Analysis
max time kernel
53s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags
arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted
18/04/2025, 11:32
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_bddd16d20828ab7fce7d46416ccf084f.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral2
Sample
JaffaCakes118_bddd16d20828ab7fce7d46416ccf084f.exe
Resource
win11-20250410-en
General
Target
JaffaCakes118_bddd16d20828ab7fce7d46416ccf084f.exe
Size
612KB
MD5
bddd16d20828ab7fce7d46416ccf084f
SHA1
87067755449ba7bc2cbbf04edae0a03b60e0c91a
SHA256
57c85e0a2c34c0e1e6a434194422f6c3a1fd44d66bc1848803fa0421b621fdd7
SHA512
350ab8929b2a3bdc27fe8465fb5cd3f28885898fd09a91e884efcd6bfde777b5ed26e1dca9de2fc89ed79efdb276f5713b1c08a0a5b88c8809238e035bd6b425
SSDEEP
6144:fmXqNhOPOUFLccF/nHkcPLRFB/fhLeiNruEnOldMrhJ11PUM1nF1WQZmhYCu:fmaNhOPnxBnHkapLjTn/rhlUy1WaA4
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 27 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" edint.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" edint.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gwijnolzqgs.exe
Pykspa family
UAC bypass 3 TTPs 36 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" edint.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" edint.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" edint.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" edint.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" edint.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" edint.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" edint.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" edint.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Detect Pykspa worm 2 IoCs
resource yara_rule
behavioral2/files/0x001400000002ac93-4.dat family_pykspa
behavioral2/files/0x001900000002b18e-85.dat family_pykspa
Adds policy Run key to start application 2 TTPs 64 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbpdsgqixhngvz = "itkbtkxskxgcublsv.exe" gwijnolzqgs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbpdsgqixhngvz = "blbriykevhpkbhqw.exe" edint.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gwijnolzqgs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbmxjubqcjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etojfarqmdqqmxlwdbshc.exe" gwijnolzqgs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbmxjubqcjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itkbtkxskxgcublsv.exe" gwijnolzqgs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbmxjubqcjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etojfarqmdqqmxlwdbshc.exe" gwijnolzqgs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run edint.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbmxjubqcjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etojfarqmdqqmxlwdbshc.exe" edint.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbmxjubqcjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etojfarqmdqqmxlwdbshc.exe" gwijnolzqgs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbpdsgqixhngvz = "pdxrmgwupfrqlvisyvlz.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbmxjubqcjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdxrmgwupfrqlvisyvlz.exe" gwijnolzqgs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbmxjubqcjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdxrmgwupfrqlvisyvlz.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbmxjubqcjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cpibvodaujusmvhqvrg.exe" edint.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbpdsgqixhngvz = "cpibvodaujusmvhqvrg.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbpdsgqixhngvz = "etojfarqmdqqmxlwdbshc.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbpdsgqixhngvz = "cpibvodaujusmvhqvrg.exe" edint.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbmxjubqcjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\blbriykevhpkbhqw.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbpdsgqixhngvz = "blbriykevhpkbhqw.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbmxjubqcjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdxrmgwupfrqlvisyvlz.exe" edint.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gwijnolzqgs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gwijnolzqgs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbpdsgqixhngvz = "cpibvodaujusmvhqvrg.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbpdsgqixhngvz = "blbriykevhpkbhqw.exe" gwijnolzqgs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbmxjubqcjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itkbtkxskxgcublsv.exe" gwijnolzqgs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbpdsgqixhngvz = "etojfarqmdqqmxlwdbshc.exe" edint.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbpdsgqixhngvz = "rdvngymibpzwpxiqup.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbpdsgqixhngvz = "pdxrmgwupfrqlvisyvlz.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbmxjubqcjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etojfarqmdqqmxlwdbshc.exe" gwijnolzqgs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbmxjubqcjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdvngymibpzwpxiqup.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbpdsgqixhngvz = "blbriykevhpkbhqw.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbmxjubqcjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cpibvodaujusmvhqvrg.exe" gwijnolzqgs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbpdsgqixhngvz = "pdxrmgwupfrqlvisyvlz.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbpdsgqixhngvz = "etojfarqmdqqmxlwdbshc.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbpdsgqixhngvz = "pdxrmgwupfrqlvisyvlz.exe" gwijnolzqgs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbmxjubqcjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itkbtkxskxgcublsv.exe" edint.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbpdsgqixhngvz = "itkbtkxskxgcublsv.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbpdsgqixhngvz = "itkbtkxskxgcublsv.exe" edint.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbmxjubqcjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\blbriykevhpkbhqw.exe" edint.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbmxjubqcjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itkbtkxskxgcublsv.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbmxjubqcjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\blbriykevhpkbhqw.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbpdsgqixhngvz = "itkbtkxskxgcublsv.exe" gwijnolzqgs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbpdsgqixhngvz = "etojfarqmdqqmxlwdbshc.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbpdsgqixhngvz = "itkbtkxskxgcublsv.exe" edint.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gwijnolzqgs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gwijnolzqgs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbmxjubqcjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdvngymibpzwpxiqup.exe" gwijnolzqgs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tbpdsgqixhngvz = "rdvngymibpzwpxiqup.exe" edint.exe
Disables RegEdit via registry modification 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" gwijnolzqgs.exe
Set value (int) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" edint.exe
Set value (int) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" edint.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" edint.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" edint.exe
Set value (int) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" gwijnolzqgs.exe
Executes dropped EXE 64 IoCs
pid Process
3144 gwijnolzqgs.exe
1960 etojfarqmdqqmxlwdbshc.exe
5772 blbriykevhpkbhqw.exe
5392 gwijnolzqgs.exe
4408 pdxrmgwupfrqlvisyvlz.exe
2268 rdvngymibpzwpxiqup.exe
5396 gwijnolzqgs.exe
5076 blbriykevhpkbhqw.exe
4196 rdvngymibpzwpxiqup.exe
5096 gwijnolzqgs.exe
5228 etojfarqmdqqmxlwdbshc.exe
2020 rdvngymibpzwpxiqup.exe
3484 gwijnolzqgs.exe
5924 edint.exe
796 edint.exe
3548 etojfarqmdqqmxlwdbshc.exe
3908 cpibvodaujusmvhqvrg.exe
240 rdvngymibpzwpxiqup.exe
3300 gwijnolzqgs.exe
4588 rdvngymibpzwpxiqup.exe
2524 rdvngymibpzwpxiqup.exe
5524 gwijnolzqgs.exe
1244 rdvngymibpzwpxiqup.exe
3556 pdxrmgwupfrqlvisyvlz.exe
2068 cpibvodaujusmvhqvrg.exe
3388 gwijnolzqgs.exe
1296 itkbtkxskxgcublsv.exe
4876 etojfarqmdqqmxlwdbshc.exe
5868 etojfarqmdqqmxlwdbshc.exe
5748 gwijnolzqgs.exe
5808 pdxrmgwupfrqlvisyvlz.exe
5796 gwijnolzqgs.exe
4240 etojfarqmdqqmxlwdbshc.exe
5872 gwijnolzqgs.exe
4604 itkbtkxskxgcublsv.exe
3988 etojfarqmdqqmxlwdbshc.exe
5696 gwijnolzqgs.exe
2536 rdvngymibpzwpxiqup.exe
664 gwijnolzqgs.exe
5504 etojfarqmdqqmxlwdbshc.exe
1112 blbriykevhpkbhqw.exe
4940 gwijnolzqgs.exe
5016 itkbtkxskxgcublsv.exe
5856 etojfarqmdqqmxlwdbshc.exe
5036 cpibvodaujusmvhqvrg.exe
5408 gwijnolzqgs.exe
4700 rdvngymibpzwpxiqup.exe
5160 gwijnolzqgs.exe
5252 blbriykevhpkbhqw.exe
5900 rdvngymibpzwpxiqup.exe
3484 gwijnolzqgs.exe
4272 itkbtkxskxgcublsv.exe
3616 pdxrmgwupfrqlvisyvlz.exe
3048 gwijnolzqgs.exe
1068 itkbtkxskxgcublsv.exe
2856 pdxrmgwupfrqlvisyvlz.exe
3624 cpibvodaujusmvhqvrg.exe
3548 pdxrmgwupfrqlvisyvlz.exe
3420 gwijnolzqgs.exe
5556 etojfarqmdqqmxlwdbshc.exe
5596 rdvngymibpzwpxiqup.exe
5056 cpibvodaujusmvhqvrg.exe
2736 gwijnolzqgs.exe
1720 etojfarqmdqqmxlwdbshc.exe
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description ioc Process
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager edint.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys edint.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc edint.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power edint.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys edint.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc edint.exe
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tzlxkweuhptk = "pdxrmgwupfrqlvisyvlz.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tzlxkweuhptk = "etojfarqmdqqmxlwdbshc.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rdvngymibpzwpxiqup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etojfarqmdqqmxlwdbshc.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rdvngymibpzwpxiqup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itkbtkxskxgcublsv.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rdvngymibpzwpxiqup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etojfarqmdqqmxlwdbshc.exe" edint.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\blbriykevhpkbhqw = "etojfarqmdqqmxlwdbshc.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfujzozsitaukpx = "itkbtkxskxgcublsv.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\szmznajaoxcui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etojfarqmdqqmxlwdbshc.exe ." edint.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\itkbtkxskxgcublsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itkbtkxskxgcublsv.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\itkbtkxskxgcublsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdxrmgwupfrqlvisyvlz.exe ." edint.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rdvngymibpzwpxiqup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\blbriykevhpkbhqw.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\itkbtkxskxgcublsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\blbriykevhpkbhqw.exe ." edint.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\tzlxkweuhptk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdxrmgwupfrqlvisyvlz.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szmznajaoxcui = "blbriykevhpkbhqw.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\tzlxkweuhptk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\blbriykevhpkbhqw.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rdvngymibpzwpxiqup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etojfarqmdqqmxlwdbshc.exe" edint.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tzlxkweuhptk = "rdvngymibpzwpxiqup.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tzlxkweuhptk = "rdvngymibpzwpxiqup.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szmznajaoxcui = "etojfarqmdqqmxlwdbshc.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfujzozsitaukpx = "etojfarqmdqqmxlwdbshc.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tzlxkweuhptk = "etojfarqmdqqmxlwdbshc.exe" edint.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\itkbtkxskxgcublsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdvngymibpzwpxiqup.exe ." edint.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\tzlxkweuhptk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdxrmgwupfrqlvisyvlz.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\blbriykevhpkbhqw = "blbriykevhpkbhqw.exe ." edint.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szmznajaoxcui = "blbriykevhpkbhqw.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\tzlxkweuhptk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etojfarqmdqqmxlwdbshc.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\itkbtkxskxgcublsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdxrmgwupfrqlvisyvlz.exe ." edint.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\blbriykevhpkbhqw = "cpibvodaujusmvhqvrg.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szmznajaoxcui = "itkbtkxskxgcublsv.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szmznajaoxcui = "itkbtkxskxgcublsv.exe ." edint.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szmznajaoxcui = "pdxrmgwupfrqlvisyvlz.exe ." edint.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\itkbtkxskxgcublsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdvngymibpzwpxiqup.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\szmznajaoxcui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etojfarqmdqqmxlwdbshc.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\blbriykevhpkbhqw = "blbriykevhpkbhqw.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\szmznajaoxcui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdvngymibpzwpxiqup.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfujzozsitaukpx = "pdxrmgwupfrqlvisyvlz.exe" edint.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\blbriykevhpkbhqw = "itkbtkxskxgcublsv.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfujzozsitaukpx = "itkbtkxskxgcublsv.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\szmznajaoxcui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cpibvodaujusmvhqvrg.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\itkbtkxskxgcublsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etojfarqmdqqmxlwdbshc.exe ." edint.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\tzlxkweuhptk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etojfarqmdqqmxlwdbshc.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\szmznajaoxcui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etojfarqmdqqmxlwdbshc.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\tzlxkweuhptk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etojfarqmdqqmxlwdbshc.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\blbriykevhpkbhqw = "rdvngymibpzwpxiqup.exe ." edint.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\szmznajaoxcui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etojfarqmdqqmxlwdbshc.exe ." edint.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\itkbtkxskxgcublsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdxrmgwupfrqlvisyvlz.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\szmznajaoxcui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etojfarqmdqqmxlwdbshc.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\szmznajaoxcui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\blbriykevhpkbhqw.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tzlxkweuhptk = "etojfarqmdqqmxlwdbshc.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfujzozsitaukpx = "rdvngymibpzwpxiqup.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\itkbtkxskxgcublsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cpibvodaujusmvhqvrg.exe ." edint.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\blbriykevhpkbhqw = "rdvngymibpzwpxiqup.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\itkbtkxskxgcublsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cpibvodaujusmvhqvrg.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rdvngymibpzwpxiqup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdxrmgwupfrqlvisyvlz.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\itkbtkxskxgcublsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdvngymibpzwpxiqup.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\blbriykevhpkbhqw = "pdxrmgwupfrqlvisyvlz.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\tzlxkweuhptk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cpibvodaujusmvhqvrg.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\blbriykevhpkbhqw = "pdxrmgwupfrqlvisyvlz.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\szmznajaoxcui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdvngymibpzwpxiqup.exe ." edint.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rdvngymibpzwpxiqup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cpibvodaujusmvhqvrg.exe" gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\blbriykevhpkbhqw = "pdxrmgwupfrqlvisyvlz.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tzlxkweuhptk = "cpibvodaujusmvhqvrg.exe" edint.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\szmznajaoxcui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdxrmgwupfrqlvisyvlz.exe ." gwijnolzqgs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\szmznajaoxcui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\blbriykevhpkbhqw.exe ." gwijnolzqgs.exe
Checks whether UAC is enabled 1 TTPs 54 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | edint.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | edint.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | edint.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | www.showmyipaddress.com
2 | whatismyip.everdot.org
2 | whatismyipaddress.com
2 | www.whatismyip.ca
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | F:\autorun.inf | edint.exe
File created | F:\autorun.inf | edint.exe
File opened for modification | C:\autorun.inf | edint.exe
File created | C:\autorun.inf | edint.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\itkbtkxskxgcublsv.exe | edint.exe
File opened for modification | C:\Windows\SysWOW64\vtxbgkksxxtchbysippnrvaeem.rnw | edint.exe
File opened for modification | C:\Windows\SysWOW64\rdvngymibpzwpxiqup.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\SysWOW64\pdxrmgwupfrqlvisyvlz.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\SysWOW64\itkbtkxskxgcublsv.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\SysWOW64\blbriykevhpkbhqw.exe | edint.exe
File opened for modification | C:\Windows\SysWOW64\etojfarqmdqqmxlwdbshc.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\SysWOW64\cpibvodaujusmvhqvrg.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\SysWOW64\blbriykevhpkbhqw.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\SysWOW64\vlhdawooldrspbqckjbrnj.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\SysWOW64\pdxrmgwupfrqlvisyvlz.exe | edint.exe
File opened for modification | C:\Windows\SysWOW64\wfujzozsitaukpxcdvgpetjyjcsdkeuzhmnfq.odt | edint.exe
File created | C:\Windows\SysWOW64\wfujzozsitaukpxcdvgpetjyjcsdkeuzhmnfq.odt | edint.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\vtxbgkksxxtchbysippnrvaeem.rnw | edint.exe
File created | C:\Program Files (x86)\vtxbgkksxxtchbysippnrvaeem.rnw | edint.exe
File opened for modification | C:\Program Files (x86)\wfujzozsitaukpxcdvgpetjyjcsdkeuzhmnfq.odt | edint.exe
File created | C:\Program Files (x86)\wfujzozsitaukpxcdvgpetjyjcsdkeuzhmnfq.odt | edint.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\vlhdawooldrspbqckjbrnj.exe | edint.exe
File opened for modification | C:\Windows\pdxrmgwupfrqlvisyvlz.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\rdvngymibpzwpxiqup.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\etojfarqmdqqmxlwdbshc.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\blbriykevhpkbhqw.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\cpibvodaujusmvhqvrg.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\itkbtkxskxgcublsv.exe | gwijnolzqgs.exe
File opened for modification | C:\Windows\vlhdawooldrspbqckjbrnj.exe | gwijnolzqgs.exe
File created | C:\Windows\wfujzozsitaukpxcdvgpetjyjcsdkeuzhmnfq.odt | edint.exe
File opened for modification | C:\Windows\blbriykevhpkbhqw.exe | edint.exe
File opened for modification | C:\Windows\etojfarqmdqqmxlwdbshc.exe | edint.exe
File opened for modification | C:\Windows\wfujzozsitaukpxcdvgpetjyjcsdkeuzhmnfq.odt | edint.exe
File opened for modification | C:\Windows\rdvngymibpzwpxiqup.exe | edint.exe
File opened for modification | C:\Windows\cpibvodaujusmvhqvrg.exe | edint.exe
File opened for modification | C:\Windows\pdxrmgwupfrqlvisyvlz.exe | edint.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | etojfarqmdqqmxlwdbshc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rdvngymibpzwpxiqup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | itkbtkxskxgcublsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cpibvodaujusmvhqvrg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | blbriykevhpkbhqw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gwijnolzqgs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_bddd16d20828ab7fce7d46416ccf084f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pdxrmgwupfrqlvisyvlz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | edint.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4504 | JaffaCakes118_bddd16d20828ab7fce7d46416ccf084f.exe
5924 | edint.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5924 | edint.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4504 wrote to memory of 3144 | 4504 | JaffaCakes118_bddd16d20828ab7fce7d46416ccf084f.exe | 78
PID 1496 wrote to memory of 1960 | 1496 | cmd.exe | 81
PID 5432 wrote to memory of 5772 | 5432 | cmd.exe | 84
PID 5772 wrote to memory of 5392 | 5772 | blbriykevhpkbhqw.exe | 85
PID 4928 wrote to memory of 4408 | 4928 | cmd.exe | 88
PID 5012 wrote to memory of 2268 | 5012 | cmd.exe | 91
PID 2268 wrote to memory of 5396 | 2268 | rdvngymibpzwpxiqup.exe | 94
PID 4592 wrote to memory of 5076 | 4592 | cmd.exe | 96
PID 4960 wrote to memory of 4196 | 4960 | cmd.exe | 98
PID 4196 wrote to memory of 5096 | 4196 | rdvngymibpzwpxiqup.exe | 99
PID 5156 wrote to memory of 5228 | 5156 | cmd.exe | 102
PID 6060 wrote to memory of 2020 | 6060 | cmd.exe | 105
PID 2020 wrote to memory of 3484 | 2020 | rdvngymibpzwpxiqup.exe | 192
PID 3144 wrote to memory of 5924 | 3144 | gwijnolzqgs.exe | 107
PID 3144 wrote to memory of 796 | 3144 | gwijnolzqgs.exe | 108
PID 2252 wrote to memory of 3548 | 2252 | cmd.exe | 211
PID 3608 wrote to memory of 3908 | 3608 | cmd.exe | 114
PID 5296 wrote to memory of 240 | 5296 | cmd.exe | 220
PID 240 wrote to memory of 3300 | 240 | rdvngymibpzwpxiqup.exe | 120
PID 2132 wrote to memory of 4588 | 2132 | cmd.exe | 121
PID 5976 wrote to memory of 2524 | 5976 | cmd.exe | 124
PID 4588 wrote to memory of 5524 | 4588 | rdvngymibpzwpxiqup.exe | 125
System policy modification 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bddd16d20828ab7fce7d46416ccf084f.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bddd16d20828ab7fce7d46416ccf084f.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_bddd16d20828ab7fce7d46416ccf084f.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3144 -
C:\Users\Admin\AppData\Local\Temp\edint.exe"C:\Users\Admin\AppData\Local\Temp\edint.exe" "-C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5924
-
-
C:\Users\Admin\AppData\Local\Temp\edint.exe"C:\Users\Admin\AppData\Local\Temp\edint.exe" "-C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe1⤵
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\etojfarqmdqqmxlwdbshc.exeetojfarqmdqqmxlwdbshc.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5432 -
C:\Windows\blbriykevhpkbhqw.exeblbriykevhpkbhqw.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5772 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\blbriykevhpkbhqw.exe*."3⤵
- Executes dropped EXE
PID:5392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\pdxrmgwupfrqlvisyvlz.exepdxrmgwupfrqlvisyvlz.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\rdvngymibpzwpxiqup.exerdvngymibpzwpxiqup.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\rdvngymibpzwpxiqup.exe*."3⤵
- Executes dropped EXE
PID:5396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exeC:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\rdvngymibpzwpxiqup.exe*."3⤵
- Executes dropped EXE
PID:5096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5156 -
C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exeC:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe2⤵
- Executes dropped EXE
PID:5228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:6060 -
C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exeC:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\rdvngymibpzwpxiqup.exe*."3⤵
- Executes dropped EXE
PID:3484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\etojfarqmdqqmxlwdbshc.exeetojfarqmdqqmxlwdbshc.exe2⤵
- Executes dropped EXE
PID:3548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\cpibvodaujusmvhqvrg.execpibvodaujusmvhqvrg.exe2⤵
- Executes dropped EXE
PID:3908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5296 -
C:\Windows\rdvngymibpzwpxiqup.exerdvngymibpzwpxiqup.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:240 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\rdvngymibpzwpxiqup.exe*."3⤵
- Executes dropped EXE
PID:3300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\rdvngymibpzwpxiqup.exerdvngymibpzwpxiqup.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\rdvngymibpzwpxiqup.exe*."3⤵
- Executes dropped EXE
PID:5524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5976 -
C:\Windows\rdvngymibpzwpxiqup.exerdvngymibpzwpxiqup.exe2⤵
- Executes dropped EXE
PID:2524
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe .1⤵PID:4860
-
C:\Windows\rdvngymibpzwpxiqup.exerdvngymibpzwpxiqup.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1244 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\rdvngymibpzwpxiqup.exe*."3⤵
- Executes dropped EXE
PID:3388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe1⤵PID:400
-
C:\Windows\pdxrmgwupfrqlvisyvlz.exepdxrmgwupfrqlvisyvlz.exe2⤵
- Executes dropped EXE
PID:3556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe1⤵PID:4952
-
C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exeC:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe .1⤵PID:4252
-
C:\Windows\itkbtkxskxgcublsv.exeitkbtkxskxgcublsv.exe .2⤵
- Executes dropped EXE
PID:1296 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\itkbtkxskxgcublsv.exe*."3⤵
- Executes dropped EXE
PID:5748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .1⤵PID:4344
-
C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exeC:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4876 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\etojfarqmdqqmxlwdbshc.exe*."3⤵
- Executes dropped EXE
PID:5796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe1⤵PID:4248
-
C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exeC:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe2⤵
- Executes dropped EXE
PID:5868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .1⤵PID:4872
-
C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exeC:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .2⤵
- Executes dropped EXE
PID:5808 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\pdxrmgwupfrqlvisyvlz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe1⤵PID:3008
-
C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exeC:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe2⤵
- Executes dropped EXE
PID:4240
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe .1⤵PID:5212
-
C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exeC:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4604 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\itkbtkxskxgcublsv.exe*."3⤵
- Executes dropped EXE
PID:5696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe1⤵PID:1192
-
C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exeC:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe2⤵
- Executes dropped EXE
PID:3988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .1⤵PID:3016
-
C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exeC:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .2⤵
- Executes dropped EXE
PID:2536 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\rdvngymibpzwpxiqup.exe*."3⤵
- Executes dropped EXE
PID:664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe1⤵PID:2040
-
C:\Windows\etojfarqmdqqmxlwdbshc.exeetojfarqmdqqmxlwdbshc.exe2⤵
- Executes dropped EXE
PID:5504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe .1⤵PID:5164
-
C:\Windows\blbriykevhpkbhqw.exeblbriykevhpkbhqw.exe .2⤵
- Executes dropped EXE
PID:1112 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\blbriykevhpkbhqw.exe*."3⤵
- Executes dropped EXE
PID:4940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe1⤵PID:4896
-
C:\Windows\itkbtkxskxgcublsv.exeitkbtkxskxgcublsv.exe2⤵
- Executes dropped EXE
PID:5016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe .1⤵PID:4928
-
C:\Windows\etojfarqmdqqmxlwdbshc.exeetojfarqmdqqmxlwdbshc.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5856 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\etojfarqmdqqmxlwdbshc.exe*."3⤵
- Executes dropped EXE
PID:5408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe1⤵PID:2268
-
C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exeC:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe2⤵
- Executes dropped EXE
PID:5036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .1⤵PID:4416
-
C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exeC:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .2⤵
- Executes dropped EXE
PID:4700 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\rdvngymibpzwpxiqup.exe*."3⤵
- Executes dropped EXE
PID:5160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe1⤵PID:3460
-
C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe2⤵
- Executes dropped EXE
PID:5252
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .1⤵PID:1288
-
C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exeC:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5900 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\rdvngymibpzwpxiqup.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe1⤵PID:5644
-
C:\Windows\itkbtkxskxgcublsv.exeitkbtkxskxgcublsv.exe2⤵
- Executes dropped EXE
PID:4272
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe .1⤵PID:3168
-
C:\Windows\pdxrmgwupfrqlvisyvlz.exepdxrmgwupfrqlvisyvlz.exe .2⤵
- Executes dropped EXE
PID:3616 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\pdxrmgwupfrqlvisyvlz.exe*."3⤵
- Executes dropped EXE
PID:3048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe1⤵PID:5152
-
C:\Windows\itkbtkxskxgcublsv.exeitkbtkxskxgcublsv.exe2⤵
- Executes dropped EXE
PID:1068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe1⤵PID:5288
-
C:\Windows\pdxrmgwupfrqlvisyvlz.exepdxrmgwupfrqlvisyvlz.exe2⤵
- Executes dropped EXE
PID:2856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe .1⤵PID:840
-
C:\Windows\cpibvodaujusmvhqvrg.execpibvodaujusmvhqvrg.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3624 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\cpibvodaujusmvhqvrg.exe*."3⤵
- Executes dropped EXE
PID:3420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe1⤵PID:1688
-
C:\Windows\pdxrmgwupfrqlvisyvlz.exepdxrmgwupfrqlvisyvlz.exe2⤵
- Executes dropped EXE
PID:3548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe1⤵PID:1384
-
C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exeC:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe2⤵
- Executes dropped EXE
PID:5556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe .1⤵PID:1052
-
C:\Windows\rdvngymibpzwpxiqup.exerdvngymibpzwpxiqup.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5596 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\rdvngymibpzwpxiqup.exe*."3⤵
- Executes dropped EXE
PID:2736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe .1⤵PID:5360
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:240
-
-
C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exeC:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5056 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\cpibvodaujusmvhqvrg.exe*."3⤵PID:2444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe .1⤵PID:2164
-
C:\Windows\etojfarqmdqqmxlwdbshc.exeetojfarqmdqqmxlwdbshc.exe .2⤵
- Executes dropped EXE
PID:1720 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\etojfarqmdqqmxlwdbshc.exe*."3⤵PID:5508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe1⤵PID:3656
-
C:\Windows\cpibvodaujusmvhqvrg.execpibvodaujusmvhqvrg.exe2⤵PID:3556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe1⤵PID:5380
-
C:\Windows\cpibvodaujusmvhqvrg.execpibvodaujusmvhqvrg.exe2⤵PID:3388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe .1⤵PID:6056
-
C:\Windows\etojfarqmdqqmxlwdbshc.exeetojfarqmdqqmxlwdbshc.exe .2⤵PID:3044
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\etojfarqmdqqmxlwdbshc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe1⤵PID:5624
-
C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exeC:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe2⤵PID:5168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe .1⤵PID:6116
-
C:\Windows\rdvngymibpzwpxiqup.exerdvngymibpzwpxiqup.exe .2⤵PID:660
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\rdvngymibpzwpxiqup.exe*."3⤵PID:4984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe1⤵PID:5912
-
C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exeC:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe2⤵PID:3196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .1⤵PID:1988
-
C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exeC:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .2⤵PID:6104
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\pdxrmgwupfrqlvisyvlz.exe*."3⤵PID:5108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe1⤵PID:5420
-
C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exeC:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe2⤵PID:4688
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .1⤵PID:4852
-
C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exeC:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .2⤵
- System Location Discovery: System Language Discovery
PID:912 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\rdvngymibpzwpxiqup.exe*."3⤵PID:3156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe .1⤵PID:6052
-
C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exeC:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe .2⤵PID:1408
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\itkbtkxskxgcublsv.exe*."3⤵PID:3036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe1⤵PID:1320
-
C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe2⤵PID:4784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe1⤵PID:4724
-
C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe2⤵PID:724
-
-
[1] C:\Windows\system32\cmd.exe | PID 324 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe | PID 5376 | C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 5664 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\etojfarqmdqqmxlwdbshc.exe*."

[1] C:\Windows\system32\cmd.exe | PID 2552 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe | PID 4112 | C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 1448 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\etojfarqmdqqmxlwdbshc.exe*."

[1] C:\Windows\system32\cmd.exe | PID 2152 | C:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe
  [2] C:\Windows\pdxrmgwupfrqlvisyvlz.exe | PID 5328 | pdxrmgwupfrqlvisyvlz.exe

[1] C:\Windows\system32\cmd.exe | PID 4052 | C:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe .
  [2] C:\Windows\etojfarqmdqqmxlwdbshc.exe | PID 6072 | etojfarqmdqqmxlwdbshc.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 2384 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\etojfarqmdqqmxlwdbshc.exe*."

[1] C:\Windows\system32\cmd.exe | PID 5248 | C:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe
  [2] C:\Windows\System32\Conhost.exe | PID 4940 | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\cpibvodaujusmvhqvrg.exe | PID 4920 | cpibvodaujusmvhqvrg.exe
[1] C:\Windows\system32\cmd.exe | PID 4544 | C:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe .
  [2] C:\Windows\itkbtkxskxgcublsv.exe | PID 5076 | itkbtkxskxgcublsv.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 392 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\itkbtkxskxgcublsv.exe*."

[1] C:\Windows\system32\cmd.exe | PID 4472 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe | PID 4548 | C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe

[1] C:\Windows\system32\cmd.exe | PID 4452 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | PID 2264 | C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 6120 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\cpibvodaujusmvhqvrg.exe*."

[1] C:\Windows\system32\cmd.exe | PID 896 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe
  [2] C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | PID 536 | C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe

[1] C:\Windows\system32\cmd.exe | PID 4960 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | PID 1396 | C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 5148 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\blbriykevhpkbhqw.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe | PID 5260 | C:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe
  [2] C:\Windows\blbriykevhpkbhqw.exe | PID 4456 | blbriykevhpkbhqw.exe

[1] C:\Windows\system32\cmd.exe | PID 3432 | C:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe .
  [2] C:\Windows\etojfarqmdqqmxlwdbshc.exe | PID 5960 | etojfarqmdqqmxlwdbshc.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 6080 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\etojfarqmdqqmxlwdbshc.exe*."

[1] C:\Windows\system32\cmd.exe | PID 1020 | C:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe
  [2] C:\Windows\cpibvodaujusmvhqvrg.exe | PID 1068 | cpibvodaujusmvhqvrg.exe

[1] C:\Windows\system32\cmd.exe | PID 5688 | C:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe .
  [2] C:\Windows\pdxrmgwupfrqlvisyvlz.exe | PID 2924 | pdxrmgwupfrqlvisyvlz.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 1624 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\pdxrmgwupfrqlvisyvlz.exe*."

[1] C:\Windows\system32\cmd.exe | PID 5288 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe
  [2] C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | PID 4540 | C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe

[1] C:\Windows\system32\cmd.exe | PID 1060 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | PID 1872 | C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 4716 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\itkbtkxskxgcublsv.exe*."

[1] C:\Windows\system32\cmd.exe | PID 4620 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe
  [2] C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | PID 3160 | C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe
[1] C:\Windows\system32\cmd.exe | PID 3584 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | PID 5596 | C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 4828 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\itkbtkxskxgcublsv.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe | PID 1504 | C:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe
  [2] C:\Windows\blbriykevhpkbhqw.exe | PID 1720 | blbriykevhpkbhqw.exe

[1] C:\Windows\system32\cmd.exe | PID 4728 | C:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe .
  [2] C:\Windows\System32\Conhost.exe | PID 5508 | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\blbriykevhpkbhqw.exe | PID 5552 | blbriykevhpkbhqw.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 3152 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\blbriykevhpkbhqw.exe*."

[1] C:\Windows\system32\cmd.exe | PID 2628 | C:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe
  [2] C:\Windows\cpibvodaujusmvhqvrg.exe | PID 5296 | cpibvodaujusmvhqvrg.exe

[1] C:\Windows\system32\cmd.exe | PID 5876 | C:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe .
  [2] C:\Windows\cpibvodaujusmvhqvrg.exe | PID 5168 | cpibvodaujusmvhqvrg.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 3800 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\cpibvodaujusmvhqvrg.exe*."
[1] C:\Windows\system32\cmd.exe | PID 4760 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe
  [2] C:\Windows\System32\Conhost.exe | PID 4688 | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | PID 1244 | C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe

[1] C:\Windows\system32\cmd.exe | PID 5200 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | PID 5748 | C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 4680 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\blbriykevhpkbhqw.exe*."

[1] C:\Windows\system32\cmd.exe | PID 4776 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe | PID 5756 | C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe

[1] C:\Windows\system32\cmd.exe | PID 4232 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | PID 4768 | C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 384 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\blbriykevhpkbhqw.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe | PID 3012 | C:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe
  [2] C:\Windows\itkbtkxskxgcublsv.exe | PID 3508 | itkbtkxskxgcublsv.exe
[1] C:\Windows\system32\cmd.exe | PID 2024 | C:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe .
  [2] C:\Windows\etojfarqmdqqmxlwdbshc.exe | PID 5464 | etojfarqmdqqmxlwdbshc.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 1600 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\etojfarqmdqqmxlwdbshc.exe*."

[1] C:\Windows\system32\cmd.exe | PID 1988 | C:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe
  [2] C:\Windows\pdxrmgwupfrqlvisyvlz.exe | PID 4852 | pdxrmgwupfrqlvisyvlz.exe

[1] C:\Windows\system32\cmd.exe | PID 5780 | C:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe .
  [2] C:\Windows\etojfarqmdqqmxlwdbshc.exe | PID 4724 | etojfarqmdqqmxlwdbshc.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 5904 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\etojfarqmdqqmxlwdbshc.exe*."

[1] C:\Windows\system32\cmd.exe | PID 3148 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe | PID 2036 | C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe

[1] C:\Windows\system32\cmd.exe | PID 3496 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe | PID 2540 | C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 1208 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\etojfarqmdqqmxlwdbshc.exe*."

[1] C:\Windows\system32\cmd.exe | PID 3816 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe | PID 2588 | C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe

[1] C:\Windows\system32\cmd.exe | PID 1860 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .
  [2] C:\Windows\System32\Conhost.exe | PID 1448 | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe | PID 3276 | C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 4788 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\rdvngymibpzwpxiqup.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe | PID 4912 | C:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe
  [2] C:\Windows\blbriykevhpkbhqw.exe | PID 4932 | blbriykevhpkbhqw.exe

[1] C:\Windows\system32\cmd.exe | PID 2396 | C:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe .
  [2] C:\Windows\itkbtkxskxgcublsv.exe | PID 4548 | itkbtkxskxgcublsv.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 4464 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\itkbtkxskxgcublsv.exe*."

[1] C:\Windows\system32\cmd.exe | PID 2112 | C:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe
  [2] C:\Windows\itkbtkxskxgcublsv.exe | PID 4972 | itkbtkxskxgcublsv.exe

[1] C:\Windows\system32\cmd.exe | PID 6016 | C:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe .
  [2] C:\Windows\itkbtkxskxgcublsv.exe | PID 5024 | itkbtkxskxgcublsv.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 4384 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\itkbtkxskxgcublsv.exe*."

[1] C:\Windows\system32\cmd.exe | PID 6120 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe
  [2] C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | PID 5252 | C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe

[1] C:\Windows\system32\cmd.exe | PID 1516 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | PID 1620 | C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 5256 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\blbriykevhpkbhqw.exe*."

[1] C:\Windows\system32\cmd.exe | PID 2212 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe
  [2] C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | PID 5636 | C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe

[1] C:\Windows\system32\cmd.exe | PID 1904 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | PID 1164 | C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 5992 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\pdxrmgwupfrqlvisyvlz.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe | PID 572 | C:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe
  [2] C:\Windows\rdvngymibpzwpxiqup.exe | PID 3168 | rdvngymibpzwpxiqup.exe

[1] C:\Windows\system32\cmd.exe | PID 4540 | C:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe .
  [2] C:\Windows\rdvngymibpzwpxiqup.exe | PID 5724 | rdvngymibpzwpxiqup.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 5488 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\rdvngymibpzwpxiqup.exe*."

[1] C:\Windows\system32\cmd.exe | PID 2448 | C:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe
  [2] C:\Windows\itkbtkxskxgcublsv.exe | PID 5068 | itkbtkxskxgcublsv.exe

[1] C:\Windows\system32\cmd.exe | PID 1872 | C:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe .
  [2] C:\Windows\pdxrmgwupfrqlvisyvlz.exe | PID 3528 | pdxrmgwupfrqlvisyvlz.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 1924 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\pdxrmgwupfrqlvisyvlz.exe*."

[1] C:\Windows\system32\cmd.exe | PID 2172 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe | PID 4980 | C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe

[1] C:\Windows\system32\cmd.exe | PID 1948 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | PID 1616 | C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 4864 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\cpibvodaujusmvhqvrg.exe*."

[1] C:\Windows\system32\cmd.exe | PID 3184 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe
  [2] C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | PID 2444 | C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe

[1] C:\Windows\system32\cmd.exe | PID 3188 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | PID 3656 | C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 3868 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\cpibvodaujusmvhqvrg.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe | PID 5296 | C:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe
  [2] C:\Windows\rdvngymibpzwpxiqup.exe | PID 2164 | rdvngymibpzwpxiqup.exe

[1] C:\Windows\system32\cmd.exe | PID 4496 | C:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe .
  [2] C:\Windows\itkbtkxskxgcublsv.exe | PID 688 | itkbtkxskxgcublsv.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 4248 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\itkbtkxskxgcublsv.exe*."

[1] C:\Windows\system32\cmd.exe | PID 5536 | C:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe
  [2] C:\Windows\rdvngymibpzwpxiqup.exe | PID 1664 | rdvngymibpzwpxiqup.exe

[1] C:\Windows\system32\cmd.exe | PID 5776 | C:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe .
  [2] C:\Windows\blbriykevhpkbhqw.exe | PID 4800 | blbriykevhpkbhqw.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 228 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\blbriykevhpkbhqw.exe*."

[1] C:\Windows\system32\cmd.exe | PID 2352 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe
  [2] C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | PID 2644 | C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe

[1] C:\Windows\system32\cmd.exe | PID 2712 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe | PID 1608 | C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 2360 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\rdvngymibpzwpxiqup.exe*."

[1] C:\Windows\system32\cmd.exe | PID 5920 | C:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe
  [2] C:\Windows\cpibvodaujusmvhqvrg.exe | PID 960 | cpibvodaujusmvhqvrg.exe

[1] C:\Windows\system32\cmd.exe | PID 3508 | C:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe
  [2] C:\Windows\etojfarqmdqqmxlwdbshc.exe | PID 3820 | etojfarqmdqqmxlwdbshc.exe

[1] C:\Windows\system32\cmd.exe | PID 724 | C:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe .
  [2] C:\Windows\pdxrmgwupfrqlvisyvlz.exe | PID 708 | pdxrmgwupfrqlvisyvlz.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 5848 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\pdxrmgwupfrqlvisyvlz.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe | PID 4028 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe
  [2] C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | PID 4852 | C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe

[1] C:\Windows\system32\cmd.exe | PID 1308 | C:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe .
  [2] C:\Windows\itkbtkxskxgcublsv.exe | PID 1788 | itkbtkxskxgcublsv.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 5048 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\itkbtkxskxgcublsv.exe*."

[1] C:\Windows\system32\cmd.exe | PID 4628 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe | PID 2540 | C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 4920 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\etojfarqmdqqmxlwdbshc.exe*."

[1] C:\Windows\system32\cmd.exe | PID 3380 | C:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe
  [2] C:\Windows\etojfarqmdqqmxlwdbshc.exe | PID 5432 | etojfarqmdqqmxlwdbshc.exe

[1] C:\Windows\system32\cmd.exe | PID 3948 | C:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe
  [2] C:\Windows\cpibvodaujusmvhqvrg.exe | PID 5408 | cpibvodaujusmvhqvrg.exe

[1] C:\Windows\system32\cmd.exe | PID 1208 | C:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe .
  [2] C:\Windows\cpibvodaujusmvhqvrg.exe | PID 1692 | cpibvodaujusmvhqvrg.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 1048 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\cpibvodaujusmvhqvrg.exe*."

[1] C:\Windows\system32\cmd.exe | PID 3292 | C:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe .
  [2] C:\Windows\etojfarqmdqqmxlwdbshc.exe | PID 6028 | etojfarqmdqqmxlwdbshc.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 2212 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\etojfarqmdqqmxlwdbshc.exe*."

[1] C:\Windows\system32\cmd.exe | PID 3096 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe | PID 4640 | C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe

[1] C:\Windows\system32\cmd.exe | PID 2040 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | PID 4196 | C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 2916 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\pdxrmgwupfrqlvisyvlz.exe*."

[1] C:\Windows\system32\cmd.exe | PID 4052 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe
  [2] C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | PID 2420 | C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe
[1] C:\Windows\system32\cmd.exe | PID 5164 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe | PID 1724 | C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 4272 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\rdvngymibpzwpxiqup.exe*."

[1] C:\Windows\system32\cmd.exe | PID 2264 | C:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe
  [2] C:\Windows\rdvngymibpzwpxiqup.exe | PID 1064 | rdvngymibpzwpxiqup.exe

[1] C:\Windows\system32\cmd.exe | PID 5252 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe
  [2] C:\Windows\System32\Conhost.exe | PID 536 | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | PID 5916 | C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe

[1] C:\Windows\system32\cmd.exe | PID 5156 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe
  [2] C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | PID 5092 | C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe

[1] C:\Windows\system32\cmd.exe | PID 440 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe | PID 2844 | C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 3836 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\etojfarqmdqqmxlwdbshc.exe*."

[1] C:\Windows\system32\cmd.exe | PID 5116 | C:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe .
  [2] C:\Windows\itkbtkxskxgcublsv.exe | PID 2424 | itkbtkxskxgcublsv.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 5152 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\itkbtkxskxgcublsv.exe*."

[1] C:\Windows\system32\cmd.exe | PID 5484 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe | PID 5528 | C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 1556 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\rdvngymibpzwpxiqup.exe*."

[1] C:\Windows\system32\cmd.exe | PID 5728 | C:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe
  [2] C:\Windows\itkbtkxskxgcublsv.exe | PID 3776 | itkbtkxskxgcublsv.exe

[1] C:\Windows\system32\cmd.exe | PID 2408 | C:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe .
  [2] C:\Windows\blbriykevhpkbhqw.exe | PID 4584 | blbriykevhpkbhqw.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 3644 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\blbriykevhpkbhqw.exe*."
[1] C:\Windows\system32\cmd.exe | PID 4212 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe
  [2] C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | PID 5244 | C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe

[1] C:\Windows\system32\cmd.exe | PID 2252 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | PID 1416 | C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 5532 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\itkbtkxskxgcublsv.exe*."

[1] C:\Windows\system32\cmd.exe | PID 5596 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe | PID 1720 | C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe

[1] C:\Windows\system32\cmd.exe | PID 2100 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | PID 3856 | C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 1668 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\blbriykevhpkbhqw.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe | PID 5852 | C:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe
  [2] C:\Windows\rdvngymibpzwpxiqup.exe | PID 5804 | rdvngymibpzwpxiqup.exe

[1] C:\Windows\system32\cmd.exe | PID 5100 | C:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe .
  [2] C:\Windows\rdvngymibpzwpxiqup.exe | PID 2792 | rdvngymibpzwpxiqup.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 1244 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\rdvngymibpzwpxiqup.exe*."

[1] C:\Windows\system32\cmd.exe | PID 1952 | C:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe
  [2] C:\Windows\itkbtkxskxgcublsv.exe | PID 2204 | itkbtkxskxgcublsv.exe

[1] C:\Windows\system32\cmd.exe | PID 4676 | C:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe .
  [2] C:\Windows\blbriykevhpkbhqw.exe | PID 5536 | blbriykevhpkbhqw.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 6056 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\blbriykevhpkbhqw.exe*."
[1] C:\Windows\system32\cmd.exe | PID 436 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe
  [2] C:\Windows\System32\Conhost.exe | PID 2644 | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | PID 1880 | C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe

[1] C:\Windows\system32\cmd.exe | PID 2632 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | PID 3456 | C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 5768 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\pdxrmgwupfrqlvisyvlz.exe*."

[1] C:\Windows\system32\cmd.exe | PID 4768 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe
  [2] C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | PID 5640 | C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe

[1] C:\Windows\system32\cmd.exe | PID 1896 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | PID 2712 | C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 912 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\itkbtkxskxgcublsv.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe | PID 788 | C:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe
  [2] C:\Windows\rdvngymibpzwpxiqup.exe | PID 2932 | rdvngymibpzwpxiqup.exe

[1] C:\Windows\system32\cmd.exe | PID 3176 | C:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe .
  [2] C:\Windows\cpibvodaujusmvhqvrg.exe | PID 5440 | cpibvodaujusmvhqvrg.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 5432 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\cpibvodaujusmvhqvrg.exe*."

[1] C:\Windows\system32\cmd.exe | PID 5880 | C:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe
  [2] C:\Windows\blbriykevhpkbhqw.exe | PID 3524 | blbriykevhpkbhqw.exe

[1] C:\Windows\system32\cmd.exe | PID 6020 | C:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe .
  [2] C:\Windows\pdxrmgwupfrqlvisyvlz.exe | PID 3208 | pdxrmgwupfrqlvisyvlz.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 5932 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\pdxrmgwupfrqlvisyvlz.exe*."
[1] C:\Windows\system32\cmd.exe | PID 456 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe
  [2] C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | PID 2872 | C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe

[1] C:\Windows\system32\cmd.exe | PID 1960 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | PID 4392 | C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 2036 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\pdxrmgwupfrqlvisyvlz.exe*."

[1] C:\Windows\system32\cmd.exe | PID 4640 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe
  [2] C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | PID 6072 | C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe

[1] C:\Windows\system32\cmd.exe | PID 4280 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | PID 1048 | C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 4736 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\cpibvodaujusmvhqvrg.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe | PID 2912 | C:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe
  [2] C:\Windows\pdxrmgwupfrqlvisyvlz.exe | PID 4220 | pdxrmgwupfrqlvisyvlz.exe

[1] C:\Windows\system32\cmd.exe | PID 1164 | C:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe .
  [2] C:\Windows\itkbtkxskxgcublsv.exe | PID 2212 | itkbtkxskxgcublsv.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 4416 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\itkbtkxskxgcublsv.exe*."

[1] C:\Windows\system32\cmd.exe | PID 5628 | C:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe
  [2] C:\Windows\System32\Conhost.exe | PID 1724 | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\pdxrmgwupfrqlvisyvlz.exe | PID 2592 | pdxrmgwupfrqlvisyvlz.exe

[1] C:\Windows\system32\cmd.exe | PID 4052 | C:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe .
  [2] C:\Windows\pdxrmgwupfrqlvisyvlz.exe | PID 2152 | pdxrmgwupfrqlvisyvlz.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | PID 1556 | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\pdxrmgwupfrqlvisyvlz.exe*."

[1] C:\Windows\system32\cmd.exe | PID 2844 | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe
  [2] C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | PID 3404 | C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe .1⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe .2⤵PID:1620
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\blbriykevhpkbhqw.exe*."3⤵PID:5484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe1⤵PID:5960
-
C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exeC:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe2⤵PID:5208
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe .1⤵PID:648
-
C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exeC:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4172 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\cpibvodaujusmvhqvrg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe1⤵PID:1348
-
C:\Windows\itkbtkxskxgcublsv.exeitkbtkxskxgcublsv.exe2⤵PID:2108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe .1⤵PID:3644
-
C:\Windows\cpibvodaujusmvhqvrg.execpibvodaujusmvhqvrg.exe .2⤵PID:2172
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\cpibvodaujusmvhqvrg.exe*."3⤵PID:1052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe1⤵PID:5516
-
C:\Windows\pdxrmgwupfrqlvisyvlz.exepdxrmgwupfrqlvisyvlz.exe2⤵PID:5596
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe .1⤵PID:2004
-
C:\Windows\cpibvodaujusmvhqvrg.execpibvodaujusmvhqvrg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3040 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\cpibvodaujusmvhqvrg.exe*."3⤵PID:4316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe1⤵PID:2524
-
C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe2⤵PID:3188
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .1⤵PID:6012
-
C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exeC:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .2⤵PID:6064
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\rdvngymibpzwpxiqup.exe*."3⤵PID:4720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe1⤵PID:2792
-
C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exeC:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe2⤵PID:5612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .1⤵PID:5792
-
C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exeC:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .2⤵PID:4688
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\pdxrmgwupfrqlvisyvlz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe1⤵PID:3196
-
C:\Windows\rdvngymibpzwpxiqup.exerdvngymibpzwpxiqup.exe2⤵PID:960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe .1⤵PID:4680
-
C:\Windows\rdvngymibpzwpxiqup.exerdvngymibpzwpxiqup.exe .2⤵PID:5748
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\rdvngymibpzwpxiqup.exe*."3⤵PID:5744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe1⤵PID:3108
-
C:\Windows\rdvngymibpzwpxiqup.exerdvngymibpzwpxiqup.exe2⤵PID:1668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe .1⤵PID:2984
-
C:\Windows\itkbtkxskxgcublsv.exeitkbtkxskxgcublsv.exe .2⤵PID:5912
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\itkbtkxskxgcublsv.exe*."3⤵PID:4872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe1⤵PID:5720
-
C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exeC:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe2⤵PID:2932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe .1⤵PID:4028
-
C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exeC:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe .2⤵PID:4056
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\itkbtkxskxgcublsv.exe*."3⤵PID:5904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe1⤵PID:4784
-
C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exeC:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe2⤵PID:1176
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe .1⤵PID:1788
-
C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe .2⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\blbriykevhpkbhqw.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
PID:4920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe1⤵PID:2540
-
C:\Windows\etojfarqmdqqmxlwdbshc.exeetojfarqmdqqmxlwdbshc.exe2⤵PID:4724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe .1⤵PID:1148
-
C:\Windows\pdxrmgwupfrqlvisyvlz.exepdxrmgwupfrqlvisyvlz.exe .2⤵PID:5160
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\pdxrmgwupfrqlvisyvlz.exe*."3⤵PID:4896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe1⤵PID:4772
-
C:\Windows\blbriykevhpkbhqw.exeblbriykevhpkbhqw.exe2⤵PID:4624
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe .1⤵PID:2552
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1048
-
-
C:\Windows\cpibvodaujusmvhqvrg.execpibvodaujusmvhqvrg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4280 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\cpibvodaujusmvhqvrg.exe*."3⤵PID:1208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe1⤵PID:2092
-
C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exeC:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe2⤵PID:4972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe .1⤵PID:5664
-
C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exeC:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe .2⤵PID:4440
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\cpibvodaujusmvhqvrg.exe*."3⤵PID:2396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe1⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exeC:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe2⤵PID:5772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe1⤵PID:4992
-
C:\Windows\pdxrmgwupfrqlvisyvlz.exepdxrmgwupfrqlvisyvlz.exe2⤵PID:1492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .1⤵PID:1108
-
C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exeC:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .2⤵PID:5372
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\etojfarqmdqqmxlwdbshc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe1⤵PID:5348
-
C:\Windows\cpibvodaujusmvhqvrg.execpibvodaujusmvhqvrg.exe2⤵PID:4052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe .1⤵PID:2588
-
C:\Windows\itkbtkxskxgcublsv.exeitkbtkxskxgcublsv.exe .2⤵PID:2448
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\itkbtkxskxgcublsv.exe*."3⤵PID:1384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe .1⤵PID:5152
-
C:\Windows\pdxrmgwupfrqlvisyvlz.exepdxrmgwupfrqlvisyvlz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:8 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\pdxrmgwupfrqlvisyvlz.exe*."3⤵PID:4276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe1⤵PID:1624
-
C:\Windows\cpibvodaujusmvhqvrg.execpibvodaujusmvhqvrg.exe2⤵PID:3096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe .1⤵PID:5960
-
C:\Windows\blbriykevhpkbhqw.exeblbriykevhpkbhqw.exe .2⤵PID:1460
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\blbriykevhpkbhqw.exe*."3⤵PID:3184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe1⤵PID:3168
-
C:\Windows\pdxrmgwupfrqlvisyvlz.exepdxrmgwupfrqlvisyvlz.exe2⤵PID:3384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe1⤵PID:6084
-
C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe2⤵PID:2156
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe .1⤵PID:5148
-
C:\Windows\cpibvodaujusmvhqvrg.execpibvodaujusmvhqvrg.exe .2⤵PID:5508
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\cpibvodaujusmvhqvrg.exe*."3⤵PID:3200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe .1⤵PID:5188
-
C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe .2⤵PID:868
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\blbriykevhpkbhqw.exe*."3⤵PID:964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe1⤵PID:5936
-
C:\Windows\cpibvodaujusmvhqvrg.execpibvodaujusmvhqvrg.exe2⤵PID:2372
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe1⤵PID:6080
-
C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exeC:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe2⤵PID:1436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .1⤵PID:4516
-
C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exeC:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .2⤵PID:1776
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\etojfarqmdqqmxlwdbshc.exe*."3⤵PID:428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe .1⤵PID:3600
-
C:\Windows\itkbtkxskxgcublsv.exeitkbtkxskxgcublsv.exe .2⤵PID:1520
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\itkbtkxskxgcublsv.exe*."3⤵PID:2056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe1⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exeC:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe2⤵PID:1952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .1⤵PID:2856
-
C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exeC:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .2⤵PID:2280
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\pdxrmgwupfrqlvisyvlz.exe*."3⤵PID:3896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe1⤵PID:3328
-
C:\Windows\rdvngymibpzwpxiqup.exerdvngymibpzwpxiqup.exe2⤵PID:5800
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe1⤵PID:3692
-
C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exeC:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe2⤵PID:1160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .1⤵PID:3608
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:228
-
-
C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exeC:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .2⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\etojfarqmdqqmxlwdbshc.exe*."3⤵PID:5376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe .1⤵PID:4828
-
C:\Windows\rdvngymibpzwpxiqup.exerdvngymibpzwpxiqup.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5108 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\rdvngymibpzwpxiqup.exe*."3⤵PID:1600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe1⤵PID:4680
-
C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exeC:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe2⤵PID:4104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .1⤵PID:3108
-
C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exeC:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .2⤵PID:5844
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\etojfarqmdqqmxlwdbshc.exe*."3⤵PID:5440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe1⤵PID:5904
-
C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exeC:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe2⤵PID:5016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe .1⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5012 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\blbriykevhpkbhqw.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe1⤵PID:2540
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6072
-
-
C:\Windows\cpibvodaujusmvhqvrg.execpibvodaujusmvhqvrg.exe2⤵PID:5160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe .1⤵PID:5124
-
C:\Windows\blbriykevhpkbhqw.exeblbriykevhpkbhqw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\blbriykevhpkbhqw.exe*."3⤵PID:4772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe1⤵PID:912
-
C:\Windows\cpibvodaujusmvhqvrg.execpibvodaujusmvhqvrg.exe2⤵PID:3276
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe .1⤵PID:5684
-
C:\Windows\blbriykevhpkbhqw.exeblbriykevhpkbhqw.exe .2⤵PID:6020
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\blbriykevhpkbhqw.exe*."3⤵PID:5668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe1⤵PID:5268
-
C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exeC:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe2⤵PID:3932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .1⤵PID:3048
-
C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exeC:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .2⤵PID:900
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\rdvngymibpzwpxiqup.exe*."3⤵PID:5260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe1⤵PID:5664
-
C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exeC:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe2⤵PID:5276
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .1⤵PID:3292
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4464
-
-
C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exeC:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5008 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\rdvngymibpzwpxiqup.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe1⤵PID:1072
-
C:\Windows\blbriykevhpkbhqw.exeblbriykevhpkbhqw.exe2⤵PID:1388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe .1⤵PID:4116
-
C:\Windows\cpibvodaujusmvhqvrg.execpibvodaujusmvhqvrg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1620 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\cpibvodaujusmvhqvrg.exe*."3⤵PID:5436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe1⤵PID:1124
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3528
-
-
C:\Windows\rdvngymibpzwpxiqup.exerdvngymibpzwpxiqup.exe2⤵PID:3604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe .1⤵PID:2936
-
C:\Windows\cpibvodaujusmvhqvrg.execpibvodaujusmvhqvrg.exe .2⤵PID:1348
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\cpibvodaujusmvhqvrg.exe*."3⤵PID:5224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe1⤵PID:2844
-
C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exeC:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe2⤵PID:3452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .1⤵PID:2100
-
C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exeC:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .2⤵PID:2656
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\pdxrmgwupfrqlvisyvlz.exe*."3⤵PID:5728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe1⤵PID:5220
-
C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exeC:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe2⤵PID:5524
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .1⤵PID:4588
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1720
-
-
C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exeC:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3856 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\pdxrmgwupfrqlvisyvlz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe1⤵PID:3584
-
C:\Windows\cpibvodaujusmvhqvrg.execpibvodaujusmvhqvrg.exe2⤵PID:3796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe .1⤵PID:5792
-
C:\Windows\etojfarqmdqqmxlwdbshc.exeetojfarqmdqqmxlwdbshc.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5100 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\etojfarqmdqqmxlwdbshc.exe*."3⤵PID:5172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe1⤵PID:4260
-
C:\Windows\rdvngymibpzwpxiqup.exerdvngymibpzwpxiqup.exe2⤵PID:2360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe .1⤵PID:2864
-
C:\Windows\blbriykevhpkbhqw.exeblbriykevhpkbhqw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:960 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\blbriykevhpkbhqw.exe*."3⤵PID:5200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe1⤵PID:2280
-
C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exeC:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe2⤵PID:5756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe .1⤵PID:2856
-
C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe .2⤵PID:5620
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\blbriykevhpkbhqw.exe*."3⤵PID:5696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe1⤵PID:5108
-
C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exeC:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe2⤵PID:4396
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .1⤵PID:1632
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5464
-
-
C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exeC:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5840 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\etojfarqmdqqmxlwdbshc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5776
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe1⤵PID:3108
-
C:\Windows\rdvngymibpzwpxiqup.exerdvngymibpzwpxiqup.exe2⤵PID:1460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe .1⤵PID:5960
-
C:\Windows\blbriykevhpkbhqw.exeblbriykevhpkbhqw.exe .2⤵PID:5332
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\blbriykevhpkbhqw.exe*."3⤵PID:5176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe1⤵PID:5732
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:708
-
-
C:\Windows\rdvngymibpzwpxiqup.exerdvngymibpzwpxiqup.exe2⤵PID:1168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe .1⤵PID:2068
-
C:\Windows\etojfarqmdqqmxlwdbshc.exeetojfarqmdqqmxlwdbshc.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1516 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\etojfarqmdqqmxlwdbshc.exe*."3⤵PID:5444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe1⤵PID:3192
-
C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exeC:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe2⤵PID:2536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe .1⤵PID:4956
-
C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exeC:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\itkbtkxskxgcublsv.exe*."3⤵PID:4700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe1⤵PID:2036
-
C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exeC:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe2⤵PID:4640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .1⤵PID:760
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2420
-
-
C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exeC:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5812 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\pdxrmgwupfrqlvisyvlz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1208
-
-
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe | PID 4608
  C:\Windows\blbriykevhpkbhqw.exe | blbriykevhpkbhqw.exe | PID 2000

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe . | PID 5268
  C:\Windows\rdvngymibpzwpxiqup.exe | rdvngymibpzwpxiqup.exe . | PID 4196
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\rdvngymibpzwpxiqup.exe*." | PID 4144

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe | PID 4440
  C:\Windows\etojfarqmdqqmxlwdbshc.exe | etojfarqmdqqmxlwdbshc.exe | PID 3048

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe . | PID 392
  C:\Windows\pdxrmgwupfrqlvisyvlz.exe | pdxrmgwupfrqlvisyvlz.exe . | PID 4468
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\pdxrmgwupfrqlvisyvlz.exe*." | PID 2348

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | PID 1536
  C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | PID 5456

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe . | PID 5600
  C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe . | PID 3548
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\cpibvodaujusmvhqvrg.exe*." | PID 4340

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | PID 3228
  C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | PID 5636

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe . | PID 3824
  C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe . | PID 1108
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\itkbtkxskxgcublsv.exe*." | PID 1924
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe | PID 5404
  C:\Windows\pdxrmgwupfrqlvisyvlz.exe | pdxrmgwupfrqlvisyvlz.exe | PID 5488

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe . | PID 1972
  C:\Windows\blbriykevhpkbhqw.exe | blbriykevhpkbhqw.exe . | PID 2528
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\blbriykevhpkbhqw.exe*." | PID 5728

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe | PID 2736
  C:\Windows\cpibvodaujusmvhqvrg.exe | cpibvodaujusmvhqvrg.exe | PID 4748

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe . | PID 4456
  C:\Windows\pdxrmgwupfrqlvisyvlz.exe | pdxrmgwupfrqlvisyvlz.exe . | PID 5612
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\pdxrmgwupfrqlvisyvlz.exe*." | PID 4212

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | PID 4720
  C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | PID 4844

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe . | PID 2124
  C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe | C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe . | PID 5384
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\rdvngymibpzwpxiqup.exe*." | PID 1520

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | PID 240
  C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | PID 6040

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe . | PID 1244
  C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe . | PID 2516
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\itkbtkxskxgcublsv.exe*." | PID 3740
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe | PID 4260
  C:\Windows\rdvngymibpzwpxiqup.exe | rdvngymibpzwpxiqup.exe | PID 660

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe | PID 3820
  C:\Windows\etojfarqmdqqmxlwdbshc.exe | etojfarqmdqqmxlwdbshc.exe | PID 3328

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe . | PID 5832
  C:\Windows\etojfarqmdqqmxlwdbshc.exe | etojfarqmdqqmxlwdbshc.exe . | PID 1896
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\etojfarqmdqqmxlwdbshc.exe*." | PID 1576

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe . | PID 2932
  C:\Windows\itkbtkxskxgcublsv.exe | itkbtkxskxgcublsv.exe . | PID 3484
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\itkbtkxskxgcublsv.exe*." | PID 2776

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe | PID 2712
  C:\Windows\blbriykevhpkbhqw.exe | blbriykevhpkbhqw.exe | PID 1632

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe | PID 5640
  C:\Windows\itkbtkxskxgcublsv.exe | itkbtkxskxgcublsv.exe | PID 2032

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe . | PID 4264
  C:\Windows\rdvngymibpzwpxiqup.exe | rdvngymibpzwpxiqup.exe . | PID 428
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\rdvngymibpzwpxiqup.exe*." | PID 2252

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe | PID 4852
  C:\Windows\pdxrmgwupfrqlvisyvlz.exe | pdxrmgwupfrqlvisyvlz.exe | PID 3348

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | PID 5500
  C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | PID 2548

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe . | PID 2984
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5432
  C:\Windows\rdvngymibpzwpxiqup.exe | rdvngymibpzwpxiqup.exe . | PID 1320
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\rdvngymibpzwpxiqup.exe*." | PID 5916

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe . | PID 5048
  C:\Windows\cpibvodaujusmvhqvrg.exe | cpibvodaujusmvhqvrg.exe . | PID 4700
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\cpibvodaujusmvhqvrg.exe*." | PID 1064

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe . | PID 5092
  C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe . | PID 4640
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\cpibvodaujusmvhqvrg.exe*." | PID 6060

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | PID 4108
  C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | PID 5028

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe . | PID 3148
  C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe . | PID 6052
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\cpibvodaujusmvhqvrg.exe*." | PID 900

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe | PID 4704
  C:\Windows\rdvngymibpzwpxiqup.exe | rdvngymibpzwpxiqup.exe | PID 1996

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe . | PID 4348
  C:\Windows\cpibvodaujusmvhqvrg.exe | cpibvodaujusmvhqvrg.exe . | PID 4788
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\cpibvodaujusmvhqvrg.exe*." | PID 4932

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | PID 1960
  C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | PID 5724

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | PID 4664
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4972
  C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | PID 5856

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe . | PID 1712
  C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe . | PID 6004
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\pdxrmgwupfrqlvisyvlz.exe*." | PID 3472

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | PID 892
  C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | PID 2348

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe . | PID 4632
  C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe | C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe . | PID 4940
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\rdvngymibpzwpxiqup.exe*." | PID 2020

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe . | PID 2380
  C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe . | PID 392
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\blbriykevhpkbhqw.exe*." | PID 6044

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | PID 4732
  C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | PID 3460

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe . | PID 2732
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2448
  C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe . | PID 4116
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\itkbtkxskxgcublsv.exe*." | PID 3824

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe | PID 1348
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3836
  C:\Windows\rdvngymibpzwpxiqup.exe | rdvngymibpzwpxiqup.exe | PID 5644

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe . | PID 440
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5992
  C:\Windows\itkbtkxskxgcublsv.exe | itkbtkxskxgcublsv.exe . | PID 2528
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\itkbtkxskxgcublsv.exe*." | PID 4716

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe | PID 3448
  C:\Windows\rdvngymibpzwpxiqup.exe | rdvngymibpzwpxiqup.exe | PID 3644

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe . | PID 6064
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3856
  C:\Windows\rdvngymibpzwpxiqup.exe | rdvngymibpzwpxiqup.exe . | PID 5612
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\rdvngymibpzwpxiqup.exe*." | PID 4920

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | PID 4212
  C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | PID 572

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe . | PID 2740
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1416
  C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe . | PID 3968
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\itkbtkxskxgcublsv.exe*." | PID 3656

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe | PID 2996
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2164
  C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe | C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe | PID 240

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe . | PID 1384
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4248
  C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe . | PID 1296
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\pdxrmgwupfrqlvisyvlz.exe*." | PID 4012

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe | PID 3248
  C:\Windows\etojfarqmdqqmxlwdbshc.exe | etojfarqmdqqmxlwdbshc.exe | PID 2024

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe . | PID 5696
  C:\Windows\pdxrmgwupfrqlvisyvlz.exe | pdxrmgwupfrqlvisyvlz.exe . | PID 5768
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\pdxrmgwupfrqlvisyvlz.exe*." | PID 1752

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe | PID 1896
  C:\Windows\cpibvodaujusmvhqvrg.exe | cpibvodaujusmvhqvrg.exe | PID 3636

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe . | PID 4232
  C:\Windows\itkbtkxskxgcublsv.exe | itkbtkxskxgcublsv.exe . | PID 5920
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\itkbtkxskxgcublsv.exe*." | PID 2324

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | PID 5328
  C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | PID 5472

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe . | PID 4028
  C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe . | PID 5192
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\cpibvodaujusmvhqvrg.exe*." | PID 3240

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | PID 2496
  C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | PID 4000

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe . | PID 1460
  C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe . | PID 5028
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\pdxrmgwupfrqlvisyvlz.exe*." | PID 1176

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe | PID 5880
  C:\Windows\blbriykevhpkbhqw.exe | blbriykevhpkbhqw.exe | PID 404

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe . | PID 5408
  C:\Windows\blbriykevhpkbhqw.exe | blbriykevhpkbhqw.exe . | PID 2156
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\blbriykevhpkbhqw.exe*." | PID 2592

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe | PID 3536
  C:\Windows\etojfarqmdqqmxlwdbshc.exe | etojfarqmdqqmxlwdbshc.exe | PID 4084

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe . | PID 4440
  C:\Windows\pdxrmgwupfrqlvisyvlz.exe | pdxrmgwupfrqlvisyvlz.exe . | PID 812
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\pdxrmgwupfrqlvisyvlz.exe*." | PID 4824

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | PID 2544
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5092
  C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | PID 5016

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe . | PID 2872
  C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe . | PID 236
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\pdxrmgwupfrqlvisyvlz.exe*." | PID 4788

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | PID 5512
  C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | PID 3476

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe . | PID 2664
  C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe . | PID 4112
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\blbriykevhpkbhqw.exe*." | PID 872

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe | PID 6004
  C:\Windows\itkbtkxskxgcublsv.exe | itkbtkxskxgcublsv.exe | PID 2136

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe . | PID 1208
  C:\Windows\cpibvodaujusmvhqvrg.exe | cpibvodaujusmvhqvrg.exe . | PID 3816
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\cpibvodaujusmvhqvrg.exe*." | PID 3104

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe | PID 1984
  C:\Windows\cpibvodaujusmvhqvrg.exe | cpibvodaujusmvhqvrg.exe | PID 2396

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe . | PID 4732
  C:\Windows\itkbtkxskxgcublsv.exe | itkbtkxskxgcublsv.exe . | PID 664
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\itkbtkxskxgcublsv.exe*." | PID 5716

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | PID 2928
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3776
  C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe | PID 3020

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe . | PID 1124
  C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe | C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe . | PID 5224
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\etojfarqmdqqmxlwdbshc.exe*." | PID 3188

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe | PID 2132
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1348
  C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe | C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe | PID 1624

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe . | PID 1436
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2528
  C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe . | PID 5256
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\pdxrmgwupfrqlvisyvlz.exe*." | PID 3280

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe | PID 5296
  C:\Windows\cpibvodaujusmvhqvrg.exe | cpibvodaujusmvhqvrg.exe | PID 4212

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe . | PID 5228
  C:\Windows\pdxrmgwupfrqlvisyvlz.exe | pdxrmgwupfrqlvisyvlz.exe . | PID 1816
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\pdxrmgwupfrqlvisyvlz.exe*." | PID 3968

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe | PID 1520
  C:\Windows\itkbtkxskxgcublsv.exe | itkbtkxskxgcublsv.exe | PID 1952

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe . | PID 4692
  C:\Windows\etojfarqmdqqmxlwdbshc.exe | etojfarqmdqqmxlwdbshc.exe . | PID 3412
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\etojfarqmdqqmxlwdbshc.exe*." | PID 5244

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe | PID 5824
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4172
  C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe | C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe | PID 1296

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe . | PID 648
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5200
  C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe . | PID 3692
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\pdxrmgwupfrqlvisyvlz.exe*." | PID 3328

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | PID 1236
  C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | PID 5868

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe . | PID 4676
  C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe | C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe . | PID 4668
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\rdvngymibpzwpxiqup.exe*." | PID 4056

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe | PID 3000
  C:\Windows\cpibvodaujusmvhqvrg.exe | cpibvodaujusmvhqvrg.exe | PID 5980

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe . | PID 5640
  C:\Windows\pdxrmgwupfrqlvisyvlz.exe | pdxrmgwupfrqlvisyvlz.exe . | PID 3144
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\pdxrmgwupfrqlvisyvlz.exe*." | PID 224

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe | PID 2196
  C:\Windows\itkbtkxskxgcublsv.exe | itkbtkxskxgcublsv.exe | PID 5176

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe . | PID 5732
  C:\Windows\etojfarqmdqqmxlwdbshc.exe | etojfarqmdqqmxlwdbshc.exe . | PID 3028
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\etojfarqmdqqmxlwdbshc.exe*." | PID 1152

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe | PID 1408
  C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe | C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe | PID 4852

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe . | PID 4232
  C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe . | PID 864
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\itkbtkxskxgcublsv.exe*." | PID 4108

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe | PID 5248
  C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe | C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe | PID 4896

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe . | PID 5916
  C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe . | PID 4936
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\itkbtkxskxgcublsv.exe*." | PID 2592

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe | PID 4084
  C:\Windows\blbriykevhpkbhqw.exe | blbriykevhpkbhqw.exe | PID 1940

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe | PID 1880
  C:\Windows\rdvngymibpzwpxiqup.exe | rdvngymibpzwpxiqup.exe | PID 3148

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe | PID 5016
  C:\Windows\itkbtkxskxgcublsv.exe | itkbtkxskxgcublsv.exe | PID 5048

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe . | PID 1976
  C:\Windows\pdxrmgwupfrqlvisyvlz.exe | pdxrmgwupfrqlvisyvlz.exe . | PID 4912
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\pdxrmgwupfrqlvisyvlz.exe*." | PID 4664

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe . | PID 5628
  C:\Windows\pdxrmgwupfrqlvisyvlz.exe | pdxrmgwupfrqlvisyvlz.exe . | PID 2916
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\pdxrmgwupfrqlvisyvlz.exe*." | PID 3852

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe . | PID 4788
  C:\Windows\rdvngymibpzwpxiqup.exe | rdvngymibpzwpxiqup.exe . | PID 4624
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\rdvngymibpzwpxiqup.exe*." | PID 392

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe | PID 540
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1176
  C:\Windows\pdxrmgwupfrqlvisyvlz.exe | pdxrmgwupfrqlvisyvlz.exe | PID 5556

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c itkbtkxskxgcublsv.exe | PID 1336
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3404
  C:\Windows\itkbtkxskxgcublsv.exe | itkbtkxskxgcublsv.exe | PID 5644

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe . | PID 1556
  C:\Windows\rdvngymibpzwpxiqup.exe | rdvngymibpzwpxiqup.exe . | PID 2424
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\rdvngymibpzwpxiqup.exe*." | PID 5256

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe | PID 5276
  C:\Windows\cpibvodaujusmvhqvrg.exe | cpibvodaujusmvhqvrg.exe | PID 4620

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe . | PID 3104
  C:\Windows\cpibvodaujusmvhqvrg.exe | cpibvodaujusmvhqvrg.exe . | PID 6096
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\cpibvodaujusmvhqvrg.exe*." | PID 2848

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe | PID 2468
  C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe | C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe | PID 1688

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe . | PID 736
  C:\Windows\pdxrmgwupfrqlvisyvlz.exe | pdxrmgwupfrqlvisyvlz.exe . | PID 3612
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\pdxrmgwupfrqlvisyvlz.exe*." | PID 5612

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | PID 1492
  C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | PID 4720

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | PID 4116
  C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | PID 2172

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe . | PID 2376
  C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe . | PID 5660
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\itkbtkxskxgcublsv.exe*." | PID 5172

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe . | PID 1124
  C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe . | PID 5296
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\cpibvodaujusmvhqvrg.exe*." | PID 4684

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe . | PID 332
  C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe | C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe . | PID 5976
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\rdvngymibpzwpxiqup.exe*." | PID 2864

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe | PID 3124
  C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe | C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe | PID 4044

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe | PID 5536
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5152
  C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe | C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe | PID 648

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe . | PID 3656
  C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe . | PID 1384
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\itkbtkxskxgcublsv.exe*." | PID 5004

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | PID 688
  C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe | PID 3328

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe . | PID 3056
  C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe | C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe . | PID 5624
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\cpibvodaujusmvhqvrg.exe*." | PID 3896

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe . | PID 4132
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5244
  C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe | C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe . | PID 3244
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\pdxrmgwupfrqlvisyvlz.exe*."3⤵PID:4668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe1⤵PID:3908
-
C:\Windows\rdvngymibpzwpxiqup.exerdvngymibpzwpxiqup.exe2⤵PID:4604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe .1⤵PID:3652
-
C:\Windows\blbriykevhpkbhqw.exeblbriykevhpkbhqw.exe .2⤵PID:5920
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\blbriykevhpkbhqw.exe*."3⤵PID:5984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe1⤵PID:3156
-
C:\Windows\rdvngymibpzwpxiqup.exerdvngymibpzwpxiqup.exe2⤵PID:5960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe .1⤵PID:2412
-
C:\Windows\pdxrmgwupfrqlvisyvlz.exepdxrmgwupfrqlvisyvlz.exe .2⤵PID:2204
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\pdxrmgwupfrqlvisyvlz.exe*."3⤵PID:3704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe1⤵PID:5236
-
C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exeC:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe2⤵PID:1460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .1⤵PID:5912
-
C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exeC:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .2⤵PID:1996
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\rdvngymibpzwpxiqup.exe*."3⤵PID:4108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe1⤵PID:3920
-
C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exeC:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe2⤵PID:4896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .1⤵PID:1788
-
C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exeC:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .2⤵PID:6028
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\etojfarqmdqqmxlwdbshc.exe*."3⤵PID:5188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe1⤵PID:5684
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1064
-
-
C:\Windows\etojfarqmdqqmxlwdbshc.exeetojfarqmdqqmxlwdbshc.exe2⤵PID:5724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe .1⤵PID:760
-
C:\Windows\cpibvodaujusmvhqvrg.execpibvodaujusmvhqvrg.exe .2⤵PID:1516
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\cpibvodaujusmvhqvrg.exe*."3⤵PID:3148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe1⤵PID:4824
-
C:\Windows\pdxrmgwupfrqlvisyvlz.exepdxrmgwupfrqlvisyvlz.exe2⤵PID:1724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etojfarqmdqqmxlwdbshc.exe .1⤵PID:1164
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2872
-
-
C:\Windows\etojfarqmdqqmxlwdbshc.exeetojfarqmdqqmxlwdbshc.exe .2⤵PID:3932
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\etojfarqmdqqmxlwdbshc.exe*."3⤵PID:540
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe1⤵PID:2984
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3524
-
-
C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exeC:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe2⤵PID:4348
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .1⤵PID:4972
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2352
-
-
C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exeC:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe .2⤵PID:3852
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\pdxrmgwupfrqlvisyvlz.exe*."3⤵PID:3472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe1⤵PID:1208
-
C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exeC:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe2⤵PID:2584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .1⤵PID:1496
-
C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exeC:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .2⤵PID:5776
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\etojfarqmdqqmxlwdbshc.exe*."3⤵PID:4864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe1⤵PID:5164
-
C:\Windows\blbriykevhpkbhqw.exeblbriykevhpkbhqw.exe2⤵PID:5348
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe .1⤵PID:5256
-
C:\Windows\rdvngymibpzwpxiqup.exerdvngymibpzwpxiqup.exe .2⤵PID:2468
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\rdvngymibpzwpxiqup.exe*."3⤵PID:4468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe1⤵PID:2172
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1556
-
-
C:\Windows\cpibvodaujusmvhqvrg.execpibvodaujusmvhqvrg.exe2⤵PID:3964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cpibvodaujusmvhqvrg.exe .1⤵PID:1068
-
C:\Windows\cpibvodaujusmvhqvrg.execpibvodaujusmvhqvrg.exe .2⤵PID:1972
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\cpibvodaujusmvhqvrg.exe*."3⤵PID:5744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe1⤵PID:2884
-
C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe2⤵PID:2124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe .1⤵PID:2360
-
C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exeC:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe .2⤵PID:3388
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\cpibvodaujusmvhqvrg.exe*."3⤵PID:5876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe1⤵PID:4240
-
C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exeC:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe2⤵PID:5380
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe .1⤵PID:2376
-
C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exeC:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe .2⤵PID:5848
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\itkbtkxskxgcublsv.exe*."3⤵PID:2736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe1⤵PID:3236
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2056
-
-
C:\Windows\pdxrmgwupfrqlvisyvlz.exepdxrmgwupfrqlvisyvlz.exe2⤵PID:3248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe .1⤵PID:2752
-
C:\Windows\pdxrmgwupfrqlvisyvlz.exepdxrmgwupfrqlvisyvlz.exe .2⤵PID:3152
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\pdxrmgwupfrqlvisyvlz.exe*."3⤵PID:5756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe1⤵PID:4668
-
C:\Windows\pdxrmgwupfrqlvisyvlz.exepdxrmgwupfrqlvisyvlz.exe2⤵PID:3012
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe .1⤵PID:4248
-
C:\Windows\blbriykevhpkbhqw.exeblbriykevhpkbhqw.exe .2⤵PID:4680
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\blbriykevhpkbhqw.exe*."3⤵PID:5436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe1⤵PID:5216
-
C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exeC:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe2⤵PID:2392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .1⤵PID:5524
-
C:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exeC:\Users\Admin\AppData\Local\Temp\etojfarqmdqqmxlwdbshc.exe .2⤵PID:2744
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\etojfarqmdqqmxlwdbshc.exe*."3⤵PID:5768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe1⤵PID:2144
-
C:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exeC:\Users\Admin\AppData\Local\Temp\pdxrmgwupfrqlvisyvlz.exe2⤵PID:4604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe .1⤵PID:3456
-
C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exeC:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe .2⤵PID:4496
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\itkbtkxskxgcublsv.exe*."3⤵PID:5984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe1⤵PID:3508
-
C:\Windows\rdvngymibpzwpxiqup.exerdvngymibpzwpxiqup.exe2⤵PID:4548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c blbriykevhpkbhqw.exe .1⤵PID:2852
-
C:\Windows\blbriykevhpkbhqw.exeblbriykevhpkbhqw.exe .2⤵PID:1460
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\blbriykevhpkbhqw.exe*."3⤵PID:4516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pdxrmgwupfrqlvisyvlz.exe1⤵PID:3648
-
C:\Windows\pdxrmgwupfrqlvisyvlz.exepdxrmgwupfrqlvisyvlz.exe2⤵PID:2016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rdvngymibpzwpxiqup.exe .1⤵PID:716
-
C:\Windows\rdvngymibpzwpxiqup.exerdvngymibpzwpxiqup.exe .2⤵PID:5912
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\rdvngymibpzwpxiqup.exe*."3⤵PID:5004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe1⤵PID:1920
-
C:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exeC:\Users\Admin\AppData\Local\Temp\cpibvodaujusmvhqvrg.exe2⤵PID:4532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe .1⤵PID:5000
-
C:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exeC:\Users\Admin\AppData\Local\Temp\itkbtkxskxgcublsv.exe .2⤵PID:5060
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\itkbtkxskxgcublsv.exe*."3⤵PID:2412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe1⤵PID:720
-
C:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exeC:\Users\Admin\AppData\Local\Temp\blbriykevhpkbhqw.exe2⤵PID:5408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rdvngymibpzwpxiqup.exe .1⤵PID:4700
Network
MITRE ATT&CK Enterprise v16 (count of matching signatures in parentheses)
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads