Analysis
-
max time kernel
53s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20250410-en -
resource tags
arch:x64 arch:x86 image:win11-20250410-en locale:en-us os:windows11-21h2-x64 system -
submitted
18/04/2025, 07:03
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe
Resource
win10v2004-20250410-en
Behavioral task
behavioral2
Sample
JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe
Resource
win11-20250410-en
General
-
Target
JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe
-
Size
952KB
-
MD5
bd0b66050d49b213e682c9f3dbddd4f4
-
SHA1
3e6dc7c446dc88cd3b9aa237c8d4836bff134a18
-
SHA256
36f7aefe30f8fdda2c6a568efa39ed27bd09956fc7123a034285cf8e5f0d91a7
-
SHA512
7d0b3e9d573564d7d937b9ec83f21682a692c5ddb3797b155866b7620ecfebd6d2e444ab6d5a3f17b0d15a2db6af11f84aedfc93671c68d239cd2236c3b75ffa
-
SSDEEP
12288:7maNhOPnxBnHkapLjTn/rhlUy1WZyDYilDLvxtJzzxHs0oPYJaf4DbC:7CBnHZpLHrtW8nvzKT+u
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 26 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bdmkv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bdmkv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cpptclrxmzz.exe -
Pykspa family
-
UAC bypass 3 TTPs 35 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bdmkv.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" cpptclrxmzz.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe -
Detect Pykspa worm 2 IoCs
resource yara_rule behavioral2/files/0x003400000002adc3-4.dat family_pykspa behavioral2/files/0x001900000002b128-86.dat family_pykspa -
Adds policy Run key to start application 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mpzykn = "odzkixqiadxepfvivi.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mpzykn = "ylfokxoeuvnsbpdo.exe" cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mpzykn = "mdboofauotpyldvkzofd.exe" cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ylfokxoeuvnsbpdo.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mpzykn = "ftoyvjbsjlekujykw.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odzkixqiadxepfvivi.exe" cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bdmkv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpmyxnhatxsamduiwka.exe" bdmkv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btsghzvqlroymfyoeumlz.exe" bdmkv.exe 
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ylfokxoeuvnsbpdo.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mpzykn = "odzkixqiadxepfvivi.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mpzykn = "odzkixqiadxepfvivi.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mpzykn = "btsghzvqlroymfyoeumlz.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mpzykn = "ftoyvjbsjlekujykw.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odzkixqiadxepfvivi.exe" bdmkv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mpzykn = "mdboofauotpyldvkzofd.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ftoyvjbsjlekujykw.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mpzykn = "ylfokxoeuvnsbpdo.exe" cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ylfokxoeuvnsbpdo.exe" bdmkv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run cpptclrxmzz.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btsghzvqlroymfyoeumlz.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btsghzvqlroymfyoeumlz.exe" cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mpzykn = "btsghzvqlroymfyoeumlz.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ylfokxoeuvnsbpdo.exe" bdmkv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odzkixqiadxepfvivi.exe" bdmkv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mpzykn = "odzkixqiadxepfvivi.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odzkixqiadxepfvivi.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpmyxnhatxsamduiwka.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mpzykn = "ylfokxoeuvnsbpdo.exe" cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = 
"C:\\Users\\Admin\\AppData\\Local\\Temp\\odzkixqiadxepfvivi.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ftoyvjbsjlekujykw.exe" cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mpzykn = "zpmyxnhatxsamduiwka.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpmyxnhatxsamduiwka.exe" cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mpzykn = "ylfokxoeuvnsbpdo.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mpzykn = "ftoyvjbsjlekujykw.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odzkixqiadxepfvivi.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ftoyvjbsjlekujykw.exe" bdmkv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mpzykn = "zpmyxnhatxsamduiwka.exe" cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mpzykn = "mdboofauotpyldvkzofd.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = 
"C:\\Users\\Admin\\AppData\\Local\\Temp\\ylfokxoeuvnsbpdo.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mpzykn = "mdboofauotpyldvkzofd.exe" cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odzkixqiadxepfvivi.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mpzykn = "zpmyxnhatxsamduiwka.exe" bdmkv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdboofauotpyldvkzofd.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mpzykn = "ylfokxoeuvnsbpdo.exe" bdmkv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btsghzvqlroymfyoeumlz.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdboofauotpyldvkzofd.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mpzykn = "mdboofauotpyldvkzofd.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpmyxnhatxsamduiwka.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odzkixqiadxepfvivi.exe" cpptclrxmzz.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bdmkv.exe Set value (int) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cpptclrxmzz.exe Set value (int) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bdmkv.exe Set value (int) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bdmkv.exe -
Executes dropped EXE 64 IoCs
pid Process 1684 cpptclrxmzz.exe 5536 mdboofauotpyldvkzofd.exe 4788 zpmyxnhatxsamduiwka.exe 5080 cpptclrxmzz.exe 5144 zpmyxnhatxsamduiwka.exe 1448 btsghzvqlroymfyoeumlz.exe 2284 cpptclrxmzz.exe 2316 mdboofauotpyldvkzofd.exe 5336 odzkixqiadxepfvivi.exe 3116 cpptclrxmzz.exe 2976 btsghzvqlroymfyoeumlz.exe 3288 zpmyxnhatxsamduiwka.exe 2584 cpptclrxmzz.exe 4464 bdmkv.exe 5920 bdmkv.exe 2792 odzkixqiadxepfvivi.exe 5960 btsghzvqlroymfyoeumlz.exe 5764 ftoyvjbsjlekujykw.exe 648 cpptclrxmzz.exe 1992 ylfokxoeuvnsbpdo.exe 5804 btsghzvqlroymfyoeumlz.exe 2968 mdboofauotpyldvkzofd.exe 940 cpptclrxmzz.exe 1408 zpmyxnhatxsamduiwka.exe 4992 mdboofauotpyldvkzofd.exe 1828 cpptclrxmzz.exe 1488 btsghzvqlroymfyoeumlz.exe 4296 mdboofauotpyldvkzofd.exe 2120 mdboofauotpyldvkzofd.exe 2312 ylfokxoeuvnsbpdo.exe 4996 cpptclrxmzz.exe 4192 ylfokxoeuvnsbpdo.exe 5560 ftoyvjbsjlekujykw.exe 3724 odzkixqiadxepfvivi.exe 4692 cpptclrxmzz.exe 4548 ylfokxoeuvnsbpdo.exe 4544 cpptclrxmzz.exe 3668 cpptclrxmzz.exe 1080 odzkixqiadxepfvivi.exe 3112 ylfokxoeuvnsbpdo.exe 4936 cpptclrxmzz.exe 4948 ftoyvjbsjlekujykw.exe 5052 cpptclrxmzz.exe 5020 odzkixqiadxepfvivi.exe 4556 ylfokxoeuvnsbpdo.exe 5332 cpptclrxmzz.exe 2388 odzkixqiadxepfvivi.exe 2352 cpptclrxmzz.exe 5480 ftoyvjbsjlekujykw.exe 4520 mdboofauotpyldvkzofd.exe 3116 cpptclrxmzz.exe 5884 ylfokxoeuvnsbpdo.exe 4856 zpmyxnhatxsamduiwka.exe 2844 cpptclrxmzz.exe 5916 odzkixqiadxepfvivi.exe 2932 ftoyvjbsjlekujykw.exe 5272 zpmyxnhatxsamduiwka.exe 224 ylfokxoeuvnsbpdo.exe 348 cpptclrxmzz.exe 1876 mdboofauotpyldvkzofd.exe 388 btsghzvqlroymfyoeumlz.exe 2572 odzkixqiadxepfvivi.exe 1032 cpptclrxmzz.exe 768 cpptclrxmzz.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys bdmkv.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc bdmkv.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power bdmkv.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys bdmkv.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc bdmkv.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager bdmkv.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\otfguziq = "mdboofauotpyldvkzofd.exe ." bdmkv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\stby = "btsghzvqlroymfyoeumlz.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\stby = "btsghzvqlroymfyoeumlz.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\stby = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpmyxnhatxsamduiwka.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yftwmteoyt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdboofauotpyldvkzofd.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\zdoobfn = "ftoyvjbsjlekujykw.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\stby = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ylfokxoeuvnsbpdo.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yftwmteoyt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ylfokxoeuvnsbpdo.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\flyapvfox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdboofauotpyldvkzofd.exe ." 
cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yftwmteoyt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ftoyvjbsjlekujykw.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\stby = "mdboofauotpyldvkzofd.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\stby = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpmyxnhatxsamduiwka.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdmkv = "zpmyxnhatxsamduiwka.exe ." cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\zdoobfn = "zpmyxnhatxsamduiwka.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\flyapvfox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdboofauotpyldvkzofd.exe ." cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\otfguziq = "mdboofauotpyldvkzofd.exe ." cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\flyapvfox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odzkixqiadxepfvivi.exe ." cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yftwmteoyt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdboofauotpyldvkzofd.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bdmkv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpmyxnhatxsamduiwka.exe ." 
cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\stby = "ftoyvjbsjlekujykw.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\zdoobfn = "btsghzvqlroymfyoeumlz.exe" bdmkv.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\zdoobfn = "ftoyvjbsjlekujykw.exe" bdmkv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\stby = "odzkixqiadxepfvivi.exe" bdmkv.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\stby = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btsghzvqlroymfyoeumlz.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\otfguziq = "ylfokxoeuvnsbpdo.exe ." bdmkv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\stby = "ylfokxoeuvnsbpdo.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\flyapvfox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ylfokxoeuvnsbpdo.exe ." cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdmkv = "ftoyvjbsjlekujykw.exe ." cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bdmkv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdboofauotpyldvkzofd.exe ." cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\flyapvfox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdboofauotpyldvkzofd.exe ." 
cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\otfguziq = "zpmyxnhatxsamduiwka.exe ." cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yftwmteoyt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ylfokxoeuvnsbpdo.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\zdoobfn = "zpmyxnhatxsamduiwka.exe" bdmkv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yftwmteoyt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpmyxnhatxsamduiwka.exe" bdmkv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yftwmteoyt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ylfokxoeuvnsbpdo.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yftwmteoyt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ylfokxoeuvnsbpdo.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bdmkv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btsghzvqlroymfyoeumlz.exe ." cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\otfguziq = "btsghzvqlroymfyoeumlz.exe ." bdmkv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\stby = "odzkixqiadxepfvivi.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\zdoobfn = "ftoyvjbsjlekujykw.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\flyapvfox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odzkixqiadxepfvivi.exe ." 
cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\stby = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ftoyvjbsjlekujykw.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdmkv = "ylfokxoeuvnsbpdo.exe ." cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bdmkv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdboofauotpyldvkzofd.exe ." cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\stby = "mdboofauotpyldvkzofd.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\otfguziq = "btsghzvqlroymfyoeumlz.exe ." bdmkv.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\stby = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdboofauotpyldvkzofd.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bdmkv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdboofauotpyldvkzofd.exe ." cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\otfguziq = "btsghzvqlroymfyoeumlz.exe ." cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\otfguziq = "btsghzvqlroymfyoeumlz.exe ." cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\otfguziq = "odzkixqiadxepfvivi.exe ." 
cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\stby = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdboofauotpyldvkzofd.exe" bdmkv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdmkv = "ylfokxoeuvnsbpdo.exe ." cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\stby = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ftoyvjbsjlekujykw.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\stby = "btsghzvqlroymfyoeumlz.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdmkv = "zpmyxnhatxsamduiwka.exe ." bdmkv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\stby = "odzkixqiadxepfvivi.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\zdoobfn = "ylfokxoeuvnsbpdo.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\stby = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ftoyvjbsjlekujykw.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\zdoobfn = "ftoyvjbsjlekujykw.exe" cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdmkv = "odzkixqiadxepfvivi.exe ." cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bdmkv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdboofauotpyldvkzofd.exe ." 
cpptclrxmzz.exe Set value (str) \REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\otfguziq = "zpmyxnhatxsamduiwka.exe ." cpptclrxmzz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yftwmteoyt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btsghzvqlroymfyoeumlz.exe" cpptclrxmzz.exe -
Checks whether UAC is enabled — and, per the IoCs below, repeatedly sets EnableLUA to 0, which disables User Account Control outright (the change is typically effective only from the next logon/reboot) 1 TTPs 52 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Key value queried 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe Key value queried 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cpptclrxmzz.exe -
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's automatic privilege elevation for standard users: both cpptclrxmzz.exe and bdmkv.exe set EnableInstallerDetection to 0, which disables UAC's installer-detection heuristic so that setup-style executables are no longer prompted for elevation.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" bdmkv.exe -
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP. The contacted hosts are benign public services, so treat these lookups as a behavioral indicator for this sample rather than as domains to block on their own.
flow ioc 1 whatismyipaddress.com 1 www.showmyipaddress.com 1 www.whatismyip.ca 1 whatismyip.everdot.org 4 whatismyip.everdot.org -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes. Here bdmkv.exe writes autorun.inf to both the system drive (C:\) and the F:\ volume; the same process also sets the NoDriveTypeAutoRun policy (see System policy modification below), which governs which drive types honor autorun.inf.
description ioc Process File opened for modification F:\autorun.inf bdmkv.exe File created F:\autorun.inf bdmkv.exe File opened for modification C:\autorun.inf bdmkv.exe File created C:\autorun.inf bdmkv.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\btsghzvqlroymfyoeumlz.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\ftoyvjbsjlekujykw.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\mdboofauotpyldvkzofd.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\mdboofauotpyldvkzofd.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\ylfokxoeuvnsbpdo.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\ftoyvjbsjlekujykw.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\sllacvsokrpapjdulcvvkm.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\ftoyvjbsjlekujykw.exe bdmkv.exe File opened for modification C:\Windows\SysWOW64\sllacvsokrpapjdulcvvkm.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\ylfokxoeuvnsbpdo.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\zpmyxnhatxsamduiwka.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\odzkixqiadxepfvivi.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\btsghzvqlroymfyoeumlz.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\mdboofauotpyldvkzofd.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\zpmyxnhatxsamduiwka.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\ylfokxoeuvnsbpdo.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\odzkixqiadxepfvivi.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\zpmyxnhatxsamduiwka.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\ylfokxoeuvnsbpdo.exe bdmkv.exe File opened for modification C:\Windows\SysWOW64\ylfokxoeuvnsbpdo.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\odzkixqiadxepfvivi.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\odzkixqiadxepfvivi.exe cpptclrxmzz.exe File opened for modification 
C:\Windows\SysWOW64\btsghzvqlroymfyoeumlz.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\ftoyvjbsjlekujykw.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\zpmyxnhatxsamduiwka.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\mdboofauotpyldvkzofd.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\ylfokxoeuvnsbpdo.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\mdboofauotpyldvkzofd.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\zpmyxnhatxsamduiwka.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\mdboofauotpyldvkzofd.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\odzkixqiadxepfvivi.exe bdmkv.exe File opened for modification C:\Windows\SysWOW64\odzkixqiadxepfvivi.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\sllacvsokrpapjdulcvvkm.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\btsghzvqlroymfyoeumlz.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\odzkixqiadxepfvivi.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\odzkixqiadxepfvivi.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\sllacvsokrpapjdulcvvkm.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\btsghzvqlroymfyoeumlz.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\zpmyxnhatxsamduiwka.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\odzkixqiadxepfvivi.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\ftoyvjbsjlekujykw.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\sllacvsokrpapjdulcvvkm.exe bdmkv.exe File opened for modification C:\Windows\SysWOW64\mdboofauotpyldvkzofd.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\ylfokxoeuvnsbpdo.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\btsghzvqlroymfyoeumlz.exe 
bdmkv.exe File opened for modification C:\Windows\SysWOW64\sllacvsokrpapjdulcvvkm.exe bdmkv.exe File opened for modification C:\Windows\SysWOW64\ftoyvjbsjlekujykw.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\ftoyvjbsjlekujykw.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\sllacvsokrpapjdulcvvkm.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\btsghzvqlroymfyoeumlz.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\btsghzvqlroymfyoeumlz.exe bdmkv.exe File opened for modification C:\Windows\SysWOW64\qbtaufuiwvlovhtclufxeyjymazpszlxgpyj.icn bdmkv.exe File created C:\Windows\SysWOW64\qbtaufuiwvlovhtclufxeyjymazpszlxgpyj.icn bdmkv.exe File opened for modification C:\Windows\SysWOW64\sllacvsokrpapjdulcvvkm.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\zpmyxnhatxsamduiwka.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\btsghzvqlroymfyoeumlz.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\sllacvsokrpapjdulcvvkm.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\mdboofauotpyldvkzofd.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\sllacvsokrpapjdulcvvkm.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\zpmyxnhatxsamduiwka.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\ftoyvjbsjlekujykw.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\odzkixqiadxepfvivi.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\odzkixqiadxepfvivi.exe cpptclrxmzz.exe File opened for modification C:\Windows\SysWOW64\ylfokxoeuvnsbpdo.exe cpptclrxmzz.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\llsoxxbehvasopqomkkrnwwad.uzr bdmkv.exe File created C:\Program Files (x86)\llsoxxbehvasopqomkkrnwwad.uzr bdmkv.exe File opened for modification C:\Program Files (x86)\qbtaufuiwvlovhtclufxeyjymazpszlxgpyj.icn bdmkv.exe File created C:\Program Files (x86)\qbtaufuiwvlovhtclufxeyjymazpszlxgpyj.icn bdmkv.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\btsghzvqlroymfyoeumlz.exe cpptclrxmzz.exe File opened for modification C:\Windows\sllacvsokrpapjdulcvvkm.exe cpptclrxmzz.exe File opened for modification C:\Windows\btsghzvqlroymfyoeumlz.exe cpptclrxmzz.exe File opened for modification C:\Windows\odzkixqiadxepfvivi.exe cpptclrxmzz.exe File opened for modification C:\Windows\mdboofauotpyldvkzofd.exe cpptclrxmzz.exe File opened for modification C:\Windows\odzkixqiadxepfvivi.exe cpptclrxmzz.exe File opened for modification C:\Windows\ftoyvjbsjlekujykw.exe cpptclrxmzz.exe File opened for modification C:\Windows\btsghzvqlroymfyoeumlz.exe bdmkv.exe File opened for modification C:\Windows\sllacvsokrpapjdulcvvkm.exe cpptclrxmzz.exe File opened for modification C:\Windows\odzkixqiadxepfvivi.exe cpptclrxmzz.exe File opened for modification C:\Windows\sllacvsokrpapjdulcvvkm.exe cpptclrxmzz.exe File opened for modification C:\Windows\mdboofauotpyldvkzofd.exe cpptclrxmzz.exe File opened for modification C:\Windows\zpmyxnhatxsamduiwka.exe cpptclrxmzz.exe File opened for modification C:\Windows\mdboofauotpyldvkzofd.exe cpptclrxmzz.exe File opened for modification C:\Windows\zpmyxnhatxsamduiwka.exe cpptclrxmzz.exe File opened for modification C:\Windows\odzkixqiadxepfvivi.exe cpptclrxmzz.exe File opened for modification C:\Windows\odzkixqiadxepfvivi.exe cpptclrxmzz.exe File opened for modification C:\Windows\btsghzvqlroymfyoeumlz.exe cpptclrxmzz.exe File opened for modification C:\Windows\sllacvsokrpapjdulcvvkm.exe cpptclrxmzz.exe File opened for modification C:\Windows\ylfokxoeuvnsbpdo.exe cpptclrxmzz.exe File opened for modification C:\Windows\mdboofauotpyldvkzofd.exe cpptclrxmzz.exe File opened for modification C:\Windows\ftoyvjbsjlekujykw.exe bdmkv.exe File opened for modification C:\Windows\sllacvsokrpapjdulcvvkm.exe bdmkv.exe File opened for modification C:\Windows\llsoxxbehvasopqomkkrnwwad.uzr bdmkv.exe File opened for modification 
C:\Windows\odzkixqiadxepfvivi.exe cpptclrxmzz.exe File opened for modification C:\Windows\zpmyxnhatxsamduiwka.exe cpptclrxmzz.exe File opened for modification C:\Windows\mdboofauotpyldvkzofd.exe bdmkv.exe File opened for modification C:\Windows\odzkixqiadxepfvivi.exe cpptclrxmzz.exe File opened for modification C:\Windows\ylfokxoeuvnsbpdo.exe cpptclrxmzz.exe File opened for modification C:\Windows\ylfokxoeuvnsbpdo.exe cpptclrxmzz.exe File opened for modification C:\Windows\sllacvsokrpapjdulcvvkm.exe cpptclrxmzz.exe File opened for modification C:\Windows\mdboofauotpyldvkzofd.exe cpptclrxmzz.exe File opened for modification C:\Windows\mdboofauotpyldvkzofd.exe cpptclrxmzz.exe File opened for modification C:\Windows\sllacvsokrpapjdulcvvkm.exe cpptclrxmzz.exe File opened for modification C:\Windows\sllacvsokrpapjdulcvvkm.exe cpptclrxmzz.exe File opened for modification C:\Windows\ylfokxoeuvnsbpdo.exe cpptclrxmzz.exe File opened for modification C:\Windows\mdboofauotpyldvkzofd.exe cpptclrxmzz.exe File opened for modification C:\Windows\mdboofauotpyldvkzofd.exe cpptclrxmzz.exe File opened for modification C:\Windows\mdboofauotpyldvkzofd.exe bdmkv.exe File opened for modification C:\Windows\btsghzvqlroymfyoeumlz.exe cpptclrxmzz.exe File opened for modification C:\Windows\ylfokxoeuvnsbpdo.exe cpptclrxmzz.exe File opened for modification C:\Windows\zpmyxnhatxsamduiwka.exe cpptclrxmzz.exe File opened for modification C:\Windows\zpmyxnhatxsamduiwka.exe cpptclrxmzz.exe File opened for modification C:\Windows\btsghzvqlroymfyoeumlz.exe cpptclrxmzz.exe File opened for modification C:\Windows\mdboofauotpyldvkzofd.exe cpptclrxmzz.exe File opened for modification C:\Windows\btsghzvqlroymfyoeumlz.exe cpptclrxmzz.exe File opened for modification C:\Windows\zpmyxnhatxsamduiwka.exe cpptclrxmzz.exe File opened for modification C:\Windows\mdboofauotpyldvkzofd.exe cpptclrxmzz.exe File opened for modification C:\Windows\odzkixqiadxepfvivi.exe cpptclrxmzz.exe File opened for modification 
C:\Windows\ylfokxoeuvnsbpdo.exe cpptclrxmzz.exe File opened for modification C:\Windows\ftoyvjbsjlekujykw.exe cpptclrxmzz.exe File opened for modification C:\Windows\zpmyxnhatxsamduiwka.exe cpptclrxmzz.exe File opened for modification C:\Windows\mdboofauotpyldvkzofd.exe cpptclrxmzz.exe File opened for modification C:\Windows\zpmyxnhatxsamduiwka.exe cpptclrxmzz.exe File opened for modification C:\Windows\ftoyvjbsjlekujykw.exe bdmkv.exe File created C:\Windows\llsoxxbehvasopqomkkrnwwad.uzr bdmkv.exe File opened for modification C:\Windows\ftoyvjbsjlekujykw.exe cpptclrxmzz.exe File opened for modification C:\Windows\zpmyxnhatxsamduiwka.exe cpptclrxmzz.exe File opened for modification C:\Windows\ylfokxoeuvnsbpdo.exe cpptclrxmzz.exe File opened for modification C:\Windows\odzkixqiadxepfvivi.exe bdmkv.exe File opened for modification C:\Windows\zpmyxnhatxsamduiwka.exe bdmkv.exe File opened for modification C:\Windows\zpmyxnhatxsamduiwka.exe cpptclrxmzz.exe File opened for modification C:\Windows\ftoyvjbsjlekujykw.exe cpptclrxmzz.exe File opened for modification C:\Windows\sllacvsokrpapjdulcvvkm.exe cpptclrxmzz.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the victim's system language in order to infer the geographical location of that host. Several of the dropped executables open the NLS\Language key, so the check recurs across the process tree rather than only once at first execution.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ftoyvjbsjlekujykw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btsghzvqlroymfyoeumlz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mdboofauotpyldvkzofd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language odzkixqiadxepfvivi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language odzkixqiadxepfvivi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language odzkixqiadxepfvivi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ylfokxoeuvnsbpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ylfokxoeuvnsbpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btsghzvqlroymfyoeumlz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mdboofauotpyldvkzofd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zpmyxnhatxsamduiwka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language odzkixqiadxepfvivi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zpmyxnhatxsamduiwka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language odzkixqiadxepfvivi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ylfokxoeuvnsbpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language odzkixqiadxepfvivi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ftoyvjbsjlekujykw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mdboofauotpyldvkzofd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language odzkixqiadxepfvivi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ftoyvjbsjlekujykw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
btsghzvqlroymfyoeumlz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zpmyxnhatxsamduiwka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mdboofauotpyldvkzofd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ftoyvjbsjlekujykw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mdboofauotpyldvkzofd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language odzkixqiadxepfvivi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cpptclrxmzz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btsghzvqlroymfyoeumlz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ftoyvjbsjlekujykw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ftoyvjbsjlekujykw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mdboofauotpyldvkzofd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ftoyvjbsjlekujykw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btsghzvqlroymfyoeumlz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ylfokxoeuvnsbpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btsghzvqlroymfyoeumlz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btsghzvqlroymfyoeumlz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mdboofauotpyldvkzofd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language odzkixqiadxepfvivi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ylfokxoeuvnsbpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ylfokxoeuvnsbpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mdboofauotpyldvkzofd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
ylfokxoeuvnsbpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language odzkixqiadxepfvivi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mdboofauotpyldvkzofd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zpmyxnhatxsamduiwka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mdboofauotpyldvkzofd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zpmyxnhatxsamduiwka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language odzkixqiadxepfvivi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mdboofauotpyldvkzofd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btsghzvqlroymfyoeumlz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ftoyvjbsjlekujykw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zpmyxnhatxsamduiwka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ftoyvjbsjlekujykw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ylfokxoeuvnsbpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btsghzvqlroymfyoeumlz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btsghzvqlroymfyoeumlz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ylfokxoeuvnsbpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btsghzvqlroymfyoeumlz.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zpmyxnhatxsamduiwka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ftoyvjbsjlekujykw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ylfokxoeuvnsbpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ylfokxoeuvnsbpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
zpmyxnhatxsamduiwka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ylfokxoeuvnsbpdo.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 4464 bdmkv.exe 4464 bdmkv.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 
JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 4464 bdmkv.exe 4464 bdmkv.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4464 bdmkv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5792 wrote to memory of 1684 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 79 PID 5792 wrote to memory of 1684 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 79 PID 5792 wrote to memory of 1684 5792 JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe 79 PID 5964 wrote to memory of 5536 5964 cmd.exe 82 PID 5964 wrote to memory of 5536 5964 cmd.exe 82 PID 5964 wrote to memory of 5536 5964 cmd.exe 82 PID 4880 wrote to memory of 4788 4880 cmd.exe 85 PID 4880 wrote to memory of 4788 4880 cmd.exe 85 PID 4880 wrote to memory of 4788 4880 cmd.exe 85 PID 4788 wrote to memory of 5080 4788 zpmyxnhatxsamduiwka.exe 86 PID 4788 wrote to memory of 5080 4788 zpmyxnhatxsamduiwka.exe 86 PID 4788 wrote to memory of 5080 4788 zpmyxnhatxsamduiwka.exe 86 PID 5056 wrote to memory of 5144 5056 cmd.exe 89 PID 5056 wrote to memory of 5144 5056 cmd.exe 89 PID 5056 wrote to memory of 5144 5056 cmd.exe 89 PID 5648 wrote to memory of 1448 5648 cmd.exe 92 PID 5648 wrote to memory of 1448 5648 cmd.exe 92 PID 5648 wrote to memory of 1448 5648 cmd.exe 92 PID 1448 wrote to memory of 2284 1448 btsghzvqlroymfyoeumlz.exe 97 PID 1448 wrote to memory of 2284 1448 btsghzvqlroymfyoeumlz.exe 97 PID 1448 wrote to memory of 2284 1448 btsghzvqlroymfyoeumlz.exe 97 PID 6064 wrote to memory of 2316 6064 cmd.exe 98 PID 6064 wrote to memory of 2316 6064 cmd.exe 98 PID 6064 wrote to memory of 2316 6064 cmd.exe 98 PID 2036 wrote to memory of 5336 2036 cmd.exe 99 PID 2036 wrote to memory of 5336 2036 cmd.exe 99 PID 2036 wrote to memory of 5336 2036 cmd.exe 99 PID 5336 wrote to memory of 3116 5336 odzkixqiadxepfvivi.exe 100 PID 5336 wrote to memory of 3116 5336 odzkixqiadxepfvivi.exe 100 PID 5336 wrote to memory of 3116 5336 odzkixqiadxepfvivi.exe 100 PID 2056 wrote to memory of 2976 2056 cmd.exe 103 PID 2056 wrote to memory of 2976 2056 cmd.exe 103 PID 2056 wrote to memory of 2976 2056 cmd.exe 103 PID 2464 wrote to memory of 3288 2464 cmd.exe 106 PID 2464 
wrote to memory of 3288 2464 cmd.exe 106 PID 2464 wrote to memory of 3288 2464 cmd.exe 106 PID 3288 wrote to memory of 2584 3288 zpmyxnhatxsamduiwka.exe 107 PID 3288 wrote to memory of 2584 3288 zpmyxnhatxsamduiwka.exe 107 PID 3288 wrote to memory of 2584 3288 zpmyxnhatxsamduiwka.exe 107 PID 1684 wrote to memory of 4464 1684 cpptclrxmzz.exe 108 PID 1684 wrote to memory of 4464 1684 cpptclrxmzz.exe 108 PID 1684 wrote to memory of 4464 1684 cpptclrxmzz.exe 108 PID 1684 wrote to memory of 5920 1684 cpptclrxmzz.exe 109 PID 1684 wrote to memory of 5920 1684 cpptclrxmzz.exe 109 PID 1684 wrote to memory of 5920 1684 cpptclrxmzz.exe 109 PID 232 wrote to memory of 2792 232 cmd.exe 112 PID 232 wrote to memory of 2792 232 cmd.exe 112 PID 232 wrote to memory of 2792 232 cmd.exe 112 PID 2260 wrote to memory of 5960 2260 cmd.exe 117 PID 2260 wrote to memory of 5960 2260 cmd.exe 117 PID 2260 wrote to memory of 5960 2260 cmd.exe 117 PID 2684 wrote to memory of 5764 2684 cmd.exe 118 PID 2684 wrote to memory of 5764 2684 cmd.exe 118 PID 2684 wrote to memory of 5764 2684 cmd.exe 118 PID 5764 wrote to memory of 648 5764 ftoyvjbsjlekujykw.exe 123 PID 5764 wrote to memory of 648 5764 ftoyvjbsjlekujykw.exe 123 PID 5764 wrote to memory of 648 5764 ftoyvjbsjlekujykw.exe 123 PID 544 wrote to memory of 1992 544 cmd.exe 125 PID 544 wrote to memory of 1992 544 cmd.exe 125 PID 544 wrote to memory of 1992 544 cmd.exe 125 PID 5984 wrote to memory of 5804 5984 cmd.exe 129 PID 5984 wrote to memory of 5804 5984 cmd.exe 129 PID 5984 wrote to memory of 5804 5984 cmd.exe 129 PID 1708 wrote to memory of 2968 1708 cmd.exe 133 -
System policy modification 1 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" bdmkv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" bdmkv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer bdmkv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 
cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" bdmkv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" cpptclrxmzz.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" bdmkv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" bdmkv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" cpptclrxmzz.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" bdmkv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cpptclrxmzz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cpptclrxmzz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" bdmkv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" bdmkv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5792 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_bd0b66050d49b213e682c9f3dbddd4f4.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1684 -
C:\Users\Admin\AppData\Local\Temp\bdmkv.exe"C:\Users\Admin\AppData\Local\Temp\bdmkv.exe" "-C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4464
-
-
C:\Users\Admin\AppData\Local\Temp\bdmkv.exe"C:\Users\Admin\AppData\Local\Temp\bdmkv.exe" "-C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5964 -
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe2⤵
- Executes dropped EXE
PID:5536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\zpmyxnhatxsamduiwka.exe*."3⤵
- Executes dropped EXE
PID:5080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe2⤵
- Executes dropped EXE
PID:5144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5648 -
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\btsghzvqlroymfyoeumlz.exe*."3⤵
- Executes dropped EXE
PID:2284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵
- Suspicious use of WriteProcessMemory
PID:6064 -
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2316
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5336 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\odzkixqiadxepfvivi.exe*."3⤵
- Executes dropped EXE
PID:3116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\zpmyxnhatxsamduiwka.exe*."3⤵
- Executes dropped EXE
PID:2584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe1⤵
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2792
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe2⤵
- Executes dropped EXE
PID:5960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5764 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ftoyvjbsjlekujykw.exe*."3⤵
- Executes dropped EXE
PID:648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe .2⤵
- Executes dropped EXE
PID:1992 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ylfokxoeuvnsbpdo.exe*."3⤵
- Executes dropped EXE
PID:940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5984 -
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe2⤵
- Executes dropped EXE
PID:5804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe .2⤵
- Executes dropped EXE
PID:2968 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\mdboofauotpyldvkzofd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
PID:1828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe1⤵PID:3308
-
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe2⤵
- Executes dropped EXE
PID:4992
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe1⤵PID:1676
-
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe2⤵
- Executes dropped EXE
PID:1408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe .1⤵PID:2788
-
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe .2⤵
- Executes dropped EXE
PID:4296 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\mdboofauotpyldvkzofd.exe*."3⤵
- Executes dropped EXE
PID:4692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .1⤵PID:3912
-
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1488 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\btsghzvqlroymfyoeumlz.exe*."3⤵
- Executes dropped EXE
PID:4996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵PID:2148
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵
- Executes dropped EXE
PID:2120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .1⤵PID:1088
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2312 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ylfokxoeuvnsbpdo.exe*."3⤵
- Executes dropped EXE
PID:4544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe1⤵PID:3240
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe2⤵
- Executes dropped EXE
PID:4192
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .1⤵PID:2256
-
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .2⤵
- Executes dropped EXE
PID:5560 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ftoyvjbsjlekujykw.exe*."3⤵
- Executes dropped EXE
PID:3668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe1⤵PID:1800
-
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe2⤵
- Executes dropped EXE
PID:3724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .1⤵PID:5832
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4548 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ylfokxoeuvnsbpdo.exe*."3⤵
- Executes dropped EXE
PID:4936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe1⤵PID:4144
-
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe2⤵
- Executes dropped EXE
PID:1080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe .1⤵PID:2016
-
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3112 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ylfokxoeuvnsbpdo.exe*."3⤵
- Executes dropped EXE
PID:5052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:4272
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵
- Executes dropped EXE
PID:4948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe .1⤵PID:2864
-
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5020 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\odzkixqiadxepfvivi.exe*."3⤵
- Executes dropped EXE
PID:5332
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe1⤵PID:4752
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe2⤵
- Executes dropped EXE
PID:4556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .1⤵PID:5108
-
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .2⤵
- Executes dropped EXE
PID:2388 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\odzkixqiadxepfvivi.exe*."3⤵
- Executes dropped EXE
PID:2352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe1⤵PID:3592
-
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe2⤵
- Executes dropped EXE
PID:5480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .1⤵PID:4300
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .2⤵
- Executes dropped EXE
PID:4520 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mdboofauotpyldvkzofd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
PID:3116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe1⤵PID:3508
-
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe2⤵
- Executes dropped EXE
PID:5884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe .1⤵PID:1528
-
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4856 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\zpmyxnhatxsamduiwka.exe*."3⤵
- Executes dropped EXE
PID:2844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe1⤵PID:1556
-
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe2⤵
- Executes dropped EXE
PID:5916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe .1⤵PID:1916
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ftoyvjbsjlekujykw.exe*."3⤵
- Executes dropped EXE
PID:348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe1⤵PID:4128
-
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe2⤵
- Executes dropped EXE
PID:5272
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe1⤵PID:2832
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe2⤵
- Executes dropped EXE
PID:224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .1⤵PID:5212
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .2⤵
- Executes dropped EXE
PID:1876 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mdboofauotpyldvkzofd.exe*."3⤵
- Executes dropped EXE
PID:1032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe1⤵PID:4836
-
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe2⤵
- Executes dropped EXE
PID:388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe .1⤵PID:4864
-
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\odzkixqiadxepfvivi.exe*."3⤵
- Executes dropped EXE
PID:768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe .1⤵PID:3616
-
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe .2⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\zpmyxnhatxsamduiwka.exe*."3⤵PID:1796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe1⤵PID:1268
-
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe2⤵PID:3020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵PID:5888
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵PID:828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe .1⤵PID:544
-
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe .2⤵PID:4688
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\btsghzvqlroymfyoeumlz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .1⤵PID:5776
-
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3132 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\btsghzvqlroymfyoeumlz.exe*."3⤵PID:4668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:1872
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:3948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe1⤵PID:3624
-
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe2⤵PID:3612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe .1⤵PID:3156
-
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1792 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\btsghzvqlroymfyoeumlz.exe*."3⤵PID:4692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .1⤵PID:6012
-
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .2⤵PID:3564
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ftoyvjbsjlekujykw.exe*."3⤵PID:4352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe1⤵PID:6136
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe2⤵PID:2312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .1⤵PID:2364
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1444 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mdboofauotpyldvkzofd.exe*."3⤵PID:4400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe1⤵PID:2028
-
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe2⤵PID:5576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .1⤵PID:1112
-
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .2⤵PID:2988
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ftoyvjbsjlekujykw.exe*."3⤵PID:4928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe1⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe2⤵PID:1632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .1⤵PID:2436
-
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\odzkixqiadxepfvivi.exe*."3⤵PID:4272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe1⤵PID:4656
-
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe2⤵PID:3928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe .1⤵PID:5060
-
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe .2⤵PID:4764
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ylfokxoeuvnsbpdo.exe*."3⤵PID:2144
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe1⤵PID:4556
-
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe2⤵PID:2460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe .1⤵PID:4552
-
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe .2⤵PID:4360
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\btsghzvqlroymfyoeumlz.exe*."3⤵PID:3004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe1⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe2⤵PID:4004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .1⤵PID:2284
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4356 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mdboofauotpyldvkzofd.exe*."3⤵PID:3404
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe1⤵PID:684
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe2⤵PID:5336
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .1⤵PID:5484
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4444
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\odzkixqiadxepfvivi.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2036
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe1⤵PID:2856
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe2⤵PID:5768
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe .1⤵PID:3568
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe .2⤵PID:1772
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ftoyvjbsjlekujykw.exe*."3⤵PID:2508
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe1⤵PID:1900
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe2⤵PID:1852
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe .1⤵PID:6124
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe .2⤵PID:5488
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\odzkixqiadxepfvivi.exe*."3⤵PID:5996
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe1⤵PID:2932
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe2⤵PID:6132
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .1⤵PID:896
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .2⤵PID:388
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mdboofauotpyldvkzofd.exe*."3⤵PID:2260
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵PID:648
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵PID:6104
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .1⤵PID:1132
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .2⤵PID:2000
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mdboofauotpyldvkzofd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:412
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe1⤵PID:5900
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe2⤵PID:772
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe .1⤵PID:3852
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5808
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ftoyvjbsjlekujykw.exe*."3⤵PID:2004
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:3336
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:3788
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe .1⤵PID:6116
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe .2⤵PID:3740
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\btsghzvqlroymfyoeumlz.exe*."3⤵PID:4668
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe1⤵PID:4104
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe2⤵PID:3904
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .1⤵PID:4632
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .2⤵PID:5552
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\odzkixqiadxepfvivi.exe*."3⤵PID:336
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe1⤵PID:396
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe2⤵PID:1792
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .1⤵PID:4480
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .2⤵PID:3136
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\zpmyxnhatxsamduiwka.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:784
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:5580
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:3028
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe .1⤵PID:4232
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1152
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\btsghzvqlroymfyoeumlz.exe*."3⤵PID:5976
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe1⤵PID:4400
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe2⤵PID:5456
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe .1⤵PID:2108
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe .2⤵PID:1592
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\mdboofauotpyldvkzofd.exe*."3⤵PID:1228
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe1⤵PID:5200
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe2⤵PID:4664
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .1⤵PID:5096
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3668
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\odzkixqiadxepfvivi.exe*."3⤵PID:3112
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe1⤵PID:4788
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe2⤵PID:5704
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .1⤵PID:2016
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .2⤵PID:5252
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\btsghzvqlroymfyoeumlz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
PID:4920
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe1⤵PID:4892
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe2⤵PID:2316
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe .1⤵PID:4004
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3588
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ylfokxoeuvnsbpdo.exe*."3⤵PID:5956
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe1⤵PID:5876
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe2⤵PID:5056
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe .1⤵PID:5324
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4940
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ftoyvjbsjlekujykw.exe*."3⤵PID:4444
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵PID:3704
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵PID:4376
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .1⤵PID:5484
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4432
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ftoyvjbsjlekujykw.exe*."3⤵PID:5768
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵PID:1300
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵PID:1528
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .1⤵PID:6128
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5916
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .2⤵PID:5180
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\btsghzvqlroymfyoeumlz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2176
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe1⤵PID:3976
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe2⤵PID:5488
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe .1⤵PID:5960
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1480
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ylfokxoeuvnsbpdo.exe*."3⤵PID:5784
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe1⤵PID:3380
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe2⤵PID:2828
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe .1⤵PID:276
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2484
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\zpmyxnhatxsamduiwka.exe*."3⤵PID:2080
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe1⤵PID:3084
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe2⤵PID:5584
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .1⤵PID:6076
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .2⤵PID:4864
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ylfokxoeuvnsbpdo.exe*."3⤵PID:1500
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe1⤵PID:772
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe2⤵PID:2592
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .1⤵PID:5260
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .2⤵PID:2452
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ylfokxoeuvnsbpdo.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
PID:2128
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:3852
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:5856
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe .1⤵PID:2392
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe .2⤵PID:4104
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ftoyvjbsjlekujykw.exe*."3⤵PID:3200
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe1⤵PID:6116
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe2⤵PID:2992
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe1⤵PID:4712
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe2⤵PID:3524
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe .1⤵PID:4632
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5848
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\btsghzvqlroymfyoeumlz.exe*."3⤵PID:5972
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe1⤵PID:2688
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe2⤵PID:4480
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe1⤵PID:5912
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe2⤵PID:5908
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .1⤵PID:5576
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .2⤵PID:3344
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\zpmyxnhatxsamduiwka.exe*."3⤵PID:2364
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe .1⤵PID:2516
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5580
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\mdboofauotpyldvkzofd.exe*."3⤵PID:2324
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe .1⤵PID:3732
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe .2⤵PID:908
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ylfokxoeuvnsbpdo.exe*."3⤵PID:3112
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe1⤵PID:2748
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe2⤵PID:5112
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe .1⤵PID:4928
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe .2⤵PID:1432
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\mdboofauotpyldvkzofd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3004
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe1⤵PID:1592
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe2⤵PID:3668
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:1160
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:4764
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe1⤵PID:3908
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe2⤵PID:2352
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .1⤵PID:1088
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4556
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mdboofauotpyldvkzofd.exe*."3⤵PID:5876
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe .1⤵PID:1776
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5108
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ylfokxoeuvnsbpdo.exe*."3⤵PID:5344
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .1⤵PID:4884
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .2⤵PID:5648
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ftoyvjbsjlekujykw.exe*."3⤵PID:5868
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe1⤵PID:5024
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe2⤵PID:5956
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .1⤵PID:3000
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3588
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:448
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ftoyvjbsjlekujykw.exe*."3⤵PID:4156
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe1⤵PID:4732
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe2⤵PID:3288
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .1⤵PID:4940
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .2⤵PID:5272
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ylfokxoeuvnsbpdo.exe*."3⤵PID:1852
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵PID:4452
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵PID:5448
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .1⤵PID:2468
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .2⤵PID:2492
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\btsghzvqlroymfyoeumlz.exe*."3⤵PID:3952
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:3872
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:2872
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe .1⤵PID:4164
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3556
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ylfokxoeuvnsbpdo.exe*."3⤵PID:4488
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:1040
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:5960
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe .1⤵PID:5520
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1128
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\btsghzvqlroymfyoeumlz.exe*."3⤵PID:5812
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵PID:3784
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵PID:2036
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .1⤵PID:3084
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .2⤵PID:3104
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ylfokxoeuvnsbpdo.exe*."3⤵PID:3500
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe1⤵PID:3756
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe2⤵PID:6076
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .1⤵PID:2592
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:828
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:772
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mdboofauotpyldvkzofd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2904
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe1⤵PID:3516
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe2⤵PID:3164
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe .1⤵PID:5352
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe .2⤵PID:1892
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\mdboofauotpyldvkzofd.exe*."3⤵PID:1968
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe1⤵PID:2548
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe2⤵PID:3740
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe .1⤵PID:5048
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe .2⤵PID:5168
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\btsghzvqlroymfyoeumlz.exe*."3⤵PID:1232
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe1⤵PID:1728
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3524
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe2⤵PID:4480
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .1⤵PID:3564
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .2⤵PID:3136
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\odzkixqiadxepfvivi.exe*."3⤵PID:5716
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵PID:2400
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵PID:6080
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .1⤵PID:1436
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .2⤵PID:3300
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mdboofauotpyldvkzofd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1888
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe1⤵PID:860
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe2⤵PID:5540
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe .1⤵PID:4684
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5112
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1200
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ftoyvjbsjlekujykw.exe*."3⤵PID:3728
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe1⤵PID:4984
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe2⤵PID:3912
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe .1⤵PID:1164
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3788
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe .2⤵PID:2128
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ftoyvjbsjlekujykw.exe*."3⤵PID:4924
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe1⤵PID:1444
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe2⤵PID:5128
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .1⤵PID:5332
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3316
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mdboofauotpyldvkzofd.exe*."3⤵PID:3936
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe1⤵PID:3124
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe2⤵PID:5876
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .1⤵PID:5020
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .2⤵PID:796
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ftoyvjbsjlekujykw.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4264
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:5816
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:5052
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe .1⤵PID:404
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5252
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2848
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\odzkixqiadxepfvivi.exe*."3⤵PID:3504
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe1⤵PID:4452
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe2⤵PID:2900
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe .1⤵PID:5916
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2856
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\zpmyxnhatxsamduiwka.exe*."3⤵PID:5224
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe1⤵PID:1896
-
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe2⤵PID:3492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .1⤵PID:3100
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5172 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ylfokxoeuvnsbpdo.exe*."3⤵PID:5488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe1⤵PID:5468
-
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe2⤵PID:1480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .1⤵PID:2828
-
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ftoyvjbsjlekujykw.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:4836
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:1132
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe .1⤵PID:648
-
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2396 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ylfokxoeuvnsbpdo.exe*."3⤵PID:4952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:1700
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:3900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe .1⤵PID:5756
-
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4612 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\mdboofauotpyldvkzofd.exe*."3⤵PID:3516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe1⤵PID:1652
-
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe2⤵PID:840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .1⤵PID:3948
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .2⤵PID:3200
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mdboofauotpyldvkzofd.exe*."3⤵PID:1676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe1⤵PID:2392
-
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe2⤵PID:2548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .1⤵PID:4028
-
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4100 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\zpmyxnhatxsamduiwka.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe1⤵PID:5012
-
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe2⤵PID:5776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe .1⤵PID:3340
-
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5560 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\odzkixqiadxepfvivi.exe*."3⤵PID:2364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:2400
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:4080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe .1⤵PID:1708
-
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1168 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\odzkixqiadxepfvivi.exe*."3⤵PID:2748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe1⤵PID:4696
-
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe2⤵PID:6136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .1⤵PID:4092
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1228
-
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .2⤵PID:1632
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mdboofauotpyldvkzofd.exe*."3⤵PID:492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe1⤵PID:1156
-
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe2⤵PID:708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .1⤵PID:1756
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .2⤵PID:5264
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mdboofauotpyldvkzofd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:3716
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:5480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe .1⤵PID:4852
-
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3124 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\mdboofauotpyldvkzofd.exe*."3⤵PID:3412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe1⤵PID:2412
-
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe2⤵PID:3372
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe .1⤵PID:1448
-
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4300 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\btsghzvqlroymfyoeumlz.exe*."3⤵PID:2820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe1⤵PID:5884
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4376
-
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe2⤵PID:3192
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe1⤵PID:1828
-
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe2⤵PID:5080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .1⤵PID:1776
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .2⤵PID:5484
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ylfokxoeuvnsbpdo.exe*."3⤵PID:2900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe1⤵PID:3504
-
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe2⤵PID:2020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe .1⤵PID:3940
-
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3664 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\zpmyxnhatxsamduiwka.exe*."3⤵PID:5272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe1⤵PID:4920
-
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe2⤵PID:3604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe .1⤵PID:3608
-
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe .2⤵PID:6132
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ylfokxoeuvnsbpdo.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:2932
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:1956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .1⤵PID:4488
-
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5508 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\btsghzvqlroymfyoeumlz.exe*."3⤵PID:3108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe .1⤵PID:5780
-
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe .2⤵PID:4864
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\mdboofauotpyldvkzofd.exe*."3⤵PID:5000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe1⤵PID:768
-
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe2⤵PID:4800
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe1⤵PID:5212
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2484
-
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe2⤵PID:2324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe .1⤵PID:3184
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6104
-
-
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\mdboofauotpyldvkzofd.exe*."3⤵PID:1768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .1⤵PID:2260
-
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .2⤵PID:5888
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\btsghzvqlroymfyoeumlz.exe*."3⤵PID:3740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe1⤵PID:5232
-
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe2⤵PID:5228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .1⤵PID:3216
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:772
-
-
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .2⤵
- System Location Discovery: System Language Discovery
PID:660 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\zpmyxnhatxsamduiwka.exe*."3⤵PID:1992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe1⤵PID:2452
-
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe2⤵PID:5220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe1⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe2⤵PID:328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .1⤵PID:3948
-
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .2⤵PID:2184
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\btsghzvqlroymfyoeumlz.exe*."3⤵PID:3028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe1⤵PID:5696
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe2⤵PID:556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe .1⤵PID:892
-
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3752 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\btsghzvqlroymfyoeumlz.exe*."3⤵PID:5848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .1⤵PID:4372
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .2⤵
- System Location Discovery: System Language Discovery
PID:336 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ylfokxoeuvnsbpdo.exe*."3⤵PID:6136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe1⤵PID:4896
-
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe2⤵PID:3928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe .1⤵PID:4080
-
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5540 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\mdboofauotpyldvkzofd.exe*."3⤵PID:2612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe1⤵PID:1596
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe2⤵PID:1436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .1⤵PID:3668
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4976 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ylfokxoeuvnsbpdo.exe*."3⤵PID:1156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe1⤵PID:6120
-
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe2⤵PID:5128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .1⤵PID:5396
-
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .2⤵PID:4120
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ftoyvjbsjlekujykw.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
PID:3128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe1⤵PID:4984
-
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe2⤵PID:4928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe .1⤵PID:5424
-
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe .2⤵PID:4620
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ylfokxoeuvnsbpdo.exe*."3⤵PID:1052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe1⤵PID:5076
-
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe2⤵PID:6088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe .1⤵PID:2984
-
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe .2⤵PID:5328
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\btsghzvqlroymfyoeumlz.exe*."3⤵PID:5884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe1⤵PID:4300
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1528
-
-
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe2⤵PID:2056
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .1⤵PID:1828
-
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .2⤵PID:1448
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\btsghzvqlroymfyoeumlz.exe*."3⤵PID:4436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe1⤵PID:240
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5056
-
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe2⤵PID:5116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .1⤵PID:2336
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .2⤵PID:3504
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ylfokxoeuvnsbpdo.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe1⤵PID:4536
-
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe2⤵PID:5500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe .1⤵PID:3364
-
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe .2⤵PID:224
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ylfokxoeuvnsbpdo.exe*."3⤵PID:5468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:2440
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:1308
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe .1⤵PID:2076
-
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe .2⤵PID:5728
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\mdboofauotpyldvkzofd.exe*."3⤵PID:3168
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe1⤵PID:4264
-
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe2⤵PID:1916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .1⤵PID:8
-
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .2⤵
- System Location Discovery: System Language Discovery
PID:6044 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\zpmyxnhatxsamduiwka.exe*."3⤵PID:1512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe1⤵PID:3616
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe2⤵PID:1236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .1⤵PID:2548
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:660
-
-
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .2⤵PID:3852
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ftoyvjbsjlekujykw.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:244
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe1⤵PID:840
-
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe2⤵PID:1428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe .1⤵PID:1488
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe .2⤵PID:1800
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ftoyvjbsjlekujykw.exe*."3⤵PID:2124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe1⤵PID:3028
-
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe2⤵PID:5352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe .1⤵PID:4140
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:980 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ftoyvjbsjlekujykw.exe*."3⤵PID:3368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe1⤵PID:420
-
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe2⤵PID:5168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .1⤵PID:5568
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5716
-
-
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5676 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\zpmyxnhatxsamduiwka.exe*."3⤵PID:5832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe1⤵PID:788
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5540
-
-
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe2⤵PID:4072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .1⤵PID:5684
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .2⤵PID:4764
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mdboofauotpyldvkzofd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe1⤵PID:1768
-
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe2⤵PID:6076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe .1⤵PID:5764
-
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4192 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\odzkixqiadxepfvivi.exe*."3⤵PID:1632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe1⤵PID:2208
-
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe2⤵PID:1592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe .1⤵PID:916
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5188 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ftoyvjbsjlekujykw.exe*."3⤵PID:4708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe1⤵PID:1444
-
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe2⤵PID:960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .1⤵PID:4272
-
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .2⤵PID:5144
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\odzkixqiadxepfvivi.exe*."3⤵PID:1432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe1⤵PID:4268
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3412
-
-
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe2⤵PID:616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .1⤵PID:4980
-
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4788 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\btsghzvqlroymfyoeumlz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe1⤵PID:5284
-
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe2⤵PID:4744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe .1⤵PID:5040
-
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5704 -
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ylfokxoeuvnsbpdo.exe*."3⤵PID:5020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:1424
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:2900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe .1⤵PID:1556
-
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe .2⤵PID:2164
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ylfokxoeuvnsbpdo.exe*."3⤵PID:5272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵PID:5652
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵PID:2336
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .1⤵PID:3152
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .2⤵PID:4524
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mdboofauotpyldvkzofd.exe*."3⤵PID:5724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe1⤵PID:5488
-
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe2⤵PID:4164
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .1⤵PID:3364
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .2⤵PID:5960
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ylfokxoeuvnsbpdo.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe1⤵PID:4940
-
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe2⤵PID:3492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe .1⤵PID:1704
-
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe .2⤵PID:6044
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\btsghzvqlroymfyoeumlz.exe*."3⤵PID:4808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:4608
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2992
-
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:5304
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe .1⤵PID:3308
-
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe .2⤵PID:4692
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\zpmyxnhatxsamduiwka.exe*."3⤵PID:2260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵PID:1992
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵PID:1684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .1⤵PID:4996
-
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .2⤵PID:1496
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\odzkixqiadxepfvivi.exe*."3⤵PID:1420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe1⤵PID:5132
-
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe2⤵PID:3476
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:5776
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:4100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .1⤵PID:4104
-
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .2⤵PID:5844
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ftoyvjbsjlekujykw.exe*."3⤵PID:4140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe1⤵PID:5944
-
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe2⤵PID:2832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe .1⤵PID:5696
-
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe .2⤵PID:4552
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ylfokxoeuvnsbpdo.exe*."3⤵PID:3756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe .1⤵PID:5860
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4864
-
-
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe .2⤵PID:492
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\btsghzvqlroymfyoeumlz.exe*."3⤵PID:3668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe1⤵PID:5580
-
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe2⤵PID:3928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe .1⤵PID:5832
-
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe .2⤵PID:860
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\zpmyxnhatxsamduiwka.exe*."3⤵PID:3728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe1⤵PID:6140
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5908
-
-
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe2⤵PID:2352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe1⤵PID:3808
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe2⤵PID:1308
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:6076
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4800
-
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:1444
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe .1⤵PID:1228
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4976
-
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe .2⤵PID:2744
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ftoyvjbsjlekujykw.exe*."3⤵PID:4260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .1⤵PID:2404
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .2⤵PID:3788
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mdboofauotpyldvkzofd.exe*."3⤵PID:1528
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵PID:1156
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵PID:5140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe .1⤵PID:2128
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe .2⤵PID:1904
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ftoyvjbsjlekujykw.exe*."3⤵PID:4416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .1⤵PID:5064
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2828
-
-
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .2⤵PID:4732
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ftoyvjbsjlekujykw.exe*."3⤵PID:3952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵PID:1112
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1432
-
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵PID:5040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe1⤵PID:4644
-
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe2⤵PID:5196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .1⤵PID:5408
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .2⤵PID:132
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ylfokxoeuvnsbpdo.exe*."3⤵PID:3832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe .1⤵PID:2864
-
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe .2⤵PID:2228
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ylfokxoeuvnsbpdo.exe*."3⤵PID:2492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵PID:4004
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵PID:2476
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe1⤵PID:4964
-
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe2⤵PID:1300
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .1⤵PID:2900
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .2⤵PID:2164
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mdboofauotpyldvkzofd.exe*."3⤵PID:3152
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .1⤵PID:5116
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .2⤵PID:2092
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mdboofauotpyldvkzofd.exe*."3⤵PID:2180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵PID:5724
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵PID:5936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .1⤵PID:3100
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5876
-
-
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .2⤵PID:2084
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ftoyvjbsjlekujykw.exe*."3⤵PID:5508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:3168
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:5664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe .1⤵PID:3976
-
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe .2⤵PID:4856
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\btsghzvqlroymfyoeumlz.exe*."3⤵PID:4868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:1840
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:4000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe .1⤵PID:3460
-
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe .2⤵PID:940
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ylfokxoeuvnsbpdo.exe*."3⤵PID:3176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵PID:3336
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5888
-
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵PID:1872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .1⤵PID:1496
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .2⤵PID:3904
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ylfokxoeuvnsbpdo.exe*."3⤵PID:3520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵PID:4352
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵PID:5856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .1⤵PID:5776
-
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .2⤵PID:556
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\odzkixqiadxepfvivi.exe*."3⤵PID:5844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe1⤵PID:892
-
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe2⤵PID:4400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe .1⤵PID:5784
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe .2⤵PID:1604
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ftoyvjbsjlekujykw.exe*."3⤵PID:6068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:2748
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:4796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe .1⤵PID:3112
-
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe .2⤵PID:948
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\mdboofauotpyldvkzofd.exe*."3⤵PID:5212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe1⤵PID:576
-
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe2⤵PID:2352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .1⤵PID:1728
-
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .2⤵PID:244
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\btsghzvqlroymfyoeumlz.exe*."3⤵PID:1080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe1⤵PID:1384
-
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe2⤵PID:5688
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .1⤵PID:2316
-
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .2⤵PID:4984
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\zpmyxnhatxsamduiwka.exe*."3⤵PID:4872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:1448
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:5480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe .1⤵PID:4416
-
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe .2⤵PID:796
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\btsghzvqlroymfyoeumlz.exe*."3⤵PID:3848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe1⤵PID:2964
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1592
-
-
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe2⤵PID:2984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe .1⤵PID:6120
-
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe .2⤵PID:4248
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\odzkixqiadxepfvivi.exe*."3⤵PID:5956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵PID:4572
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵PID:1052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .1⤵PID:5308
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .2⤵PID:4432
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mdboofauotpyldvkzofd.exe*."3⤵PID:4904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe1⤵PID:3192
-
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe2⤵PID:2492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .1⤵PID:4536
-
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .2⤵PID:2092
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\zpmyxnhatxsamduiwka.exe*."3⤵PID:4624
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:1976
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:1668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe .1⤵PID:4644
-
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe .2⤵PID:3604
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\zpmyxnhatxsamduiwka.exe*."3⤵PID:2972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe1⤵PID:5496
-
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe2⤵PID:1040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe .1⤵PID:1176
-
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe .2⤵PID:5408
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\btsghzvqlroymfyoeumlz.exe*."3⤵PID:3100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe1⤵PID:1500
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3004
-
-
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe2⤵PID:5468
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .1⤵PID:3116
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .2⤵PID:5852
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mdboofauotpyldvkzofd.exe*."3⤵PID:4488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe1⤵PID:1876
-
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe2⤵PID:5148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .1⤵PID:4132
-
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .2⤵PID:4612
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ftoyvjbsjlekujykw.exe*."3⤵PID:2992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe1⤵PID:1992
-
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe2⤵PID:1552
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe .1⤵PID:3516
-
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe .2⤵PID:760
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\odzkixqiadxepfvivi.exe*."3⤵PID:1428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:3904
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:3520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe .1⤵PID:5856
-
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe .2⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ylfokxoeuvnsbpdo.exe*."3⤵PID:3012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe1⤵PID:336
-
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe2⤵PID:6124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .1⤵PID:5776
-
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .2⤵PID:2312
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\btsghzvqlroymfyoeumlz.exe*."3⤵PID:3596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe1⤵PID:1128
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe2⤵PID:6096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .1⤵PID:5600
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .2⤵PID:2032
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mdboofauotpyldvkzofd.exe*."3⤵PID:5560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe1⤵PID:1188
-
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe2⤵PID:3240
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe .1⤵PID:1004
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe .2⤵PID:3728
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ftoyvjbsjlekujykw.exe*."3⤵PID:5656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe1⤵PID:908
-
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe2⤵PID:1568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe .1⤵PID:2256
-
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe .2⤵PID:3180
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\odzkixqiadxepfvivi.exe*."3⤵PID:6108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe1⤵PID:1596
-
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe2⤵PID:3184
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .1⤵PID:2116
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .2⤵PID:2436
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mdboofauotpyldvkzofd.exe*."3⤵PID:4360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe1⤵PID:5264
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe2⤵PID:3588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .1⤵PID:2388
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5480
-
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .2⤵PID:3024
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ylfokxoeuvnsbpdo.exe*."3⤵PID:1200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:1228
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:1532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe .1⤵PID:4520
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe .2⤵PID:3812
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ftoyvjbsjlekujykw.exe*."3⤵PID:2128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:5584
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:2268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe1⤵PID:2976
-
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe2⤵PID:4888
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe1⤵PID:448
-
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe2⤵PID:4928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe .1⤵PID:4004
-
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe .2⤵PID:3224
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ylfokxoeuvnsbpdo.exe*."3⤵PID:4768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe .1⤵PID:348
-
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe .2⤵PID:1828
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\odzkixqiadxepfvivi.exe*."3⤵PID:5088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe .1⤵PID:4172
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1164
-
-
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe .2⤵PID:5840
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\zpmyxnhatxsamduiwka.exe*."3⤵PID:4132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵PID:3776
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵PID:1644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe1⤵PID:1812
-
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe2⤵PID:1956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .1⤵PID:2220
-
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .2⤵PID:5228
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\zpmyxnhatxsamduiwka.exe*."3⤵PID:2240
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe .1⤵PID:5724
-
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe .2⤵PID:2780
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\mdboofauotpyldvkzofd.exe*."3⤵PID:328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:1040
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:5180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe1⤵PID:4236
-
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe2⤵PID:1880
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .1⤵PID:1500
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3500
-
-
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .2⤵PID:3612
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ftoyvjbsjlekujykw.exe*."3⤵PID:1464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe .1⤵PID:2372
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3108
-
-
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe .2⤵PID:4712
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\mdboofauotpyldvkzofd.exe*."3⤵PID:5156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵PID:1796
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵PID:5132
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵PID:5232
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵PID:388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .1⤵PID:2548
-
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .2⤵PID:4692
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\zpmyxnhatxsamduiwka.exe*."3⤵PID:3028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .1⤵PID:4000
-
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe .2⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\zpmyxnhatxsamduiwka.exe*."3⤵PID:3132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵PID:1552
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵PID:4264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .1⤵PID:3336
-
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .2⤵PID:6020
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ftoyvjbsjlekujykw.exe*."3⤵PID:1132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵PID:5168
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵PID:6096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .1⤵PID:6136
-
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .2⤵PID:1436
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\odzkixqiadxepfvivi.exe*."3⤵PID:3300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe1⤵PID:1560
-
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe2⤵PID:2516
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe .1⤵PID:720
-
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe .2⤵PID:5660
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\btsghzvqlroymfyoeumlz.exe*."3⤵PID:1568
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe1⤵PID:5212
-
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe2⤵PID:576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe .1⤵PID:2352
-
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe .2⤵PID:2884
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\mdboofauotpyldvkzofd.exe*."3⤵PID:6140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe1⤵PID:3180
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe2⤵PID:2684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .1⤵PID:2716
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe .2⤵PID:5928
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mdboofauotpyldvkzofd.exe*."3⤵PID:5748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe1⤵PID:2144
-
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe2⤵PID:3404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .1⤵PID:2744
-
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .2⤵PID:5060
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\btsghzvqlroymfyoeumlz.exe*."3⤵PID:3592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ylfokxoeuvnsbpdo.exe1⤵PID:6052
-
C:\Windows\ylfokxoeuvnsbpdo.exeylfokxoeuvnsbpdo.exe2⤵PID:2476
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe .1⤵PID:3664
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3952
-
-
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe .2⤵PID:1152
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\zpmyxnhatxsamduiwka.exe*."3⤵PID:5428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:5252
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:4964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mdboofauotpyldvkzofd.exe .1⤵PID:2272
-
C:\Windows\mdboofauotpyldvkzofd.exemdboofauotpyldvkzofd.exe .2⤵PID:448
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\mdboofauotpyldvkzofd.exe*."3⤵PID:3760
-
C:\Users\Admin\AppData\Local\Temp\xakxbkl.exe"C:\Users\Admin\AppData\Local\Temp\xakxbkl.exe" "-C:\Users\Admin\AppData\Local\Temp\wibxkcmisildirft.exe"4⤵PID:2748
-
-
C:\Users\Admin\AppData\Local\Temp\xakxbkl.exe"C:\Users\Admin\AppData\Local\Temp\xakxbkl.exe" "-C:\Users\Admin\AppData\Local\Temp\wibxkcmisildirft.exe"4⤵PID:3428
-
-
C:\Users\Admin\AppData\Local\Temp\xakxbkl.exe"C:\Users\Admin\AppData\Local\Temp\xakxbkl.exe" "-C:\Users\Admin\AppData\Local\Temp\wibxkcmisildirft.exe"4⤵PID:3416
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe1⤵PID:5736
-
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe2⤵PID:3504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .1⤵PID:5292
-
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .2⤵PID:1644
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\odzkixqiadxepfvivi.exe*."3⤵PID:1772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe1⤵PID:5016
-
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe2⤵PID:2868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .1⤵PID:4300
-
C:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exeC:\Users\Admin\AppData\Local\Temp\btsghzvqlroymfyoeumlz.exe .2⤵PID:2188
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\btsghzvqlroymfyoeumlz.exe*."3⤵PID:5324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mavticomyqvpwhxnan.exe1⤵PID:5936
-
C:\Windows\mavticomyqvpwhxnan.exemavticomyqvpwhxnan.exe2⤵PID:2584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dqkhvozwhycvblapb.exe .1⤵PID:4524
-
C:\Windows\dqkhvozwhycvblapb.exedqkhvozwhycvblapb.exe .2⤵PID:940
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\dqkhvozwhycvblapb.exe*."3⤵PID:5876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xmihxsferkqltfwnbpb.exe1⤵PID:5148
-
C:\Windows\xmihxsferkqltfwnbpb.exexmihxsferkqltfwnbpb.exe2⤵PID:2780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mavticomyqvpwhxnan.exe .1⤵PID:2260
-
C:\Windows\mavticomyqvpwhxnan.exemavticomyqvpwhxnan.exe .2⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\mavticomyqvpwhxnan.exe*."3⤵PID:1968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe1⤵PID:5508
-
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe2⤵PID:3624
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xmihxsferkqltfwnbpb.exe1⤵PID:4236
-
C:\Users\Admin\AppData\Local\Temp\xmihxsferkqltfwnbpb.exeC:\Users\Admin\AppData\Local\Temp\xmihxsferkqltfwnbpb.exe2⤵PID:2324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wibxkcmisildirft.exe .1⤵PID:5200
-
C:\Users\Admin\AppData\Local\Temp\wibxkcmisildirft.exeC:\Users\Admin\AppData\Local\Temp\wibxkcmisildirft.exe .2⤵PID:5084
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\wibxkcmisildirft.exe*."3⤵PID:4992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe .1⤵PID:796
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe .2⤵PID:1408
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\ftoyvjbsjlekujykw.exe*."3⤵PID:5156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ftoyvjbsjlekujykw.exe1⤵PID:2376
-
C:\Windows\ftoyvjbsjlekujykw.exeftoyvjbsjlekujykw.exe2⤵PID:2392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavticomyqvpwhxnan.exe1⤵PID:4244
-
C:\Users\Admin\AppData\Local\Temp\mavticomyqvpwhxnan.exeC:\Users\Admin\AppData\Local\Temp\mavticomyqvpwhxnan.exe2⤵PID:2992
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe .1⤵PID:4696
-
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe .2⤵PID:2372
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\btsghzvqlroymfyoeumlz.exe*."3⤵PID:396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavticomyqvpwhxnan.exe .1⤵PID:3492
-
C:\Users\Admin\AppData\Local\Temp\mavticomyqvpwhxnan.exeC:\Users\Admin\AppData\Local\Temp\mavticomyqvpwhxnan.exe .2⤵PID:1132
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\mavticomyqvpwhxnan.exe*."3⤵PID:5288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe1⤵PID:560
-
C:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exeC:\Users\Admin\AppData\Local\Temp\mdboofauotpyldvkzofd.exe2⤵PID:1896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .1⤵PID:792
-
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .2⤵PID:980
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ftoyvjbsjlekujykw.exe*."3⤵PID:3460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe1⤵PID:4000
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe2⤵PID:4952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .1⤵PID:3520
-
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe .2⤵PID:2900
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ftoyvjbsjlekujykw.exe*."3⤵PID:2500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe1⤵PID:3524
-
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe2⤵PID:720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odzkixqiadxepfvivi.exe .1⤵PID:5860
-
C:\Windows\odzkixqiadxepfvivi.exeodzkixqiadxepfvivi.exe .2⤵PID:1444
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\odzkixqiadxepfvivi.exe*."3⤵PID:5212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zpmyxnhatxsamduiwka.exe1⤵PID:1728
-
C:\Windows\zpmyxnhatxsamduiwka.exezpmyxnhatxsamduiwka.exe2⤵PID:4080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c btsghzvqlroymfyoeumlz.exe .1⤵PID:5176
-
C:\Windows\btsghzvqlroymfyoeumlz.exebtsghzvqlroymfyoeumlz.exe .2⤵PID:3184
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\windows\btsghzvqlroymfyoeumlz.exe*."3⤵PID:5188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe1⤵PID:6008
-
C:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exeC:\Users\Admin\AppData\Local\Temp\zpmyxnhatxsamduiwka.exe2⤵PID:4772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .1⤵PID:5748
-
C:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exeC:\Users\Admin\AppData\Local\Temp\ylfokxoeuvnsbpdo.exe .2⤵PID:3588
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\ylfokxoeuvnsbpdo.exe*."3⤵PID:892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe1⤵PID:3028
-
C:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exeC:\Users\Admin\AppData\Local\Temp\ftoyvjbsjlekujykw.exe2⤵PID:2004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .1⤵PID:5300
-
C:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exeC:\Users\Admin\AppData\Local\Temp\odzkixqiadxepfvivi.exe .2⤵PID:4356
-
C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe"C:\Users\Admin\AppData\Local\Temp\cpptclrxmzz.exe" "c:\users\admin\appdata\local\temp\odzkixqiadxepfvivi.exe*."3⤵PID:716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kaxxokyymgnjsfxpetgw.exe1⤵PID:1780
-
C:\Windows\kaxxokyymgnjsfxpetgw.exekaxxokyymgnjsfxpetgw.exe2⤵PID:1888
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dqkhvozwhycvblapb.exe .1⤵PID:5396
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Impair Defenses
2Disable or Modify Tools
1Safe Mode Boot
1Modify Registry
5
Downloads
-
Filesize
280B
MD5e010762f703df24fd612bea538b06c9b
SHA1add8886e095bec92adff8a5d4ed6b1c507d83c45
SHA25667842116bcbe701c6368a7746b3e6d2866f2fadc32bf1493ee69d07a7f47292f
SHA512797cd3c4ecf18cd5bc85cb1bf1b9388967754098d3ac893bb980fa26149c04f26856b713eca155ee4846940cf1c94264627bc1e14da97e665012f5c101a005ce
-
Filesize
280B
MD529f1f6e3868734ffbd9babbd02be8b13
SHA1b179f4c219efa64c7312df7efd1f429601d7e17f
SHA25692f85e00b7bcd17c365cea4d59db53f6e0b50004a4ba2588b18f24338a4c2d7c
SHA5121600adec41a727211e2a166b6d0eed961890fa257511c565f7cfa33113ab9a88cfc1f2fa8411e21029a75d07e65efd529e186ad3a0908c6c5df4eaa59de03284
-
Filesize
280B
MD520789a45f97cd972405be04ccf4695a2
SHA1cdfcb5b5419a161af265813a0df1506240dd85be
SHA2566bcac48f5ad06877459ecadc2b997cd7b3665c11c12b361a7054a692f4bdb1d5
SHA512f71aa339ecf4bdfdf6e20fb41e2639365a1c0be556deb2742b94ac55b100d3c4780ff40fb9d8c8c3a42980f4c121b2a03bb7e3db82ec47d017d1b06f518ae600
-
Filesize
280B
MD55538f6bdc08b44cf3f7272d016ba8384
SHA1f5e73994a8c03dc1ba51fd58d411772a84fe3b86
SHA25645920b74b3a8252e0cd24f6e5b078d4ee67e27d10e21c5c17faf5be2b57a27bd
SHA51286cc6793533b2c6d4cc1a05a058eeaf98f6e73beb6c6c7263709630e7547c871f443a15321002d2d343a16bbbfa2acd32bbc9f551847891c3531c32ba71ae1c0
-
Filesize
280B
MD5b64b48960b2a7440e915fd482552768a
SHA1ede3542d60622cf4bdf50b4baf31937155c7e911
SHA256e0241377f12979e4260f1293060d9a130e76272fe03c3dcf5beed1263c909b8a
SHA512da6430cd70d2c6192d6fa670ed3bd7b25652c8c1caed19e4258f3925256ea8aa63888b308e8b5fb8aec7a02d515db7132cd27407243ea07df4b245125edfaa90
-
Filesize
280B
MD56ce56e32e7e82f732c963b7573ab0948
SHA12bcc6b2c30d88d370db9f5d5b881da1d19278a58
SHA256688bdb4bd634eb62a981ed45cca9df4fcf40b59fd0fa1155732c883c7c69588b
SHA5124866ed85293bbceb1dda1a915c59b6fd82c048f1bb4a40277f4728fed82a3b22ffa57ace1d1080a8a9c60881b9952a27bda14763845e3f8d956a4c93a8f6d384
-
Filesize
280B
MD5961e20c0afe4e8fc7592ad3bcbcd8603
SHA1fcdeb5c06bc3f21239568eca71c9b8f83d171394
SHA2565de52411c43416f99d86220324ccff2efc5e2f33c9cf68d128bf422c4703fcf7
SHA512f4fd51bd0845ae9aa73f12a7403ca9c53f51aa2eb5c3e7ea301befff956d212b76aedc7a762e8c6815fd1ac3b65385c0088421681f6623fec9947a5410f32335
-
Filesize
692KB
MD526b6b6241a89e767f3ec1a5b7dc53c0c
SHA18c0aa7286ee9bd03ca57d4738a2a0f3532dfac78
SHA256512ed7fa66a3fc5b6835e9d06116d47455723d9710cdd4a1689a8a426630c247
SHA51290a15bf41aea1d4ed920f6b204930bb9d3cc16e437270a32c42f1abe940ef747d5178703724c46e20c125d7bc1ba2e35934c73b61004e0eec4079f46f965626f
-
Filesize
320KB
MD5f05247bae2f7e2befdebd7d8382063dc
SHA1e9ddb54fe5f9e6c118cbb805fedaeb279c275f54
SHA256f0f87759bf34ead91d50f10084c3c923038f63664b5addc0ef2d537064ce200f
SHA512acf4c6fa42b5843d0f41a0e64a78d26fffb7170051179a20cd0c6b38a6227d42f24abd2ddd5b1915c0d45d9d3c9fd4db5b21cf4c32b3219903fc6d323f5e0b51
-
Filesize
280B
MD555e890492ab332696ccbb371a5cc9f11
SHA16e0c7bb57ec997a441e9955edb33a934da43b4eb
SHA256b64f01af5d4c445e8ce049a098838cfadf87efecd596bd070d21d193a4a42e2c
SHA51249239990a55cfa8de2d81d537cb30108584c5df3645950a049ca6aed332a27c716ca0062ebf7e348b4d0e8e361ddcb7458d2972d9818f294ebc7d8f62508e4d6
-
Filesize
4KB
MD5d49a1dfe4144826cc7cfa8bf684ca76b
SHA1a9b83f92e5174d11f481ae0410d35630a9b942ff
SHA25648f639d73e37e291bcb50cd55f4179dd1da693b5e244033d3050bbcdc4bb14d5
SHA512fd37d6b40e4a391bed5e8edfaea5d7f91aec8e872bcb03a0c71ab10f6f1b47a5a1486c966bc7c6f534ad9abae67eac7c83f6e3fa2f93b5a99ce26abc61e418b0
-
Filesize
952KB
MD5bd0b66050d49b213e682c9f3dbddd4f4
SHA13e6dc7c446dc88cd3b9aa237c8d4836bff134a18
SHA25636f7aefe30f8fdda2c6a568efa39ed27bd09956fc7123a034285cf8e5f0d91a7
SHA5127d0b3e9d573564d7d937b9ec83f21682a692c5ddb3797b155866b7620ecfebd6d2e444ab6d5a3f17b0d15a2db6af11f84aedfc93671c68d239cd2236c3b75ffa