojzqldpvpwhxnan.exe*."3⤵PID:400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe1⤵PID:1580
-
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exeC:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe2⤵PID:860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .1⤵PID:3016
-
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exeC:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."3⤵PID:5692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe1⤵PID:1412
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1344
-
-
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exeC:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe2⤵PID:2264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe .1⤵PID:5652
-
C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exeC:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe .2⤵PID:3848
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ihasphaxrfnjsfxpeted.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe1⤵PID:1776
-
C:\Windows\ihasphaxrfnjsfxpeted.exeihasphaxrfnjsfxpeted.exe2⤵PID:4908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe .1⤵PID:4776
-
C:\Windows\bxncwlbvmxcvblapb.exebxncwlbvmxcvblapb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5400 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\bxncwlbvmxcvblapb.exe*."3⤵PID:3460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe1⤵PID:6096
-
C:\Windows\vtlcyphdwjqltfwnbpz.exevtlcyphdwjqltfwnbpz.exe2⤵PID:5016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .1⤵PID:2508
-
C:\Windows\vtlcyphdwjqltfwnbpz.exevtlcyphdwjqltfwnbpz.exe .2⤵PID:5140
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."3⤵PID:4364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe1⤵PID:5240
-
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exeC:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe2⤵PID:2732
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .1⤵PID:4224
-
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exeC:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5092 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."3⤵PID:5160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe1⤵PID:2576
-
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exeC:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe2⤵PID:2436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .1⤵PID:436
-
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exeC:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .2⤵PID:960
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe1⤵PID:5928
-
C:\Windows\ihasphaxrfnjsfxpeted.exeihasphaxrfnjsfxpeted.exe2⤵PID:2768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe .1⤵PID:3880
-
C:\Windows\bxncwlbvmxcvblapb.exebxncwlbvmxcvblapb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\bxncwlbvmxcvblapb.exe*."3⤵PID:4412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe1⤵PID:6068
-
C:\Windows\bxncwlbvmxcvblapb.exebxncwlbvmxcvblapb.exe2⤵PID:2208
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe .1⤵PID:4444
-
C:\Windows\khyojzqldpvpwhxnan.exekhyojzqldpvpwhxnan.exe .2⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\khyojzqldpvpwhxnan.exe*."3⤵PID:1608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe1⤵PID:3264
-
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exeC:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe2⤵PID:5040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .1⤵PID:2460
-
C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exeC:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .2⤵PID:5656
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\bxncwlbvmxcvblapb.exe*."3⤵PID:4244
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe1⤵PID:2324
-
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exeC:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe2⤵PID:5952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .1⤵PID:1264
-
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exeC:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .2⤵PID:2036
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\khyojzqldpvpwhxnan.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe1⤵PID:1636
-
C:\Windows\ihasphaxrfnjsfxpeted.exeihasphaxrfnjsfxpeted.exe2⤵PID:5972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe .1⤵PID:3184
-
C:\Windows\khyojzqldpvpwhxnan.exekhyojzqldpvpwhxnan.exe .2⤵PID:408
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\khyojzqldpvpwhxnan.exe*."3⤵PID:5436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe1⤵PID:4724
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2532
-
-
C:\Windows\bxncwlbvmxcvblapb.exebxncwlbvmxcvblapb.exe2⤵PID:5464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe .1⤵PID:4700
-
C:\Windows\xxrkibvtodmjthatjzllf.exexxrkibvtodmjthatjzllf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\xxrkibvtodmjthatjzllf.exe*."3⤵PID:4540
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe1⤵PID:4248
-
C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exeC:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe2⤵PID:5912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe .1⤵PID:4684
-
C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exeC:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe .2⤵PID:3712
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ihasphaxrfnjsfxpeted.exe*."3⤵PID:4172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe1⤵PID:5644
-
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exeC:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe2⤵PID:4180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .1⤵PID:3984
-
C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exeC:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4860 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\bxncwlbvmxcvblapb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe1⤵PID:1004
-
C:\Windows\upeslzohxhldirft.exeupeslzohxhldirft.exe2⤵PID:1500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe .1⤵PID:2892
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5976
-
-
C:\Windows\upeslzohxhldirft.exeupeslzohxhldirft.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1580 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\upeslzohxhldirft.exe*."3⤵PID:3600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe1⤵PID:5556
-
C:\Windows\vtlcyphdwjqltfwnbpz.exevtlcyphdwjqltfwnbpz.exe2⤵PID:1900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe .1⤵PID:2680
-
C:\Windows\khyojzqldpvpwhxnan.exekhyojzqldpvpwhxnan.exe .2⤵PID:3568
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\khyojzqldpvpwhxnan.exe*."3⤵PID:1848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe1⤵PID:2796
-
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exeC:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe2⤵PID:5940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .1⤵PID:2068
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3512
-
-
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exeC:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."3⤵PID:2624
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe1⤵PID:1776
-
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exeC:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe2⤵PID:2876
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .1⤵PID:3460
-
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exeC:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3864 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\khyojzqldpvpwhxnan.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe1⤵PID:5000
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2352
-
-
C:\Windows\bxncwlbvmxcvblapb.exebxncwlbvmxcvblapb.exe2⤵PID:740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe .1⤵PID:2136
-
C:\Windows\khyojzqldpvpwhxnan.exekhyojzqldpvpwhxnan.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3380 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\khyojzqldpvpwhxnan.exe*."3⤵PID:1328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe1⤵PID:5100
-
C:\Windows\ihasphaxrfnjsfxpeted.exeihasphaxrfnjsfxpeted.exe2⤵PID:5948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe .1⤵PID:3596
-
C:\Windows\ihasphaxrfnjsfxpeted.exeihasphaxrfnjsfxpeted.exe .2⤵PID:5004
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ihasphaxrfnjsfxpeted.exe*."3⤵PID:5268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe1⤵PID:1640
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3496
-
-
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exeC:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe2⤵PID:4396
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .1⤵PID:1852
-
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exeC:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4904 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\xxrkibvtodmjthatjzllf.exe*."3⤵PID:3624
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe1⤵PID:5180
-
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exeC:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe2⤵PID:864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .1⤵PID:2464
-
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exeC:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .2⤵PID:2748
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5956
-
-
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe | PID 3580
  C:\Windows\upeslzohxhldirft.exe | upeslzohxhldirft.exe | PID 4544

