Analysis
max time kernel: 58s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 18/04/2025, 11:49
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe
  Resource: win10v2004-20250314-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe
  Resource: win11-20250410-en
General
Target: JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe
Size: 492KB
MD5: bdec6237d2f7f80e1250e09df51e3d02
SHA1: 73bbd2918a981f181299342a44b8afc0e0923f7d
SHA256: a7ba2a0628020aa108b91798907146015ab98527a7b59ac8836865c6d9e1e12b
SHA512: e0c1276cabc70b4fe6c936854e10eafba6c5860824d82007c2513d408d1167611b24ae6d5fe992ce12500d6d08ace5b966535ad236bb142af5f677f0ade1af8b
SSDEEP: 12288:8pUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsr:8pUNr6YkVRFkgbeqeo68FhqG
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 29 IoCs)
Pykspa family
UAC bypass (3 TTPs, 38 IoCs)
Detect Pykspa worm (2 IoCs)
resource | yara_rule
behavioral2/files/0x000a00000002a906-4.dat | family_pykspa
behavioral2/files/0x001500000002b21d-82.dat | family_pykspa
Adds policy Run key to start application (2 TTPs, 64 IoCs)
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wgosv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wgosv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wgosv.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xidoeloehsn.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wgosv.exe
Executes dropped EXE (64 IoCs)
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | wgosv.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | wgosv.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | wgosv.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | wgosv.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | wgosv.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | wgosv.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
Checks whether UAC is enabled 1 TTPs 58 IoCs
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | wgosv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | wgosv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | xidoeloehsn.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | whatismyip.everdot.org
1 | www.whatismyip.ca
1 | whatismyipaddress.com
1 | www.showmyipaddress.com
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | C:\autorun.inf | wgosv.exe
File opened for modification | F:\autorun.inf | wgosv.exe
File created | F:\autorun.inf | wgosv.exe
File opened for modification | C:\autorun.inf | wgosv.exe
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\binooknuxvegsubztalsxyyu.ehf | wgosv.exe
File created | C:\Program Files (x86)\binooknuxvegsubztalsxyyu.ehf | wgosv.exe
File opened for modification | C:\Program Files (x86)\kcsepwkcqztgdqirwokcsepwkcqztgdqirw.kcs | wgosv.exe
File created | C:\Program Files (x86)\kcsepwkcqztgdqirwokcsepwkcqztgdqirw.kcs | wgosv.exe
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1376 | wgosv.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | wgosv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wgosv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wgosv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wgosv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wgosv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | wgosv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | wgosv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | wgosv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wgosv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | wgosv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | wgosv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | wgosv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wgosv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wgosv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | wgosv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | wgosv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | wgosv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe (PID 3120)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdec6237d2f7f80e1250e09df51e3d02.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 3508)
    Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_bdec6237d2f7f80e1250e09df51e3d02.exe*"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - System policy modification
    Level 3: C:\Users\Admin\AppData\Local\Temp\wgosv.exe (PID 1376)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wgosv.exe" "-C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Impair Defenses: Safe Mode Boot
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
    Level 3: C:\Users\Admin\AppData\Local\Temp\wgosv.exe (PID 1972)
      Command line: "C:\Users\Admin\AppData\Local\Temp\wgosv.exe" "-C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
Level 1: C:\Windows\system32\cmd.exe (PID 4556)
  Command line: C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\jgbsiunkdrqikcznxu.exe (PID 2004)
    Command line: jgbsiunkdrqikcznxu.exe
    - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 1684)
  Command line: C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\jgbsiunkdrqikcznxu.exe (PID 4904)
    Command line: jgbsiunkdrqikcznxu.exe .
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 4952)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."
      - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 4988)
  Command line: C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\hgdwocxwrhicgazpbadc.exe (PID 5072)
    Command line: hgdwocxwrhicgazpbadc.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

Level 1: C:\Windows\system32\cmd.exe (PID 3348)
  Command line: C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\jgbsiunkdrqikcznxu.exe (PID 2320)
    Command line: jgbsiunkdrqikcznxu.exe .
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 1416)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."
      - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 944)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe (PID 3164)
    Command line: C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
    - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 4944)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe (PID 5084)
    Command line: C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 5116)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."
      - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 3404)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe (PID 4352)
    Command line: C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

Level 1: C:\Windows\system32\cmd.exe (PID 3408)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe (PID 3760)
    Command line: C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 3784)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."
      - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 6032)
  Command line: C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\jgbsiunkdrqikcznxu.exe (PID 1760)
    Command line: jgbsiunkdrqikcznxu.exe
    - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 5312)
  Command line: C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\hgdwocxwrhicgazpbadc.exe (PID 4280)
    Command line: hgdwocxwrhicgazpbadc.exe
    - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 488)
  Command line: C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\jgbsiunkdrqikcznxu.exe (PID 5952)
    Command line: jgbsiunkdrqikcznxu.exe .
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 3000)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."
      - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 3032)
  Command line: C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\tohwkulgxjgwwmht.exe (PID 3112)
    Command line: tohwkulgxjgwwmht.exe .
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 5452)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."
      - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 1044)
  Command line: C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\tohwkulgxjgwwmht.exe (PID 2812)
    Command line: tohwkulgxjgwwmht.exe
    - Executes dropped EXE
Level 1: C:\Windows\system32\cmd.exe (PID 4396)
  Command line: C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
  Level 2: C:\Windows\wwuohwssofhchcctggkki.exe (PID 1876)
    Command line: wwuohwssofhchcctggkki.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

Level 1: C:\Windows\system32\cmd.exe (PID 3060)
  Command line: C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .
  Level 2: C:\Windows\awqgvgyumzxopgcpy.exe (PID 5980)
    Command line: awqgvgyumzxopgcpy.exe .
    - Executes dropped EXE
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 2368)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."
      - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 3388)
  Command line: C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .
  Level 2: C:\Windows\jgbsiunkdrqikcznxu.exe (PID 2824)
    Command line: jgbsiunkdrqikcznxu.exe .
    - Executes dropped EXE
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 3796)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

Level 1: C:\Windows\system32\cmd.exe (PID 4092)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
  Level 2: C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe (PID 3924)
    Command line: C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
    - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 5172)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
  Level 2: C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe (PID 4540)
    Command line: C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
    - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 1552)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
  Level 2: C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe (PID 6060)
    Command line: C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 4884)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."
      - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 4320)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
  Level 2: C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe (PID 2632)
    Command line: C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .
    - Executes dropped EXE
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 5848)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."
      - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 1424)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
  Level 2: C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe (PID 4648)
    Command line: C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
    - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 5148)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
  Level 2: C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe (PID 796)
    Command line: C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
    - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 5844)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
  Level 2: C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe (PID 6020)
    Command line: C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
    - Executes dropped EXE
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 5792)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."
      - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 1216)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
  Level 2: C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe (PID 5804)
    Command line: C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
    - Executes dropped EXE
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 5500)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."
      - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 5796)
  Command line: C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
  Level 2: C:\Windows\jgbsiunkdrqikcznxu.exe (PID 2816)
    Command line: jgbsiunkdrqikcznxu.exe
    - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 840)
  Command line: C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .
  Level 2: C:\Windows\hgdwocxwrhicgazpbadc.exe (PID 4248)
    Command line: hgdwocxwrhicgazpbadc.exe .
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 416)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."
      - Executes dropped EXE
Level 1: C:\Windows\system32\cmd.exe (PID 3056)
  Command line: C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe
  Level 2: C:\Windows\tohwkulgxjgwwmht.exe (PID 4892)
    Command line: tohwkulgxjgwwmht.exe
    - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 1104)
  Command line: C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .
  Level 2: C:\Windows\wwuohwssofhchcctggkki.exe (PID 5040)
    Command line: wwuohwssofhchcctggkki.exe .
    - Executes dropped EXE
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 2336)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."
      - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 5032)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
  Level 2: C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe (PID 704)
    Command line: C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

Level 1: C:\Windows\system32\cmd.exe (PID 420)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
  Level 2: C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe (PID 1416)
    Command line: C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
    - Executes dropped EXE
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 5056)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."
      - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 3636)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
  Level 2: C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe (PID 5084)
    Command line: C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
    - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 1904)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
  Level 2: C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe (PID 5752)
    Command line: C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .
    - Executes dropped EXE
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 4220)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

Level 1: C:\Windows\system32\cmd.exe (PID 2052)
  Command line: C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe
  Level 2: C:\Windows\usogxkecwllehaynywy.exe (PID 4428)
    Command line: usogxkecwllehaynywy.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

Level 1: C:\Windows\system32\cmd.exe (PID 3408)
  Command line: C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
  Level 2: C:\Windows\wwuohwssofhchcctggkki.exe (PID 5336)
    Command line: wwuohwssofhchcctggkki.exe
    - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 5876)
  Command line: C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .
  Level 2: C:\Windows\hgdwocxwrhicgazpbadc.exe (PID 4572)
    Command line: hgdwocxwrhicgazpbadc.exe .
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 5252)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."
      - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 5316)
  Command line: C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe
  Level 2: C:\Windows\awqgvgyumzxopgcpy.exe (PID 5536)
    Command line: awqgvgyumzxopgcpy.exe
    - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 5368)
  Command line: C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe
  Level 2: C:\Windows\usogxkecwllehaynywy.exe (PID 3928)
    Command line: usogxkecwllehaynywy.exe
    - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 3220)
  Command line: C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .
  Level 2: C:\Windows\wwuohwssofhchcctggkki.exe (PID 2092)
    Command line: wwuohwssofhchcctggkki.exe .
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 2304)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."
      - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 3412)
  Command line: C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .
  Level 2: C:\Windows\usogxkecwllehaynywy.exe (PID 2936)
    Command line: usogxkecwllehaynywy.exe .
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 744)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."
      - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 5528)
  Command line: C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .
  Level 2: C:\Windows\tohwkulgxjgwwmht.exe (PID 2160)
    Command line: tohwkulgxjgwwmht.exe .
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 5432)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."
Level 1: C:\Windows\system32\cmd.exe (PID 5532)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
  Level 2: C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe (PID 6116)
    Command line: C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
    - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 748)
  Command line: C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
  Level 2: C:\Windows\jgbsiunkdrqikcznxu.exe (PID 5980)
    Command line: jgbsiunkdrqikcznxu.exe
    - Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe (PID 3888)
  Command line: C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe
  Level 2: C:\Windows\usogxkecwllehaynywy.exe (PID 2824)
    Command line: usogxkecwllehaynywy.exe

Level 1: C:\Windows\system32\cmd.exe (PID 5164)
  Command line: C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .
  Level 2: C:\Windows\wwuohwssofhchcctggkki.exe (PID 3764)
    Command line: wwuohwssofhchcctggkki.exe .
    - System Location Discovery: System Language Discovery
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 5732)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

Level 1: C:\Windows\system32\cmd.exe (PID 3032)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
  Level 2: C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe (PID 5180)
    Command line: C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .
    - System Location Discovery: System Language Discovery
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 4320)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."

Level 1: C:\Windows\system32\cmd.exe (PID 5524)
  Command line: C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .
  Level 2: C:\Windows\hgdwocxwrhicgazpbadc.exe (PID 400)
    Command line: hgdwocxwrhicgazpbadc.exe .
    - System Location Discovery: System Language Discovery
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 5776)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."

Level 1: C:\Windows\system32\cmd.exe (PID 5476)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
  Level 2: C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe (PID 5808)
    Command line: C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

Level 1: C:\Windows\system32\cmd.exe (PID 5152)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe
  Level 2: C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe (PID 5940)
    Command line: C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe

Level 1: C:\Windows\system32\cmd.exe (PID 4552)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
  Level 2: C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe (PID 688)
    Command line: C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 4688)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."

Level 1: C:\Windows\system32\cmd.exe (PID 1456)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
  Level 2: C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe (PID 2516)
    Command line: C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
    - System Location Discovery: System Language Discovery
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 4500)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."

Level 1: C:\Windows\system32\cmd.exe (PID 1780)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe
  Level 2: C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe (PID 4212)
    Command line: C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe

Level 1: C:\Windows\system32\cmd.exe (PID 1212)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
  Level 2: C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe (PID 5148)
    Command line: C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 3476)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."

Level 1: C:\Windows\system32\cmd.exe (PID 3456)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe
  Level 2: C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe (PID 3800)
    Command line: C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe

Level 1: C:\Windows\system32\cmd.exe (PID 2200)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
  Level 2: C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe (PID 1148)
    Command line: C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

Level 1: C:\Windows\system32\cmd.exe (PID 1532)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
  Level 2: C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe (PID 5800)
    Command line: C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 4776)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."

Level 1: C:\Windows\system32\cmd.exe (PID 4156)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
  Level 2: C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe (PID 5844)
    Command line: C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 5832)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."

Level 1: C:\Windows\system32\cmd.exe (PID 2256)
  Command line: C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe
  Level 2: C:\Windows\jgbsiunkdrqikcznxu.exe (PID 4888)
    Command line: jgbsiunkdrqikcznxu.exe

Level 1: C:\Windows\system32\cmd.exe (PID 416)
  Command line: C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .
  Level 2: C:\Windows\wwuohwssofhchcctggkki.exe (PID 5096)
    Command line: wwuohwssofhchcctggkki.exe .
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 2336)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."

Level 1: C:\Windows\system32\cmd.exe (PID 1088)
  Command line: C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe
  Level 2: C:\Windows\wwuohwssofhchcctggkki.exe (PID 2956)
    Command line: wwuohwssofhchcctggkki.exe

Level 1: C:\Windows\system32\cmd.exe (PID 4904)
  Command line: C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .
  Level 2: C:\Windows\tohwkulgxjgwwmht.exe (PID 5308)
    Command line: tohwkulgxjgwwmht.exe .
    - System Location Discovery: System Language Discovery
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 5856)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."

Level 1: C:\Windows\system32\cmd.exe (PID 468)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe
  Level 2: C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe (PID 5372)
    Command line: C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe

Level 1: C:\Windows\system32\cmd.exe (PID 420)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
  Level 2: C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe (PID 3316)
    Command line: C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .
    - System Location Discovery: System Language Discovery
    Level 3: C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 3872)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."

Level 1: C:\Windows\system32\cmd.exe (PID 4340)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe2⤵PID:5092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .1⤵PID:1860
-
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exeC:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .2⤵PID:5352
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe1⤵PID:3180
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe2⤵PID:5536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .1⤵PID:5816
-
C:\Windows\tohwkulgxjgwwmht.exetohwkulgxjgwwmht.exe .2⤵PID:5780
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."3⤵PID:2536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe1⤵PID:4700
-
C:\Windows\wwuohwssofhchcctggkki.exewwuohwssofhchcctggkki.exe2⤵PID:2908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .1⤵PID:5368
-
C:\Windows\tohwkulgxjgwwmht.exetohwkulgxjgwwmht.exe .2⤵PID:5304
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."3⤵PID:2304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe1⤵PID:5396
-
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe2⤵PID:5952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .1⤵PID:4628
-
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exeC:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .2⤵PID:1716
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."3⤵PID:4244
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe1⤵PID:1784
-
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe2⤵PID:5272
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .1⤵PID:4440
-
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exeC:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .2⤵PID:3508
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe1⤵PID:4108
-
C:\Windows\tohwkulgxjgwwmht.exetohwkulgxjgwwmht.exe2⤵PID:536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .1⤵PID:4916
-
C:\Windows\wwuohwssofhchcctggkki.exewwuohwssofhchcctggkki.exe .2⤵PID:2276
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."3⤵PID:5412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe1⤵PID:4912
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe2⤵PID:6064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .1⤵PID:5476
-
C:\Windows\usogxkecwllehaynywy.exeusogxkecwllehaynywy.exe .2⤵PID:5776
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."3⤵PID:4772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe1⤵PID:5164
-
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exeC:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe2⤵PID:1216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .1⤵PID:4648
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5848
-
-
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."3⤵PID:6024
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe1⤵PID:3684
-
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe2⤵PID:2404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .1⤵PID:1820
-
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exeC:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5744 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe1⤵PID:5804
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5792
-
-
C:\Windows\hgdwocxwrhicgazpbadc.exehgdwocxwrhicgazpbadc.exe2⤵PID:4684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .1⤵PID:1248
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5896 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."3⤵PID:5228
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe1⤵PID:5436
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe2⤵PID:1964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .1⤵PID:4860
-
C:\Windows\hgdwocxwrhicgazpbadc.exehgdwocxwrhicgazpbadc.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5760 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."3⤵PID:5168
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe1⤵PID:5416
-
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe2⤵PID:1000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .1⤵PID:1712
-
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exeC:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .2⤵PID:5000
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."3⤵PID:5096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe1⤵PID:704
-
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe2⤵PID:4968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .1⤵PID:5872
-
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .2⤵PID:1896
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
PID:720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe1⤵PID:3164
-
C:\Windows\wwuohwssofhchcctggkki.exewwuohwssofhchcctggkki.exe2⤵PID:4460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .1⤵PID:3316
-
C:\Windows\usogxkecwllehaynywy.exeusogxkecwllehaynywy.exe .2⤵PID:420
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."3⤵PID:5116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe1⤵PID:4944
-
C:\Windows\wwuohwssofhchcctggkki.exewwuohwssofhchcctggkki.exe2⤵PID:5296
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .1⤵PID:3488
-
C:\Windows\tohwkulgxjgwwmht.exetohwkulgxjgwwmht.exe .2⤵PID:1860
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."3⤵PID:5064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe1⤵PID:2052
-
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exeC:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe2⤵PID:1868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .1⤵PID:5868
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .2⤵PID:3640
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."3⤵PID:2536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe1⤵PID:5160
-
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exeC:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe2⤵PID:5860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .1⤵PID:5328
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .2⤵PID:2820
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe1⤵PID:1724
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:744
-
-
C:\Windows\tohwkulgxjgwwmht.exetohwkulgxjgwwmht.exe2⤵PID:2264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .1⤵PID:1716
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6116
-
-
C:\Windows\wwuohwssofhchcctggkki.exewwuohwssofhchcctggkki.exe .2⤵PID:3904
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."3⤵PID:2824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe1⤵PID:560
-
C:\Windows\tohwkulgxjgwwmht.exetohwkulgxjgwwmht.exe2⤵PID:1888
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .1⤵PID:1044
-
C:\Windows\usogxkecwllehaynywy.exeusogxkecwllehaynywy.exe .2⤵PID:904
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."3⤵PID:784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe1⤵PID:3900
-
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exeC:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe2⤵PID:5808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .1⤵PID:1640
-
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exeC:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .2⤵PID:2980
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."3⤵PID:5412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe1⤵PID:4916
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe2⤵PID:5772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .1⤵PID:4528
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5940
-
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .2⤵PID:2756
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe1⤵PID:4212
-
C:\Windows\hgdwocxwrhicgazpbadc.exehgdwocxwrhicgazpbadc.exe2⤵PID:6096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .1⤵PID:4784
-
C:\Windows\hgdwocxwrhicgazpbadc.exehgdwocxwrhicgazpbadc.exe .2⤵PID:4240
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."3⤵PID:5360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe1⤵PID:2404
-
C:\Windows\usogxkecwllehaynywy.exeusogxkecwllehaynywy.exe2⤵PID:4380
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe1⤵PID:4828
-
C:\Windows\awqgvgyumzxopgcpy.exeawqgvgyumzxopgcpy.exe2⤵PID:3720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .1⤵PID:4092
-
C:\Windows\awqgvgyumzxopgcpy.exeawqgvgyumzxopgcpy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:6020 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."3⤵PID:3388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe1⤵PID:2668
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe2⤵PID:1456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe1⤵PID:5248
-
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe2⤵PID:6072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .1⤵PID:2060
-
C:\Windows\awqgvgyumzxopgcpy.exeawqgvgyumzxopgcpy.exe .2⤵PID:4556
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."3⤵PID:3912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .1⤵PID:5132
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .2⤵PID:1028
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."3⤵PID:2228
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .1⤵PID:5544
-
C:\Windows\hgdwocxwrhicgazpbadc.exehgdwocxwrhicgazpbadc.exe .2⤵PID:2728
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:6132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe1⤵PID:1992
-
C:\Windows\tohwkulgxjgwwmht.exetohwkulgxjgwwmht.exe2⤵PID:1148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .1⤵PID:5036
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5000
-
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe .2⤵PID:5448
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."3⤵PID:3688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe1⤵PID:5052
-
C:\Windows\wwuohwssofhchcctggkki.exewwuohwssofhchcctggkki.exe2⤵PID:1904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe1⤵PID:5004
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe2⤵PID:4284
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe1⤵PID:704
-
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe2⤵PID:4752
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .1⤵PID:5308
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1220 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."3⤵PID:4644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .1⤵PID:4496
-
C:\Windows\wwuohwssofhchcctggkki.exewwuohwssofhchcctggkki.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."3⤵PID:4628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .1⤵PID:3328
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .2⤵PID:4332
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."3⤵PID:3708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe1⤵PID:3748
-
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exeC:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe2⤵PID:4424
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .1⤵PID:3020
-
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4972 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."3⤵PID:5260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe1⤵PID:1868
-
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exeC:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe2⤵PID:3840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .1⤵PID:5048
-
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exeC:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .2⤵PID:1496
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."3⤵PID:5312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe1⤵PID:2972
-
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exeC:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe2⤵PID:5560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe1⤵PID:2092
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe2⤵PID:1716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .1⤵PID:5512
-
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exeC:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .2⤵PID:1068
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."3⤵PID:4476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .1⤵PID:1724
-
C:\Windows\usogxkecwllehaynywy.exeusogxkecwllehaynywy.exe .2⤵PID:1784
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."3⤵PID:2660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe1⤵PID:5608
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe2⤵PID:1160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .1⤵PID:4980
-
C:\Windows\tohwkulgxjgwwmht.exetohwkulgxjgwwmht.exe .2⤵PID:2760
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."3⤵PID:1640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe1⤵PID:404
-
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe2⤵PID:4336
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .1⤵PID:5612
-
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .2⤵PID:4916
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."3⤵PID:3112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe1⤵PID:1952
-
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exeC:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe2⤵PID:3568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .1⤵PID:1592
-
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exeC:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .2⤵PID:2864
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe1⤵PID:5660
-
C:\Windows\awqgvgyumzxopgcpy.exeawqgvgyumzxopgcpy.exe2⤵PID:4544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .1⤵PID:4212
-
C:\Windows\hgdwocxwrhicgazpbadc.exehgdwocxwrhicgazpbadc.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3684 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."3⤵PID:1864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe1⤵PID:2516
-
C:\Windows\wwuohwssofhchcctggkki.exewwuohwssofhchcctggkki.exe2⤵PID:3420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .1⤵PID:3544
-
C:\Windows\usogxkecwllehaynywy.exeusogxkecwllehaynywy.exe .2⤵PID:5248
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."3⤵PID:1432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe1⤵PID:3088
-
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exeC:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe2⤵PID:5788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .1⤵PID:4776
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1000
-
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4872 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."3⤵PID:4956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe1⤵PID:4856
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe2⤵PID:2124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .1⤵PID:4892
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5800
-
-
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exeC:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1548 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe1⤵PID:5828
-
C:\Windows\usogxkecwllehaynywy.exeusogxkecwllehaynywy.exe2⤵PID:4720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .1⤵PID:5720
-
C:\Windows\hgdwocxwrhicgazpbadc.exehgdwocxwrhicgazpbadc.exe .2⤵PID:4308
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."3⤵PID:6076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe1⤵PID:4464
-
C:\Windows\hgdwocxwrhicgazpbadc.exehgdwocxwrhicgazpbadc.exe2⤵PID:800
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .1⤵PID:2224
-
C:\Windows\awqgvgyumzxopgcpy.exeawqgvgyumzxopgcpy.exe .2⤵PID:2844
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."3⤵PID:2820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe1⤵PID:2996
-
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe2⤵PID:4652
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .1⤵PID:3840
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:720
-
-
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exeC:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1080 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."3⤵PID:5308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe1⤵PID:944
-
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exeC:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe2⤵PID:2384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .1⤵PID:5160
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .2⤵PID:876
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe1⤵PID:1716
-
C:\Windows\usogxkecwllehaynywy.exeusogxkecwllehaynywy.exe2⤵PID:5312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .1⤵PID:2908
-
C:\Windows\tohwkulgxjgwwmht.exetohwkulgxjgwwmht.exe .2⤵PID:3168
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."3⤵PID:4976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe1⤵PID:3468
-
C:\Windows\tohwkulgxjgwwmht.exetohwkulgxjgwwmht.exe2⤵PID:4868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .1⤵PID:1068
-
C:\Windows\awqgvgyumzxopgcpy.exeawqgvgyumzxopgcpy.exe .2⤵PID:2016
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."3⤵PID:5532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe1⤵PID:748
-
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe2⤵PID:2660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .1⤵PID:3944
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4244 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."3⤵PID:1636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe1⤵PID:3764
-
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exeC:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe2⤵PID:2980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .1⤵PID:404
-
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .2⤵PID:5656
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe1⤵PID:4528
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2756
-
-
C:\Windows\tohwkulgxjgwwmht.exetohwkulgxjgwwmht.exe2⤵PID:3568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .1⤵PID:240
-
C:\Windows\usogxkecwllehaynywy.exeusogxkecwllehaynywy.exe .2⤵PID:4656
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."3⤵PID:5940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe1⤵PID:3204
-
C:\Windows\wwuohwssofhchcctggkki.exewwuohwssofhchcctggkki.exe2⤵PID:5736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .1⤵PID:6024
-
C:\Windows\hgdwocxwrhicgazpbadc.exehgdwocxwrhicgazpbadc.exe .2⤵PID:5848
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."3⤵PID:228
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe1⤵PID:1424
-
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe2⤵PID:2064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .1⤵PID:276
-
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exeC:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .2⤵PID:5596
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."3⤵PID:244
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe1⤵PID:1280
-
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe2⤵PID:4152
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .1⤵PID:4660
-
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1248 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe1⤵PID:2124
-
C:\Windows\hgdwocxwrhicgazpbadc.exehgdwocxwrhicgazpbadc.exe2⤵PID:4856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .1⤵PID:5460
-
C:\Windows\wwuohwssofhchcctggkki.exewwuohwssofhchcctggkki.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5960 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."3⤵PID:1260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe1⤵PID:4932
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe2⤵PID:3368
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .1⤵PID:3352
-
C:\Windows\wwuohwssofhchcctggkki.exewwuohwssofhchcctggkki.exe .2⤵PID:5072
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."3⤵PID:3408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe1⤵PID:2284
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5536
-
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe2⤵PID:4780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .1⤵PID:4992
-
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exeC:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .2⤵PID:5036
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."3⤵PID:1896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe1⤵PID:5268
-
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe2⤵PID:3356
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .1⤵PID:2996
-
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exeC:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .2⤵PID:4876
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe1⤵PID:1080
-
C:\Windows\awqgvgyumzxopgcpy.exeawqgvgyumzxopgcpy.exe2⤵PID:3840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .1⤵PID:2904
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe .2⤵PID:576
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."3⤵PID:1992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe1⤵PID:5520
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe2⤵PID:4628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe1⤵PID:3220
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe2⤵PID:3224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .1⤵PID:3020
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3412 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."3⤵PID:6116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe1⤵PID:2296
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1716
-
-
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exeC:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe2⤵PID:3428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .1⤵PID:1760
-
C:\Windows\awqgvgyumzxopgcpy.exeawqgvgyumzxopgcpy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4456 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."3⤵PID:1460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe1⤵PID:1824
-
C:\Windows\usogxkecwllehaynywy.exeusogxkecwllehaynywy.exe2⤵PID:2472
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .1⤵PID:904
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2908
-
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .2⤵PID:5532
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."3⤵PID:1812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe1⤵PID:3556
-
C:\Windows\usogxkecwllehaynywy.exeusogxkecwllehaynywy.exe2⤵PID:2980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .1⤵PID:2276
-
C:\Windows\tohwkulgxjgwwmht.exetohwkulgxjgwwmht.exe .2⤵PID:3680
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."3⤵PID:5888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .1⤵PID:4336
-
C:\Windows\usogxkecwllehaynywy.exeusogxkecwllehaynywy.exe .2⤵PID:5348
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
PID:5848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe1⤵PID:796
-
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe2⤵PID:2916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe1⤵PID:5720
-
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exeC:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe2⤵PID:1360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe1⤵PID:2940
-
C:\Windows\tohwkulgxjgwwmht.exetohwkulgxjgwwmht.exe2⤵PID:5820
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .1⤵PID:5772
-
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exeC:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4240 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."3⤵PID:2468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .1⤵PID:400
-
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1500 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."3⤵PID:840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .1⤵PID:1076
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3104 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."3⤵PID:4424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe1⤵PID:5360
-
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exeC:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe2⤵PID:5148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .1⤵PID:1424
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3420
-
-
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5844 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."3⤵PID:5800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe1⤵PID:2248
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe2⤵PID:6072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .1⤵PID:1620
-
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exeC:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .2⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."3⤵PID:3108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe1⤵PID:6092
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe2⤵PID:1148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe1⤵PID:3472
-
C:\Windows\wwuohwssofhchcctggkki.exewwuohwssofhchcctggkki.exe2⤵PID:1544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .1⤵PID:248
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2228
-
-
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exeC:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4900 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."3⤵PID:5372
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .1⤵PID:656
-
C:\Windows\usogxkecwllehaynywy.exeusogxkecwllehaynywy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2512 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."3⤵PID:3688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe1⤵PID:5072
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe2⤵PID:2288
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .1⤵PID:1532
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4720
-
-
C:\Windows\awqgvgyumzxopgcpy.exeawqgvgyumzxopgcpy.exe .2⤵PID:2256
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."3⤵PID:420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe1⤵PID:2300
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3640
-
-
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe2⤵PID:2924
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .1⤵PID:3356
-
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exeC:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .2⤵PID:5028
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."3⤵PID:5288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe1⤵PID:5944
-
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exeC:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe2⤵PID:2224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .1⤵PID:2052
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4824 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe1⤵PID:684
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1992
-
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe2⤵PID:3784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .1⤵PID:4628
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe .2⤵PID:2828
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."3⤵PID:2084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe1⤵PID:4960
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe2⤵PID:6116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .1⤵PID:1888
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:436 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."3⤵PID:716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe1⤵PID:1824
-
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exeC:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe2⤵PID:5432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .1⤵PID:3760
-
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .2⤵PID:4244
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."3⤵PID:4512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe1⤵PID:2760
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe2⤵PID:4440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .1⤵PID:3008
-
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .2⤵PID:1564
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
PID:5060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe1⤵PID:1780
-
C:\Windows\awqgvgyumzxopgcpy.exeawqgvgyumzxopgcpy.exe2⤵PID:5388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .1⤵PID:228
-
C:\Windows\wwuohwssofhchcctggkki.exewwuohwssofhchcctggkki.exe .2⤵PID:3908
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."3⤵PID:4536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe1⤵PID:5320
-
C:\Windows\wwuohwssofhchcctggkki.exewwuohwssofhchcctggkki.exe2⤵PID:5792
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe .1⤵PID:3476
-
C:\Windows\tohwkulgxjgwwmht.exetohwkulgxjgwwmht.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*."3⤵PID:4684
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe1⤵PID:5420
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe2⤵PID:3720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .1⤵PID:4556
-
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .2⤵
- System Location Discovery: System Language Discovery
PID:788 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."3⤵PID:400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe1⤵PID:2580
-
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exeC:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe2⤵PID:5248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .1⤵PID:1820
-
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exeC:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe .2⤵PID:1712
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe1⤵PID:3108
-
C:\Windows\wwuohwssofhchcctggkki.exewwuohwssofhchcctggkki.exe2⤵PID:4884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .1⤵PID:5796
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."3⤵PID:5312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe1⤵PID:4700
-
C:\Windows\wwuohwssofhchcctggkki.exewwuohwssofhchcctggkki.exe2⤵PID:2320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .1⤵PID:3588
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe .2⤵PID:5780
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."3⤵PID:3176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe1⤵PID:4640
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe2⤵PID:5968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .1⤵PID:3368
-
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exeC:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .2⤵PID:1076
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."3⤵PID:4464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe1⤵PID:5072
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe2⤵PID:2924
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .1⤵PID:3808
-
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exeC:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .2⤵PID:4268
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe1⤵PID:5104
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe2⤵PID:5852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .1⤵PID:3708
-
C:\Windows\wwuohwssofhchcctggkki.exewwuohwssofhchcctggkki.exe .2⤵PID:2416
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."3⤵PID:5876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe1⤵PID:3636
-
C:\Windows\hgdwocxwrhicgazpbadc.exehgdwocxwrhicgazpbadc.exe2⤵PID:5560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .1⤵PID:2076
-
C:\Windows\awqgvgyumzxopgcpy.exeawqgvgyumzxopgcpy.exe .2⤵PID:4740
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."3⤵PID:5868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe1⤵PID:2848
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe2⤵PID:5752
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .1⤵PID:2536
-
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2092 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."3⤵PID:940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe1⤵PID:3168
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1716
-
-
C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exeC:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe2⤵PID:872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .1⤵PID:5432
-
  C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe . | PID 3000
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*." | PID 2472
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe | PID 5012
  C:\Windows\hgdwocxwrhicgazpbadc.exe | hgdwocxwrhicgazpbadc.exe | PID 4440

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe . | PID 2640
  C:\Windows\hgdwocxwrhicgazpbadc.exe | hgdwocxwrhicgazpbadc.exe . | PID 5652
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*." | PID 4520

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe | PID 748
  C:\Windows\usogxkecwllehaynywy.exe | usogxkecwllehaynywy.exe | PID 3432

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe . | PID 4772
  C:\Windows\wwuohwssofhchcctggkki.exe | wwuohwssofhchcctggkki.exe . | PID 1732
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*." | PID 960

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | PID 3060
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4916
  C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | PID 1876

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe . | PID 2448
  C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe | C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe . | PID 772
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*." | PID 5988

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe | PID 4912
  C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe | PID 5244

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe . | PID 5148
  C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe . | PID 2468
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*." | PID 3720
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System policy modification
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe | PID 4048
  C:\Windows\hgdwocxwrhicgazpbadc.exe | hgdwocxwrhicgazpbadc.exe | PID 1412

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe . | PID 5168
  C:\Windows\awqgvgyumzxopgcpy.exe | awqgvgyumzxopgcpy.exe . | PID 2080
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*." | PID 3564

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe | PID 5228
  C:\Windows\wwuohwssofhchcctggkki.exe | wwuohwssofhchcctggkki.exe | PID 4220

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe . | PID 2456
  C:\Windows\wwuohwssofhchcctggkki.exe | wwuohwssofhchcctggkki.exe . | PID 1548
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*." | PID 8

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | PID 4880
  C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | PID 332

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe | PID 5864
  C:\Windows\tohwkulgxjgwwmht.exe | tohwkulgxjgwwmht.exe | PID 1496

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe . | PID 5528
  C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe . | PID 2860
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*." | PID 5084

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe . | PID 4340
  C:\Windows\jgbsiunkdrqikcznxu.exe | jgbsiunkdrqikcznxu.exe . | PID 4780
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*." | PID 4308

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe | PID 5968
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3688
  C:\Windows\wwuohwssofhchcctggkki.exe | wwuohwssofhchcctggkki.exe | PID 5796

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | PID 5460
  C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | PID 1112

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe | PID 4900
  C:\Windows\wwuohwssofhchcctggkki.exe | wwuohwssofhchcctggkki.exe | PID 4064

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe . | PID 1344
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5064
  C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe . | PID 5896
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*." | PID 5816
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe . | PID 4836
  C:\Windows\usogxkecwllehaynywy.exe | usogxkecwllehaynywy.exe . | PID 1096
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*." | PID 2224

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe . | PID 2956
  C:\Windows\jgbsiunkdrqikcznxu.exe | jgbsiunkdrqikcznxu.exe . | PID 6016
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*." | PID 1588

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | PID 3488
  C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | PID 3840

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe | PID 2432
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3356
  C:\Windows\usogxkecwllehaynywy.exe | usogxkecwllehaynywy.exe | PID 2784

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe . | PID 5328
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1220
  C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe . | PID 5716
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*." | PID 4756

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe . | PID 2996

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | PID 1632
  C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | PID 5520

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe . | PID 5584
  C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe . | PID 5808
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*." | PID 3572

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | PID 2084
  C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | PID 3180

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe . | PID 940
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 876
  C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe . | PID 5164
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*." | PID 3548

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe | PID 1460
  C:\Windows\wwuohwssofhchcctggkki.exe | wwuohwssofhchcctggkki.exe | PID 3164

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | PID 3788
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4456
  C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | PID 4976

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe . | PID 4244
  C:\Windows\usogxkecwllehaynywy.exe | usogxkecwllehaynywy.exe . | PID 5652
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*." | PID 4468

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe . | PID 560
  C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe . | PID 1812
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*." | PID 2616

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe | PID 5400
  C:\Windows\usogxkecwllehaynywy.exe | usogxkecwllehaynywy.exe | PID 1876

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe . | PID 3596
  C:\Windows\hgdwocxwrhicgazpbadc.exe | hgdwocxwrhicgazpbadc.exe . | PID 1360
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*." | PID 4388

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | PID 3568
  C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | PID 2940

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe . | PID 5348
  C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe . | PID 916
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*." | PID 5792

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | PID 4912
  C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | PID 5424

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe . | PID 660
  C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe . | PID 2744
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*." | PID 5524
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe | PID 3032
  C:\Windows\hgdwocxwrhicgazpbadc.exe | hgdwocxwrhicgazpbadc.exe | PID 3516

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe . | PID 5248
  C:\Windows\tohwkulgxjgwwmht.exe | tohwkulgxjgwwmht.exe . | PID 788
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*." | PID 5668

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe | PID 240
  C:\Windows\hgdwocxwrhicgazpbadc.exe | hgdwocxwrhicgazpbadc.exe | PID 1416

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe . | PID 2572
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1028
  C:\Windows\hgdwocxwrhicgazpbadc.exe | hgdwocxwrhicgazpbadc.exe . | PID 6024
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*." | PID 6092

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe | PID 5664
  C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe | C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe | PID 1148

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe . | PID 5864
  C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe . | PID 5448
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*." | PID 1912

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | PID 2972
  C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | PID 5780

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe . | PID 800
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 6076
  C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe . | PID 4428
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*." | PID 5416
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe | PID 5544
  C:\Windows\hgdwocxwrhicgazpbadc.exe | hgdwocxwrhicgazpbadc.exe | PID 5296

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe . | PID 4332
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4380
  C:\Windows\awqgvgyumzxopgcpy.exe | awqgvgyumzxopgcpy.exe . | PID 4964
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*." | PID 4432

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe | PID 3840
  C:\Windows\jgbsiunkdrqikcznxu.exe | jgbsiunkdrqikcznxu.exe | PID 1532

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe . | PID 5560
  C:\Windows\awqgvgyumzxopgcpy.exe | awqgvgyumzxopgcpy.exe . | PID 5260
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*." | PID 5052

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | PID 5444
  C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | PID 5316

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe . | PID 4836
  C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe . | PID 4636
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*." | PID 4904

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | PID 2956
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2784
  C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | PID 4292

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe . | PID 4972
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2820
  C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe | C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe . | PID 5716
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*." | PID 2432

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe | PID 5876
  C:\Windows\wwuohwssofhchcctggkki.exe | wwuohwssofhchcctggkki.exe | PID 3436

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe . | PID 684
  C:\Windows\awqgvgyumzxopgcpy.exe | awqgvgyumzxopgcpy.exe . | PID 1824
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*." | PID 5860

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe | PID 6044
  C:\Windows\wwuohwssofhchcctggkki.exe | wwuohwssofhchcctggkki.exe | PID 1688

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe . | PID 5704
  C:\Windows\tohwkulgxjgwwmht.exe | tohwkulgxjgwwmht.exe . | PID 1784
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*." | PID 2980
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | PID 3428
  C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | PID 5068

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe . | PID 904
  C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe . | PID 5016
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*." | PID 4736

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | PID 2184
  C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | PID 5532

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe . | PID 2908
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4940
  C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe . | PID 4476
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*." | PID 5512

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe | PID 1864
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1068
  C:\Windows\usogxkecwllehaynywy.exe | usogxkecwllehaynywy.exe | PID 916

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe . | PID 5776
  C:\Windows\usogxkecwllehaynywy.exe | usogxkecwllehaynywy.exe . | PID 1248
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*." | PID 2664

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe | PID 228
  C:\Windows\tohwkulgxjgwwmht.exe | tohwkulgxjgwwmht.exe | PID 4044

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe . | PID 5148
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5736
  C:\Windows\hgdwocxwrhicgazpbadc.exe | hgdwocxwrhicgazpbadc.exe . | PID 6008
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*." | PID 5404

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | PID 6004
  C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | PID 2248

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe . | PID 1456
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5060
  C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe . | PID 688
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*." | PID 5092

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | PID 1676
  C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | PID 1340

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe . | PID 3816
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5312
  C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe . | PID 648
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*." | PID 852

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe | PID 1904
  C:\Windows\hgdwocxwrhicgazpbadc.exe | hgdwocxwrhicgazpbadc.exe | PID 5644

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe . | PID 5660
  C:\Windows\wwuohwssofhchcctggkki.exe | wwuohwssofhchcctggkki.exe . | PID 4892
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*." | PID 4084

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe | PID 4988
  C:\Windows\tohwkulgxjgwwmht.exe | tohwkulgxjgwwmht.exe | PID 4700

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe . | PID 2004
  C:\Windows\tohwkulgxjgwwmht.exe | tohwkulgxjgwwmht.exe . | PID 1112
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*." | PID 5544

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe | PID 3660
  C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe | PID 2336

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe . | PID 3748
  C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe . | PID 5992
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*." | PID 5896

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe | PID 3408
  C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe | C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe | PID 4848

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe . | PID 5852
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4652
  C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe . | PID 5100
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*." | PID 704

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe | PID 4740
  C:\Windows\hgdwocxwrhicgazpbadc.exe | hgdwocxwrhicgazpbadc.exe | PID 5868

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe . | PID 4852
  C:\Windows\hgdwocxwrhicgazpbadc.exe | hgdwocxwrhicgazpbadc.exe . | PID 4860
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*." | PID 3636

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe | PID 6064
  C:\Windows\jgbsiunkdrqikcznxu.exe | jgbsiunkdrqikcznxu.exe | PID 4008

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe . | PID 4420
  C:\Windows\tohwkulgxjgwwmht.exe | tohwkulgxjgwwmht.exe . | PID 3904
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\tohwkulgxjgwwmht.exe*." | PID 5324

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | PID 112
  C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | PID 1104

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe . | PID 2384
  C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe | C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe . | PID 2220
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*." | PID 5116
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | PID 5860
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 6116
  C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | PID 3928

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe . | PID 5824
  C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe . | PID 6056
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*." | PID 5392

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe | PID 2332
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3224
  C:\Windows\jgbsiunkdrqikcznxu.exe | jgbsiunkdrqikcznxu.exe | PID 2536

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe . | PID 484
  C:\Windows\awqgvgyumzxopgcpy.exe | awqgvgyumzxopgcpy.exe . | PID 6028
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*." | PID 5900

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe | PID 5012
  C:\Windows\wwuohwssofhchcctggkki.exe | wwuohwssofhchcctggkki.exe | PID 2768

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe | PID 5888
  C:\Windows\awqgvgyumzxopgcpy.exe | awqgvgyumzxopgcpy.exe | PID 2600

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe . | PID 4352
  C:\Windows\hgdwocxwrhicgazpbadc.exe | hgdwocxwrhicgazpbadc.exe . | PID 2276
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*." | PID 1248

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe . | PID 5532
  C:\Windows\usogxkecwllehaynywy.exe | usogxkecwllehaynywy.exe . | PID 560
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*." | PID 1448

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe | PID 5848
  C:\Windows\awqgvgyumzxopgcpy.exe | awqgvgyumzxopgcpy.exe | PID 3060

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | PID 1008
  C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | PID 1780

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe | PID 3880
  C:\Windows\hgdwocxwrhicgazpbadc.exe | hgdwocxwrhicgazpbadc.exe | PID 1604

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe . | PID 4540
  C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe . | PID 4848
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*." | PID 1424

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe . | PID 5720
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 244
  C:\Windows\awqgvgyumzxopgcpy.exe | awqgvgyumzxopgcpy.exe . | PID 2864
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*." | PID 5800

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe . | PID 4212
  C:\Windows\awqgvgyumzxopgcpy.exe | awqgvgyumzxopgcpy.exe . | PID 1952
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*." | PID 2368

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe | PID 3476
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2080
  C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe | C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe | PID 332

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe | PID 2468
  C:\Windows\hgdwocxwrhicgazpbadc.exe | hgdwocxwrhicgazpbadc.exe | PID 5596

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | PID 2360
  C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | PID 4500

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe . | PID 5804
  C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe | C:\Users\Admin\AppData\Local\Temp\usogxkecwllehaynywy.exe . | PID 2572
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\usogxkecwllehaynywy.exe*." | PID 4548

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe . | PID 2516
  C:\Windows\wwuohwssofhchcctggkki.exe | wwuohwssofhchcctggkki.exe . | PID 3104
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*." | PID 4380

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe . | PID 3472
  C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe | C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe . | PID 4828
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*." | PID 5372

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | PID 1064
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4152
  C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | PID 2312

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe . | PID 5300
  C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe . | PID 4944
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*." | PID 5872

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | PID 5112
  C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe | PID 3176

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe . | PID 1432
-
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exeC:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .2⤵PID:4340
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."3⤵PID:3748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe1⤵PID:232
-
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exeC:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe2⤵PID:5896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .1⤵PID:4948
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe .2⤵PID:5104
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\awqgvgyumzxopgcpy.exe*."3⤵PID:420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe1⤵PID:2232
-
C:\Windows\tohwkulgxjgwwmht.exetohwkulgxjgwwmht.exe2⤵PID:3552
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .1⤵PID:5868
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5072
-
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe .2⤵PID:456
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."3⤵PID:4452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe1⤵PID:6124
-
C:\Windows\tohwkulgxjgwwmht.exetohwkulgxjgwwmht.exe2⤵PID:5716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .1⤵PID:4804
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4644
-
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe .2⤵PID:2848
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."3⤵PID:1596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe1⤵PID:5732
-
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exeC:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe2⤵PID:1860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .1⤵PID:1104
-
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .2⤵PID:112
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."3⤵PID:3484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe1⤵PID:1824
-
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exeC:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe2⤵PID:5272
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .1⤵PID:1688
-
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .2⤵PID:3076
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."3⤵PID:704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe1⤵PID:5856
-
C:\Windows\usogxkecwllehaynywy.exeusogxkecwllehaynywy.exe2⤵PID:6044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .1⤵PID:3144
-
C:\Windows\hgdwocxwrhicgazpbadc.exehgdwocxwrhicgazpbadc.exe .2⤵PID:5016
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."3⤵PID:5704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tohwkulgxjgwwmht.exe1⤵PID:5500
-
C:\Windows\tohwkulgxjgwwmht.exetohwkulgxjgwwmht.exe2⤵PID:5428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .1⤵PID:3432
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5388
-
-
C:\Windows\usogxkecwllehaynywy.exeusogxkecwllehaynywy.exe .2⤵PID:2980
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."3⤵PID:3624
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe1⤵PID:2936
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe2⤵PID:3716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .1⤵PID:1092
-
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .2⤵PID:2428
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."3⤵PID:5424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe1⤵PID:3200
-
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exeC:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe2⤵PID:2096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .1⤵PID:744
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5532
-
-
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exeC:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .2⤵PID:3896
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."3⤵PID:1008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe1⤵PID:3764
-
C:\Windows\hgdwocxwrhicgazpbadc.exehgdwocxwrhicgazpbadc.exe2⤵PID:4092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe .1⤵PID:5092
-
C:\Windows\wwuohwssofhchcctggkki.exewwuohwssofhchcctggkki.exe .2⤵PID:2540
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\wwuohwssofhchcctggkki.exe*."3⤵PID:1820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe1⤵PID:5800
-
C:\Windows\usogxkecwllehaynywy.exeusogxkecwllehaynywy.exe2⤵PID:3004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hgdwocxwrhicgazpbadc.exe .1⤵PID:2248
-
C:\Windows\hgdwocxwrhicgazpbadc.exehgdwocxwrhicgazpbadc.exe .2⤵PID:3596
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\hgdwocxwrhicgazpbadc.exe*."3⤵PID:3768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe1⤵PID:2932
-
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exeC:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe2⤵PID:2468
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .1⤵PID:1276
-
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exeC:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe .2⤵PID:5056
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\wwuohwssofhchcctggkki.exe*."3⤵PID:5660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe1⤵PID:5152
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe2⤵PID:1004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .1⤵PID:1912
-
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exeC:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .2⤵PID:5788
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."3⤵PID:5148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wwuohwssofhchcctggkki.exe1⤵PID:2580
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1260
-
-
C:\Windows\wwuohwssofhchcctggkki.exewwuohwssofhchcctggkki.exe2⤵PID:2256
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .1⤵PID:2288
-
C:\Windows\awqgvgyumzxopgcpy.exeawqgvgyumzxopgcpy.exe .2⤵PID:5544
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."3⤵PID:4588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe1⤵PID:5476
-
C:\Windows\awqgvgyumzxopgcpy.exeawqgvgyumzxopgcpy.exe2⤵PID:4108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe .1⤵PID:3056
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe .2⤵PID:5332
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\jgbsiunkdrqikcznxu.exe*."3⤵PID:4720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe1⤵PID:5300
-
C:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exeC:\Users\Admin\AppData\Local\Temp\wwuohwssofhchcctggkki.exe2⤵PID:5316
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .1⤵PID:1080
-
C:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exeC:\Users\Admin\AppData\Local\Temp\hgdwocxwrhicgazpbadc.exe .2⤵PID:4540
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\hgdwocxwrhicgazpbadc.exe*."3⤵PID:420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe1⤵PID:2424
-
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe2⤵PID:3924
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .1⤵PID:3220
-
C:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\tohwkulgxjgwwmht.exe .2⤵PID:3208
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\tohwkulgxjgwwmht.exe*."3⤵PID:2232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe1⤵PID:4836
-
C:\Windows\usogxkecwllehaynywy.exeusogxkecwllehaynywy.exe2⤵PID:5716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c usogxkecwllehaynywy.exe .1⤵PID:2924
-
C:\Windows\usogxkecwllehaynywy.exeusogxkecwllehaynywy.exe .2⤵PID:1860
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\usogxkecwllehaynywy.exe*."3⤵PID:948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jgbsiunkdrqikcznxu.exe1⤵PID:6040
-
C:\Windows\jgbsiunkdrqikcznxu.exejgbsiunkdrqikcznxu.exe2⤵PID:1768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c awqgvgyumzxopgcpy.exe .1⤵PID:3708
-
C:\Windows\awqgvgyumzxopgcpy.exeawqgvgyumzxopgcpy.exe .2⤵PID:2436
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\awqgvgyumzxopgcpy.exe*."3⤵PID:5676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe1⤵PID:3168
-
C:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\awqgvgyumzxopgcpy.exe2⤵PID:4868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .1⤵PID:1220
-
C:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\jgbsiunkdrqikcznxu.exe .2⤵PID:1076
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jgbsiunkdrqikcznxu.exe*."3⤵PID:5412
-
-
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads

Filesize 280B
MD5 6a065f12f5318d17cbcd6deb19ddc23c
SHA1 f7b613ea1d90e983e17933f6777f8e6501a6b3a2
SHA256 ad060ec0f3e1142c81dcd4b8b0468140c7e2d8793659a55c68d5ce255a42091a
SHA512 5a97262a0a84e4e8aa674326fd93f48fa340702b8a3c31de23ee4bda6e5ec13186bbc006adca7a6fad3ed1759ab1d271c3f846bdcb8e731e1dc0a5fcba933066

Filesize 280B
MD5 37063fb7e559ad67bcd57878b90bab40
SHA1 ef969d94e2e8931aeabfa7cc32444019d60e773e
SHA256 50e4a8a0dfefa125d22fbb94c4ecf850669cf76ec5117fffc80dafb0fc563658
SHA512 a777568e707bf443dc2231658117e9b36ae7b2d11d1d768fc4fb2e8f9e9c0b54e9099654d1e100c545207aedbac08ac29815dcbaa3841e408e1fe77427e7cd93

Filesize 280B
MD5 99e43e082dbf17d1ac1a49efa9fbbf1e
SHA1 8d2c5ca5be42b670f875c76826f5a98bdd34883f
SHA256 5d6cc2976f1afd966ccdbc3cab5a2862081e6ed982aeea4728e326e9d8c4082e
SHA512 211d085c323f0371bb61c54cc43382e6c4bb8ab73fc990f08fe47f833fd42b8304cee26900b1ca4308af5c50fcddc864c617feff3ec31f11c8cbc978a09e641b

Filesize 280B
MD5 2ab0b00262003dc4a19cc4774ff68618
SHA1 349efa365e8c716599eb1ba40a7650bccedd755d
SHA256 eeba2148afb8a456cd03c71894ce071e27469e9ee5bbbd773f2db5bf4d754f8c
SHA512 27e664dbea77200ba777cf7de51a80dad50156308ddaa3fcee760c12653afae59cf6d61718a8944b07b35be7cd381136a5c52b7cca20501d4fdd47103875149f

Filesize 280B
MD5 1c0a2596648fcbaa109ee9ddf980a0ad
SHA1 059dbdc2ddcd11898dc3d70406cdc55cbcc9b0ee
SHA256 67a5c241a948a5db412099c4f72bdb9d2f69df6bd2cdecae8f56bf842e21b427
SHA512 c72e0f5fc9ae65adffda15b2534bfc0d4ddb35304b012d72d2374bc3d144a25c6f8277d754890479430e77ebd51c23a9814cd48546990e28bb614981752fb491

Filesize 280B
MD5 7f27c938fa5b29231ba289d142dfc968
SHA1 a519fa249b84d3d5c4a228ecb71ccd7ebb106396
SHA256 49e4bab6a97c55ea404229dba890b688a04fed67ac3411840744bb02e6a6cda8
SHA512 cfeff3146d7c989691c2ad90888ae4dcb22f84d73190853c5ae94e68634b1b5fdf1797c1a00ee960b177656ede570ff672d18cbca6ef6a0f273ca1310e5945dc

Filesize 696KB
MD5 5d1aac9cdfd58a9c5dbf0f9b37604c7c
SHA1 1c7f1dd85fe87858031e152ff9bbb7830536dfce
SHA256 8d359c0eb1b03f8b7f35bb44a92758a3a911ae533c27e461bef727ecef972daf
SHA512 3a02581067f15e16b8745e7984b51b91838e8fc97ac7913fdd779e0f5b7b1038b0e4fb47a7c16046d1d13a9d1074c6dcc04e2f1d322acdb37d1b606a71ecfeae

Filesize 320KB
MD5 23bff39547f2d5b201693f9ad0a48638
SHA1 777e0e2133205eadab020eae72aebce000bc431e
SHA256 23d2d49d3baf0fb03c223267d2f9f00e95d3447a66fb12b9cc2ba0d31e4b936d
SHA512 f710bdcaefc281429821c0481a3225e52dda6db488fec627bf774d12c3dfbc992b1c0b428601b464e3a80058e5ae68cccd6795b0ea98b0cc8df9f7f573571bb9

Filesize 280B
MD5 53161fa6d01c965f8c3f32ace579d555
SHA1 881eeb45e6a774166cb99761845ed1c08d30c3b4
SHA256 961ca600bfddfaa7c24e39aa4e369e0ab4e7c8cd0cc3521448d1c3b8d47cac15
SHA512 02b1119efa2e22cd0f3114c6a3aef8af1a6cdf081383af16179cad4d37ad8c838b757f7bb6e77af605833d6b3cb7301eadb1acb8e758b87f3991a2ce6f784bd6

Filesize 4KB
MD5 d06c4687b5c046575f5391ebb20e365d
SHA1 17943bdc4966f7923ad1f980ba84f76967d81a9c
SHA256 60bc580ca18eb1997cde8d3776e6c4cbbc5ffd188fbf3f305374e8e693a28a40
SHA512 6865d5eb2e69f7cb738c4ef76a798f8f7995f74bb94ffc57229dd59f5b18e1f2d6052f4ce7f69ee8fb5615111503d163e53fea2c043731d3320a955d867bdfe0

Filesize 492KB
MD5 bdec6237d2f7f80e1250e09df51e3d02
SHA1 73bbd2918a981f181299342a44b8afc0e0923f7d
SHA256 a7ba2a0628020aa108b91798907146015ab98527a7b59ac8836865c6d9e1e12b
SHA512 e0c1276cabc70b4fe6c936854e10eafba6c5860824d82007c2513d408d1167611b24ae6d5fe992ce12500d6d08ace5b966535ad236bb142af5f677f0ade1af8b