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe . | PID 3332
  C:\Windows\vtlcyphdwjqltfwnbpz.exe | vtlcyphdwjqltfwnbpz.exe . | PID 1856
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*." | PID 2460

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe | PID 4244
  C:\Windows\bxncwlbvmxcvblapb.exe | bxncwlbvmxcvblapb.exe | PID 540

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe . | PID 3140
  C:\Windows\xxrkibvtodmjthatjzllf.exe | xxrkibvtodmjthatjzllf.exe . | PID 4532
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\xxrkibvtodmjthatjzllf.exe*." | PID 1084
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | PID 1596
  C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | PID 1760

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe . | PID 4856
  C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe | C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe . | PID 1976
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\bxncwlbvmxcvblapb.exe*." | PID 5008

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe | PID 2016
  C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe | C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe | PID 1800

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe . | PID 1636
  C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe | C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe . | PID 2040
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*." | PID 1476
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe | PID 4212
  C:\Windows\vtlcyphdwjqltfwnbpz.exe | vtlcyphdwjqltfwnbpz.exe | PID 6108

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe | PID 2536
  C:\Windows\khyojzqldpvpwhxnan.exe | khyojzqldpvpwhxnan.exe | PID 744

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe . | PID 2060
  C:\Windows\bxncwlbvmxcvblapb.exe | bxncwlbvmxcvblapb.exe . | PID 3700
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\bxncwlbvmxcvblapb.exe*." | PID 3696

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe . | PID 1896
  C:\Windows\ihasphaxrfnjsfxpeted.exe | ihasphaxrfnjsfxpeted.exe . | PID 4700
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ihasphaxrfnjsfxpeted.exe*." | PID 5828

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe | PID 5628
  C:\Windows\xxrkibvtodmjthatjzllf.exe | xxrkibvtodmjthatjzllf.exe | PID 5132

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe | PID 6012
  C:\Windows\xxrkibvtodmjthatjzllf.exe | xxrkibvtodmjthatjzllf.exe | PID 5404

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe . | PID 1928
  C:\Windows\vtlcyphdwjqltfwnbpz.exe | vtlcyphdwjqltfwnbpz.exe . | PID 3600
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*." | PID 2020

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe . | PID 5612
  C:\Windows\xxrkibvtodmjthatjzllf.exe | xxrkibvtodmjthatjzllf.exe . | PID 1116
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\xxrkibvtodmjthatjzllf.exe*." | PID 4908
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe | PID 3952
  C:\Windows\ihasphaxrfnjsfxpeted.exe | ihasphaxrfnjsfxpeted.exe | PID 2164

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe | PID 5224
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2364
  C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe | C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe | PID 4616

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe | PID 3892
  C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe | C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe | PID 4832

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe . | PID 4800
  C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe | C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe . | PID 1088
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\xxrkibvtodmjthatjzllf.exe*." | PID 1288

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe . | PID 5528
  C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe | C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe . | PID 3272
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*." | PID 3864

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe . | PID 4820
  C:\Windows\vtlcyphdwjqltfwnbpz.exe | vtlcyphdwjqltfwnbpz.exe . | PID 4804
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*." | PID 1948

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe | PID 2692
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5816
  C:\Windows\bxncwlbvmxcvblapb.exe | bxncwlbvmxcvblapb.exe | PID 4384

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe | PID 8
  C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe | C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe | PID 2136

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe | PID 3060
  C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe | C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe | PID 776

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe . | PID 3460
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1392
  C:\Windows\bxncwlbvmxcvblapb.exe | bxncwlbvmxcvblapb.exe . | PID 5672
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\bxncwlbvmxcvblapb.exe*." | PID 4984
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe . | PID 2548
  C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe . | PID 5100
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\khyojzqldpvpwhxnan.exe*." | PID 3988

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe . | PID 5188
  C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe | C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe . | PID 3044
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\xxrkibvtodmjthatjzllf.exe*." | PID 244

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | PID 5764
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3120
  C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | PID 2964

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe . | PID 2576
  C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe . | PID 4408
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\khyojzqldpvpwhxnan.exe*." | PID 5256

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe | PID 384
  C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe | C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe | PID 3348

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe . | PID 5392
  C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe | C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe . | PID 4516
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*." | PID 4464

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe | PID 5040
  C:\Windows\ihasphaxrfnjsfxpeted.exe | ihasphaxrfnjsfxpeted.exe | PID 4036

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe . | PID 2292
  C:\Windows\upeslzohxhldirft.exe | upeslzohxhldirft.exe . | PID 2044
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\upeslzohxhldirft.exe*." | PID 6040

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe | PID 5252
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3332
  C:\Windows\bxncwlbvmxcvblapb.exe | bxncwlbvmxcvblapb.exe | PID 5772

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe . | PID 4244
  C:\Windows\xxrkibvtodmjthatjzllf.exe | xxrkibvtodmjthatjzllf.exe . | PID 5780
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\xxrkibvtodmjthatjzllf.exe*." | PID 5796
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | PID 2648
  C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | PID 5704

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe . | PID 3040
  C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe | C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe . | PID 6048
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ihasphaxrfnjsfxpeted.exe*." | PID 3372

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe | PID 3992
  C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe | C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe | PID 5496

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe . | PID 1216
  C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe | C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe . | PID 744
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*." | PID 3316

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe | PID 1160
  C:\Windows\ihasphaxrfnjsfxpeted.exe | ihasphaxrfnjsfxpeted.exe | PID 408

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe . | PID 4276
  C:\Windows\upeslzohxhldirft.exe | upeslzohxhldirft.exe . | PID 5904
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\upeslzohxhldirft.exe*." | PID 2720

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe | PID 788
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1824
  C:\Windows\xxrkibvtodmjthatjzllf.exe | xxrkibvtodmjthatjzllf.exe | PID 1232

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe . | PID 336
  C:\Windows\ihasphaxrfnjsfxpeted.exe | ihasphaxrfnjsfxpeted.exe . | PID 1416
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ihasphaxrfnjsfxpeted.exe*." | PID 5692

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe | PID 1104
  C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe | C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe | PID 5720

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe . | PID 4176
  C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe | C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe . | PID 2068
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\xxrkibvtodmjthatjzllf.exe*." | PID 3536
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc | PID 4908

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | PID 4860
  C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | PID 4824

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe . | PID 3812
  C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe . | PID 3800
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\khyojzqldpvpwhxnan.exe*." | PID 3864

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe | PID 1848
  C:\Windows\xxrkibvtodmjthatjzllf.exe | xxrkibvtodmjthatjzllf.exe | PID 2796

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe . | PID 2680
  C:\Windows\xxrkibvtodmjthatjzllf.exe | xxrkibvtodmjthatjzllf.exe . | PID 4548
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\xxrkibvtodmjthatjzllf.exe*." | PID 8

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe | PID 872
  C:\Windows\bxncwlbvmxcvblapb.exe | bxncwlbvmxcvblapb.exe | PID 2072

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe . | PID 5128
  C:\Windows\bxncwlbvmxcvblapb.exe | bxncwlbvmxcvblapb.exe . | PID 4328
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\bxncwlbvmxcvblapb.exe*." | PID 648

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe | PID 2268
  C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe | C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe | PID 1928

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe . | PID 5092
  C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe . | PID 612
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\khyojzqldpvpwhxnan.exe*." | PID 2440

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe | PID 4388
  C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe | C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe | PID 3744

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe . | PID 5284
  C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe | C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe . | PID 3432
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\bxncwlbvmxcvblapb.exe*." | PID 2692

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe | PID 1228
  C:\Windows\upeslzohxhldirft.exe | upeslzohxhldirft.exe | PID 908

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe . | PID 5800
  C:\Windows\ihasphaxrfnjsfxpeted.exe | ihasphaxrfnjsfxpeted.exe . | PID 384
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ihasphaxrfnjsfxpeted.exe*." | PID 6008
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe | PID 4700
  C:\Windows\khyojzqldpvpwhxnan.exe | khyojzqldpvpwhxnan.exe | PID 5068

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe . | PID 2776
  C:\Windows\vtlcyphdwjqltfwnbpz.exe | vtlcyphdwjqltfwnbpz.exe . | PID 6032
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*." | PID 2828

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | PID 1700
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2372
  C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | PID 5980

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe . | PID 4108
  C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe | C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe . | PID 1712
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\bxncwlbvmxcvblapb.exe*." | PID 5344

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe | PID 5848
  C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe | C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe | PID 6104

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe . | PID 5952
  C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe | C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe . | PID 5252
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*." | PID 3472

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe | PID 2132
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5616
  C:\Windows\xxrkibvtodmjthatjzllf.exe | xxrkibvtodmjthatjzllf.exe | PID 560

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe . | PID 5328
  C:\Windows\xxrkibvtodmjthatjzllf.exe | xxrkibvtodmjthatjzllf.exe . | PID 3308
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\xxrkibvtodmjthatjzllf.exe*." | PID 2172

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe | PID 4256
  C:\Windows\upeslzohxhldirft.exe | upeslzohxhldirft.exe | PID 4244

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe . | PID 5424
  C:\Windows\ihasphaxrfnjsfxpeted.exe | ihasphaxrfnjsfxpeted.exe . | PID 2244
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ihasphaxrfnjsfxpeted.exe*." | PID 952

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe | PID 3140
  C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe | C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe | PID 6064

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe . | PID 1636
  C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe | C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe . | PID 2740
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*." | PID 3712
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe | PID 2004
  C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe | C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe | PID 4272

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe . | PID 5404
  C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe | C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe . | PID 4792
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*." | PID 2240

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe | PID 5692
  C:\Windows\upeslzohxhldirft.exe | upeslzohxhldirft.exe | PID 6012

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe . | PID 1796
  C:\Windows\ihasphaxrfnjsfxpeted.exe | ihasphaxrfnjsfxpeted.exe . | PID 5224
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ihasphaxrfnjsfxpeted.exe*." | PID 4844

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe | PID 4176
  C:\Windows\upeslzohxhldirft.exe | upeslzohxhldirft.exe | PID 3796

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe . | PID 4552
  C:\Windows\upeslzohxhldirft.exe | upeslzohxhldirft.exe . | PID 3316
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\upeslzohxhldirft.exe*." | PID 2408

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe | PID 6096
  C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe | C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe | PID 5996

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe . | PID 764
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4692
  C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe | C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe . | PID 5296
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ihasphaxrfnjsfxpeted.exe*." | PID 1948

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe | PID 3568
  C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe | C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe | PID 4912

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe . | PID 4728
  C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe | C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe . | PID 5136
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\xxrkibvtodmjthatjzllf.exe*." | PID 8
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca | PID 568

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe | PID 648
  C:\Windows\khyojzqldpvpwhxnan.exe | khyojzqldpvpwhxnan.exe | PID 2768

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe | PID 1816
  C:\Windows\vtlcyphdwjqltfwnbpz.exe | vtlcyphdwjqltfwnbpz.exe | PID 2440

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe | PID 3672
  C:\Windows\upeslzohxhldirft.exe | upeslzohxhldirft.exe | PID 2684

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe . | PID 3456
  C:\Windows\vtlcyphdwjqltfwnbpz.exe | vtlcyphdwjqltfwnbpz.exe . | PID 3684
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*." | PID 4076

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c khyojzqldpvpwhxnan.exe . | PID 5156
  C:\Windows\khyojzqldpvpwhxnan.exe | khyojzqldpvpwhxnan.exe . | PID 5284
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\khyojzqldpvpwhxnan.exe*." | PID 4676

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe . | PID 5240
  C:\Windows\ihasphaxrfnjsfxpeted.exe | ihasphaxrfnjsfxpeted.exe . | PID 708
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ihasphaxrfnjsfxpeted.exe*." | PID 1700

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe | PID 5620
  C:\Windows\xxrkibvtodmjthatjzllf.exe | xxrkibvtodmjthatjzllf.exe | PID 5040

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe | PID 1228
  C:\Windows\ihasphaxrfnjsfxpeted.exe | ihasphaxrfnjsfxpeted.exe | PID 2208

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe . | PID 4248
  C:\Windows\upeslzohxhldirft.exe | upeslzohxhldirft.exe . | PID 2940
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\upeslzohxhldirft.exe*." | PID 3692

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe . | PID 3284
  C:\Windows\xxrkibvtodmjthatjzllf.exe | xxrkibvtodmjthatjzllf.exe . | PID 2040
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\xxrkibvtodmjthatjzllf.exe*." | PID 1384

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe | PID 2748
  C:\Windows\xxrkibvtodmjthatjzllf.exe | xxrkibvtodmjthatjzllf.exe | PID 3992

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | PID 4972
  C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | PID 3260

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe | PID 3752
  C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe | C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe | PID 4072

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe . | PID 1712
  C:\Windows\vtlcyphdwjqltfwnbpz.exe | vtlcyphdwjqltfwnbpz.exe . | PID 2004
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*." | PID 3892
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe . | PID 2692
  C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe | C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe . | PID 2884
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\xxrkibvtodmjthatjzllf.exe*." | PID 5968

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe . | PID 2008
  C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe | C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe . | PID 2992
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*." | PID 6108

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | PID 1164
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5952
  C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | PID 4572

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe . | PID 5900
  C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe | C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe . | PID 4780
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ihasphaxrfnjsfxpeted.exe*." | PID 1320

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe | PID 424
  C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe | C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe | PID 5176

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe | PID 5972
  C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe | C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe | PID 5568

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe . | PID 952
  C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe | C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe . | PID 1088
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\bxncwlbvmxcvblapb.exe*." | PID 2136

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe . | PID 1028
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5304
  C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe | C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe . | PID 3316
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\xxrkibvtodmjthatjzllf.exe*." | PID 4872

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe | PID 2304
  C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe | C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe | PID 3812

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe . | PID 5908
  C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe | C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe . | PID 5116
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\bxncwlbvmxcvblapb.exe*." | PID 5488

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe | PID 2436
  C:\Windows\bxncwlbvmxcvblapb.exe | bxncwlbvmxcvblapb.exe | PID 2240

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe . | PID 2948
  C:\Windows\ihasphaxrfnjsfxpeted.exe | ihasphaxrfnjsfxpeted.exe . | PID 4776
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ihasphaxrfnjsfxpeted.exe*." | PID 5152

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe | PID 1640
  C:\Windows\ihasphaxrfnjsfxpeted.exe | ihasphaxrfnjsfxpeted.exe | PID 5112

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe . | PID 5092
  C:\Windows\ihasphaxrfnjsfxpeted.exe | ihasphaxrfnjsfxpeted.exe . | PID 5188
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ihasphaxrfnjsfxpeted.exe*." | PID 1980

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | PID 2872
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1288
  C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe | PID 3964

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe . | PID 6008
  C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe | C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe . | PID 4344
    C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe | "C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*." | PID 3684

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe | PID 3748
  C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe | C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe | PID 4076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .1⤵PID:4516
-
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exeC:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe .2⤵PID:1148
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\vtlcyphdwjqltfwnbpz.exe*."3⤵PID:3900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe1⤵PID:700
-
C:\Windows\xxrkibvtodmjthatjzllf.exexxrkibvtodmjthatjzllf.exe2⤵PID:908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe .1⤵PID:404
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3040
-
-
C:\Windows\upeslzohxhldirft.exeupeslzohxhldirft.exe .2⤵PID:5172
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\upeslzohxhldirft.exe*."3⤵PID:3936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe1⤵PID:1620
-
C:\Windows\vtlcyphdwjqltfwnbpz.exevtlcyphdwjqltfwnbpz.exe2⤵PID:3488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe .1⤵PID:2348
-
C:\Windows\bxncwlbvmxcvblapb.exebxncwlbvmxcvblapb.exe .2⤵PID:2076
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\bxncwlbvmxcvblapb.exe*."3⤵PID:2956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe1⤵PID:5416
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3472
-
-
C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exeC:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe2⤵PID:3396
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .1⤵PID:276
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:400
-
-
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exeC:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .2⤵PID:5008
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."3⤵PID:1756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe1⤵PID:5824
-
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exeC:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe2⤵PID:1968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe .1⤵PID:4580
-
C:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exeC:\Users\Admin\AppData\Local\Temp\ihasphaxrfnjsfxpeted.exe .2⤵PID:1004
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ihasphaxrfnjsfxpeted.exe*."3⤵PID:5580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe1⤵PID:4624
-
C:\Windows\upeslzohxhldirft.exeupeslzohxhldirft.exe2⤵PID:3064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe .1⤵PID:3968
-
C:\Windows\bxncwlbvmxcvblapb.exebxncwlbvmxcvblapb.exe .2⤵PID:5556
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\bxncwlbvmxcvblapb.exe*."3⤵PID:5644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe1⤵PID:1104
-
C:\Windows\upeslzohxhldirft.exeupeslzohxhldirft.exe2⤵PID:3032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxncwlbvmxcvblapb.exe .1⤵PID:6108
-
C:\Windows\bxncwlbvmxcvblapb.exebxncwlbvmxcvblapb.exe .2⤵PID:4784
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\bxncwlbvmxcvblapb.exe*."3⤵PID:2104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe1⤵PID:2820
-
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exeC:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe2⤵PID:2224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .1⤵PID:5756
-
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exeC:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .2⤵PID:2508
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\xxrkibvtodmjthatjzllf.exe*."3⤵PID:2740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe1⤵PID:4856
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2324
-
-
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exeC:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe2⤵PID:1932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .1⤵PID:4448
-
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exeC:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .2⤵PID:4812
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\xxrkibvtodmjthatjzllf.exe*."3⤵PID:5116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe1⤵PID:2436
-
C:\Windows\vtlcyphdwjqltfwnbpz.exevtlcyphdwjqltfwnbpz.exe2⤵PID:1028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe .1⤵PID:5436
-
C:\Windows\xxrkibvtodmjthatjzllf.exexxrkibvtodmjthatjzllf.exe .2⤵PID:952
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\xxrkibvtodmjthatjzllf.exe*."3⤵PID:4420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe1⤵PID:5236
-
C:\Windows\ihasphaxrfnjsfxpeted.exeihasphaxrfnjsfxpeted.exe2⤵PID:2964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe .1⤵PID:2456
-
C:\Windows\vtlcyphdwjqltfwnbpz.exevtlcyphdwjqltfwnbpz.exe .2⤵PID:240
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\vtlcyphdwjqltfwnbpz.exe*."3⤵PID:3100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe1⤵PID:2268
-
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exeC:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe2⤵PID:3124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .1⤵PID:2684
-
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exeC:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .2⤵PID:3388
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."3⤵PID:1952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe1⤵PID:680
-
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exeC:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe2⤵PID:6052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .1⤵PID:4676
-
C:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exeC:\Users\Admin\AppData\Local\Temp\xxrkibvtodmjthatjzllf.exe .2⤵PID:5768
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\xxrkibvtodmjthatjzllf.exe*."3⤵PID:2576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe1⤵PID:1148
-
C:\Windows\vtlcyphdwjqltfwnbpz.exevtlcyphdwjqltfwnbpz.exe2⤵PID:6104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe .1⤵PID:960
-
C:\Windows\upeslzohxhldirft.exeupeslzohxhldirft.exe .2⤵PID:4540
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\upeslzohxhldirft.exe*."3⤵PID:864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xxrkibvtodmjthatjzllf.exe1⤵PID:744
-
C:\Windows\xxrkibvtodmjthatjzllf.exexxrkibvtodmjthatjzllf.exe2⤵PID:4668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ihasphaxrfnjsfxpeted.exe .1⤵PID:5240
-
C:\Windows\ihasphaxrfnjsfxpeted.exeihasphaxrfnjsfxpeted.exe .2⤵PID:4980
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ihasphaxrfnjsfxpeted.exe*."3⤵PID:5600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe1⤵PID:3992
-
C:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exeC:\Users\Admin\AppData\Local\Temp\bxncwlbvmxcvblapb.exe2⤵PID:6048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .1⤵PID:4664
-
C:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exeC:\Users\Admin\AppData\Local\Temp\upeslzohxhldirft.exe .2⤵PID:2956
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\upeslzohxhldirft.exe*."3⤵PID:4640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe1⤵PID:5144
-
C:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exeC:\Users\Admin\AppData\Local\Temp\vtlcyphdwjqltfwnbpz.exe2⤵PID:4592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .1⤵PID:2984
-
C:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exeC:\Users\Admin\AppData\Local\Temp\khyojzqldpvpwhxnan.exe .2⤵PID:3484
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\khyojzqldpvpwhxnan.exe*."3⤵PID:2204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe1⤵PID:6112
-
C:\Windows\vtlcyphdwjqltfwnbpz.exevtlcyphdwjqltfwnbpz.exe2⤵PID:5384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upeslzohxhldirft.exe .1⤵PID:2860
-
C:\Windows\upeslzohxhldirft.exeupeslzohxhldirft.exe .2⤵PID:2772
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\upeslzohxhldirft.exe*."3⤵PID:1796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vtlcyphdwjqltfwnbpz.exe1⤵PID:5984
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads