Analysis
max time kernel: 66s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 19/04/2025, 01:29

Static task: static1

Behavioral task: behavioral1
Sample: JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe
Resource: win10v2004-20250314-en

Behavioral task: behavioral2
Sample: JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe
Resource: win11-20250410-en
General
Target: JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe
Size: 860KB
MD5: c0a5c6a1916f592a00e891fd8e5c4b36
SHA1: 6bf1d27345660089c1bbf1e71f58674e684c5d14
SHA256: 32173afb83cbc7c35e4b7c70ca3bdfb64155ce5da72d0fc359c4a0cd2096d7c8
SHA512: 75c8ce5234070a6ee08fb41f316bd71776b3b58f9e43e3f4b544732c197a27b5c9d9172632894090b6af7f3f52fdac8efabe8baf41eb855ac817ad34980dbef6
SSDEEP: 12288:Ng5pBHxXptbN5ZRgOiBjw/C0AWzFjys4H:0H7tbrbIBjwuWR+sE
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 32 IoCs)
Pykspa family

UAC bypass (3 TTPs, 41 IoCs)
Detect Pykspa worm (2 IoCs)
resource / yara_rule
behavioral2/files/0x001100000002ad11-5.dat: family_pykspa
behavioral2/files/0x001900000002b35d-115.dat: family_pykspa

Adds policy Run key to start application (2 TTPs, 64 IoCs)
Disables RegEdit via registry modification (13 IoCs)
Executes dropped EXE (64 IoCs)
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description / ioc / Process
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys ehnsv.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc ehnsv.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power ehnsv.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys ehnsv.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc ehnsv.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager ehnsv.exe

Adds Run key to start application (2 TTPs, 64 IoCs)
vzaljrgxfjk.exe Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\wjzobrgoiainceq = "ixpgvneokeovmqezw.exe" vzaljrgxfjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sdrepdqwoekna = "phcwojdqpmzjdkbzzrje.exe ." ehnsv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\tdqcmzlqhwbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phcwojdqpmzjdkbzzrje.exe" vzaljrgxfjk.exe Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bpgwkbravoxdtwjd = "extohdymmkyjemedexqmh.exe ." vzaljrgxfjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ixpgvneokeovmqezw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phcwojdqpmzjdkbzzrje.exe ." ehnsv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bpgwkbravoxdtwjd = "ctngxrkwuqclekaxwne.exe ." vzaljrgxfjk.exe Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\wjzobrgoiainceq = "rhasibtebwhphmbxvl.exe" ehnsv.exe -
Checks whether UAC is enabled 1 TTPs 64 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ehnsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ehnsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ehnsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ehnsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe -
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" ehnsv.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" ehnsv.exe -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
3 whatismyip.everdot.org
1 whatismyipaddress.com
1 www.showmyipaddress.com
1 whatismyip.everdot.org -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File created F:\autorun.inf ehnsv.exe
File opened for modification C:\autorun.inf ehnsv.exe
File created C:\autorun.inf ehnsv.exe
File opened for modification F:\autorun.inf ehnsv.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\extohdymmkyjemedexqmh.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\phcwojdqpmzjdkbzzrje.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\extohdymmkyjemedexqmh.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\ctngxrkwuqclekaxwne.exe ehnsv.exe File opened for modification C:\Windows\SysWOW64\phcwojdqpmzjdkbzzrje.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\ixpgvneokeovmqezw.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\bpgwkbravoxdtwjd.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\extohdymmkyjemedexqmh.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\ctngxrkwuqclekaxwne.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\bpgwkbravoxdtwjd.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\rhasibtebwhphmbxvl.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\rhasibtebwhphmbxvl.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\bpgwkbravoxdtwjd.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\ctngxrkwuqclekaxwne.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\bpgwkbravoxdtwjd.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\vpmiczvklkzlhqjjlfzwsm.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\phcwojdqpmzjdkbzzrje.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\phcwojdqpmzjdkbzzrje.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\rhasibtebwhphmbxvl.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\extohdymmkyjemedexqmh.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\rhasibtebwhphmbxvl.exe ehnsv.exe File opened for modification C:\Windows\SysWOW64\ixpgvneokeovmqezw.exe vzaljrgxfjk.exe File opened for modification 
C:\Windows\SysWOW64\ctngxrkwuqclekaxwne.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\extohdymmkyjemedexqmh.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\rhasibtebwhphmbxvl.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\bpgwkbravoxdtwjd.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\extohdymmkyjemedexqmh.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\phcwojdqpmzjdkbzzrje.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\rhasibtebwhphmbxvl.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\ctngxrkwuqclekaxwne.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\ctngxrkwuqclekaxwne.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\bpgwkbravoxdtwjd.exe ehnsv.exe File opened for modification C:\Windows\SysWOW64\ixpgvneokeovmqezw.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\rhasibtebwhphmbxvl.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\ixpgvneokeovmqezw.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\phcwojdqpmzjdkbzzrje.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\phcwojdqpmzjdkbzzrje.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\vpmiczvklkzlhqjjlfzwsm.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\bpgwkbravoxdtwjd.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\bpgwkbravoxdtwjd.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\extohdymmkyjemedexqmh.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\phcwojdqpmzjdkbzzrje.exe ehnsv.exe File opened for modification C:\Windows\SysWOW64\vpmiczvklkzlhqjjlfzwsm.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\phcwojdqpmzjdkbzzrje.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\phcwojdqpmzjdkbzzrje.exe 
vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\vpmiczvklkzlhqjjlfzwsm.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\extohdymmkyjemedexqmh.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\ctngxrkwuqclekaxwne.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\ixpgvneokeovmqezw.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\phcwojdqpmzjdkbzzrje.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\ixpgvneokeovmqezw.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\extohdymmkyjemedexqmh.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\extohdymmkyjemedexqmh.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\extohdymmkyjemedexqmh.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\bpgwkbravoxdtwjd.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\ctngxrkwuqclekaxwne.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\rhasibtebwhphmbxvl.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\ctngxrkwuqclekaxwne.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\ixpgvneokeovmqezw.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\bpgwkbravoxdtwjd.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\phcwojdqpmzjdkbzzrje.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\vpmiczvklkzlhqjjlfzwsm.exe ehnsv.exe File opened for modification C:\Windows\SysWOW64\bpgwkbravoxdtwjd.exe vzaljrgxfjk.exe File opened for modification C:\Windows\SysWOW64\ixpgvneokeovmqezw.exe vzaljrgxfjk.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\fdeecddwbexnnaxbhfdeec.dwb ehnsv.exe
File created C:\Program Files (x86)\fdeecddwbexnnaxbhfdeec.dwb ehnsv.exe
File opened for modification C:\Program Files (x86)\wfrclximcquvgembsbkwhqcnrhvzaljrg.gpb ehnsv.exe
File created C:\Program Files (x86)\wfrclximcquvgembsbkwhqcnrhvzaljrg.gpb ehnsv.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\extohdymmkyjemedexqmh.exe vzaljrgxfjk.exe File opened for modification C:\Windows\vpmiczvklkzlhqjjlfzwsm.exe vzaljrgxfjk.exe File opened for modification C:\Windows\rhasibtebwhphmbxvl.exe vzaljrgxfjk.exe File opened for modification C:\Windows\vpmiczvklkzlhqjjlfzwsm.exe vzaljrgxfjk.exe File opened for modification C:\Windows\vpmiczvklkzlhqjjlfzwsm.exe ehnsv.exe File opened for modification C:\Windows\phcwojdqpmzjdkbzzrje.exe vzaljrgxfjk.exe File opened for modification C:\Windows\ixpgvneokeovmqezw.exe vzaljrgxfjk.exe File opened for modification C:\Windows\phcwojdqpmzjdkbzzrje.exe ehnsv.exe File opened for modification C:\Windows\vpmiczvklkzlhqjjlfzwsm.exe vzaljrgxfjk.exe File opened for modification C:\Windows\rhasibtebwhphmbxvl.exe vzaljrgxfjk.exe File opened for modification C:\Windows\ixpgvneokeovmqezw.exe vzaljrgxfjk.exe File created C:\Windows\wfrclximcquvgembsbkwhqcnrhvzaljrg.gpb ehnsv.exe File opened for modification C:\Windows\ctngxrkwuqclekaxwne.exe vzaljrgxfjk.exe File opened for modification C:\Windows\extohdymmkyjemedexqmh.exe vzaljrgxfjk.exe File opened for modification C:\Windows\ixpgvneokeovmqezw.exe vzaljrgxfjk.exe File opened for modification C:\Windows\vpmiczvklkzlhqjjlfzwsm.exe vzaljrgxfjk.exe File opened for modification C:\Windows\vpmiczvklkzlhqjjlfzwsm.exe vzaljrgxfjk.exe File opened for modification C:\Windows\extohdymmkyjemedexqmh.exe vzaljrgxfjk.exe File opened for modification C:\Windows\rhasibtebwhphmbxvl.exe vzaljrgxfjk.exe File opened for modification C:\Windows\rhasibtebwhphmbxvl.exe vzaljrgxfjk.exe File opened for modification C:\Windows\ctngxrkwuqclekaxwne.exe vzaljrgxfjk.exe File opened for modification C:\Windows\ctngxrkwuqclekaxwne.exe ehnsv.exe File opened for modification C:\Windows\bpgwkbravoxdtwjd.exe vzaljrgxfjk.exe File opened for modification C:\Windows\ctngxrkwuqclekaxwne.exe vzaljrgxfjk.exe File opened for modification C:\Windows\extohdymmkyjemedexqmh.exe 
vzaljrgxfjk.exe File opened for modification C:\Windows\rhasibtebwhphmbxvl.exe vzaljrgxfjk.exe File opened for modification C:\Windows\ctngxrkwuqclekaxwne.exe vzaljrgxfjk.exe File opened for modification C:\Windows\ctngxrkwuqclekaxwne.exe vzaljrgxfjk.exe File opened for modification C:\Windows\ctngxrkwuqclekaxwne.exe vzaljrgxfjk.exe File opened for modification C:\Windows\phcwojdqpmzjdkbzzrje.exe vzaljrgxfjk.exe File opened for modification C:\Windows\vpmiczvklkzlhqjjlfzwsm.exe vzaljrgxfjk.exe File opened for modification C:\Windows\vpmiczvklkzlhqjjlfzwsm.exe vzaljrgxfjk.exe File opened for modification C:\Windows\ixpgvneokeovmqezw.exe vzaljrgxfjk.exe File opened for modification C:\Windows\phcwojdqpmzjdkbzzrje.exe vzaljrgxfjk.exe File opened for modification C:\Windows\wfrclximcquvgembsbkwhqcnrhvzaljrg.gpb ehnsv.exe File opened for modification C:\Windows\phcwojdqpmzjdkbzzrje.exe vzaljrgxfjk.exe File opened for modification C:\Windows\ctngxrkwuqclekaxwne.exe vzaljrgxfjk.exe File opened for modification C:\Windows\vpmiczvklkzlhqjjlfzwsm.exe vzaljrgxfjk.exe File opened for modification C:\Windows\ixpgvneokeovmqezw.exe vzaljrgxfjk.exe File opened for modification C:\Windows\vpmiczvklkzlhqjjlfzwsm.exe vzaljrgxfjk.exe File opened for modification C:\Windows\bpgwkbravoxdtwjd.exe vzaljrgxfjk.exe File opened for modification C:\Windows\rhasibtebwhphmbxvl.exe vzaljrgxfjk.exe File opened for modification C:\Windows\phcwojdqpmzjdkbzzrje.exe vzaljrgxfjk.exe File opened for modification C:\Windows\extohdymmkyjemedexqmh.exe vzaljrgxfjk.exe File opened for modification C:\Windows\vpmiczvklkzlhqjjlfzwsm.exe vzaljrgxfjk.exe File opened for modification C:\Windows\ctngxrkwuqclekaxwne.exe vzaljrgxfjk.exe File opened for modification C:\Windows\ctngxrkwuqclekaxwne.exe vzaljrgxfjk.exe File opened for modification C:\Windows\phcwojdqpmzjdkbzzrje.exe vzaljrgxfjk.exe File opened for modification C:\Windows\ctngxrkwuqclekaxwne.exe ehnsv.exe File opened for modification 
C:\Windows\bpgwkbravoxdtwjd.exe vzaljrgxfjk.exe File opened for modification C:\Windows\rhasibtebwhphmbxvl.exe vzaljrgxfjk.exe File opened for modification C:\Windows\phcwojdqpmzjdkbzzrje.exe vzaljrgxfjk.exe File opened for modification C:\Windows\bpgwkbravoxdtwjd.exe vzaljrgxfjk.exe File opened for modification C:\Windows\ctngxrkwuqclekaxwne.exe vzaljrgxfjk.exe File opened for modification C:\Windows\rhasibtebwhphmbxvl.exe vzaljrgxfjk.exe File opened for modification C:\Windows\bpgwkbravoxdtwjd.exe vzaljrgxfjk.exe File opened for modification C:\Windows\phcwojdqpmzjdkbzzrje.exe vzaljrgxfjk.exe File opened for modification C:\Windows\extohdymmkyjemedexqmh.exe vzaljrgxfjk.exe File opened for modification C:\Windows\ctngxrkwuqclekaxwne.exe vzaljrgxfjk.exe File opened for modification C:\Windows\extohdymmkyjemedexqmh.exe vzaljrgxfjk.exe File opened for modification C:\Windows\vpmiczvklkzlhqjjlfzwsm.exe vzaljrgxfjk.exe File opened for modification C:\Windows\ixpgvneokeovmqezw.exe vzaljrgxfjk.exe File opened for modification C:\Windows\vpmiczvklkzlhqjjlfzwsm.exe vzaljrgxfjk.exe File opened for modification C:\Windows\vpmiczvklkzlhqjjlfzwsm.exe vzaljrgxfjk.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ctngxrkwuqclekaxwne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ctngxrkwuqclekaxwne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rhasibtebwhphmbxvl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bpgwkbravoxdtwjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ctngxrkwuqclekaxwne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language phcwojdqpmzjdkbzzrje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language extohdymmkyjemedexqmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language extohdymmkyjemedexqmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language phcwojdqpmzjdkbzzrje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bpgwkbravoxdtwjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ixpgvneokeovmqezw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language extohdymmkyjemedexqmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ctngxrkwuqclekaxwne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bpgwkbravoxdtwjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language phcwojdqpmzjdkbzzrje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bpgwkbravoxdtwjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rhasibtebwhphmbxvl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ctngxrkwuqclekaxwne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bpgwkbravoxdtwjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language extohdymmkyjemedexqmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
bpgwkbravoxdtwjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language phcwojdqpmzjdkbzzrje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ctngxrkwuqclekaxwne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bpgwkbravoxdtwjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language phcwojdqpmzjdkbzzrje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rhasibtebwhphmbxvl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language extohdymmkyjemedexqmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bpgwkbravoxdtwjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ctngxrkwuqclekaxwne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ixpgvneokeovmqezw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language extohdymmkyjemedexqmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ixpgvneokeovmqezw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language phcwojdqpmzjdkbzzrje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language phcwojdqpmzjdkbzzrje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rhasibtebwhphmbxvl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ctngxrkwuqclekaxwne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language phcwojdqpmzjdkbzzrje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bpgwkbravoxdtwjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ctngxrkwuqclekaxwne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language extohdymmkyjemedexqmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language phcwojdqpmzjdkbzzrje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
bpgwkbravoxdtwjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ctngxrkwuqclekaxwne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bpgwkbravoxdtwjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rhasibtebwhphmbxvl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language extohdymmkyjemedexqmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ctngxrkwuqclekaxwne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rhasibtebwhphmbxvl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ixpgvneokeovmqezw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language phcwojdqpmzjdkbzzrje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ixpgvneokeovmqezw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language extohdymmkyjemedexqmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ctngxrkwuqclekaxwne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ctngxrkwuqclekaxwne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rhasibtebwhphmbxvl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ixpgvneokeovmqezw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language phcwojdqpmzjdkbzzrje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language extohdymmkyjemedexqmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rhasibtebwhphmbxvl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language phcwojdqpmzjdkbzzrje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rhasibtebwhphmbxvl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language phcwojdqpmzjdkbzzrje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
extohdymmkyjemedexqmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language extohdymmkyjemedexqmh.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  4640  ehnsv.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | ehnsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | ehnsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ehnsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | ehnsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | ehnsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | ehnsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | ehnsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ehnsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ehnsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ehnsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | ehnsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | ehnsv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | ehnsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ehnsv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vzaljrgxfjk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | vzaljrgxfjk.exe
Processes
(indentation shows the parent/child relationship; the PID of each process is given in parentheses)

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe (PID 1424)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 4188)
      Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe*"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - System policy modification
        C:\Users\Admin\AppData\Local\Temp\ehnsv.exe (PID 4640)
          Command line: "C:\Users\Admin\AppData\Local\Temp\ehnsv.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Impair Defenses: Safe Mode Boot
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - System policy modification
        C:\Users\Admin\AppData\Local\Temp\ehnsv.exe (PID 6104)
          Command line: "C:\Users\Admin\AppData\Local\Temp\ehnsv.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_c0a5c6a1916f592a00e891fd8e5c4b36.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe (PID 3172)
  Command line: C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe
  - Suspicious use of WriteProcessMemory
    C:\Windows\extohdymmkyjemedexqmh.exe (PID 3836)
      Command line: extohdymmkyjemedexqmh.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe (PID 2720)
  Command line: C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe .
  - Suspicious use of WriteProcessMemory
    C:\Windows\extohdymmkyjemedexqmh.exe (PID 2956)
      Command line: extohdymmkyjemedexqmh.exe .
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 3712)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\extohdymmkyjemedexqmh.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 5824)
  Command line: C:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe
  - Suspicious use of WriteProcessMemory
    C:\Windows\ixpgvneokeovmqezw.exe (PID 5160)
      Command line: ixpgvneokeovmqezw.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 2256)
  Command line: C:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe .
  - Suspicious use of WriteProcessMemory
    C:\Windows\phcwojdqpmzjdkbzzrje.exe (PID 5032)
      Command line: phcwojdqpmzjdkbzzrje.exe .
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 2356)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\phcwojdqpmzjdkbzzrje.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 5244)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe (PID 4436)
      Command line: C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe (PID 4148)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe .
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe (PID 5616)
      Command line: C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe .
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 2696)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bpgwkbravoxdtwjd.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 1140)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe (PID 424)
      Command line: C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 3868)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe .
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe (PID 1052)
      Command line: C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe .
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 2964)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ctngxrkwuqclekaxwne.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 3560)
  Command line: C:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe
  - Suspicious use of WriteProcessMemory
    C:\Windows\rhasibtebwhphmbxvl.exe (PID 3748)
      Command line: rhasibtebwhphmbxvl.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe (PID 4876)
  Command line: C:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe
  - Suspicious use of WriteProcessMemory
    C:\Windows\ctngxrkwuqclekaxwne.exe (PID 6064)
      Command line: ctngxrkwuqclekaxwne.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe (PID 5760)
  Command line: C:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe .
  - Suspicious use of WriteProcessMemory
    C:\Windows\rhasibtebwhphmbxvl.exe (PID 4780)
      Command line: rhasibtebwhphmbxvl.exe .
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 1960)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\rhasibtebwhphmbxvl.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 5444)
  Command line: C:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe .
  - Suspicious use of WriteProcessMemory
    C:\Windows\ixpgvneokeovmqezw.exe (PID 5584)
      Command line: ixpgvneokeovmqezw.exe .
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 3824)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ixpgvneokeovmqezw.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 5468)
  Command line: C:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe
  - Suspicious use of WriteProcessMemory
    C:\Windows\rhasibtebwhphmbxvl.exe (PID 3492)
      Command line: rhasibtebwhphmbxvl.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 3036)
  Command line: C:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe
    C:\Windows\bpgwkbravoxdtwjd.exe (PID 6128)
      Command line: bpgwkbravoxdtwjd.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 4664)
  Command line: C:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe .
    C:\Windows\bpgwkbravoxdtwjd.exe (PID 5740)
      Command line: bpgwkbravoxdtwjd.exe .
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 1956)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bpgwkbravoxdtwjd.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 3456)
  Command line: C:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe .
    C:\Windows\phcwojdqpmzjdkbzzrje.exe (PID 1784)
      Command line: phcwojdqpmzjdkbzzrje.exe .
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 2884)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\phcwojdqpmzjdkbzzrje.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe (PID 5856)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe
    C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe (PID 2272)
      Command line: C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 5752)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe
    C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe (PID 2984)
      Command line: C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe (PID 4196)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .
    C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe (PID 124)
      Command line: C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5512)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\extohdymmkyjemedexqmh.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 4144)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .
    C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe (PID 888)
      Command line: C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 3756)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\extohdymmkyjemedexqmh.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 5896)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe
    C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe (PID 4580)
      Command line: C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 5660)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe
    C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe (PID 5948)
      Command line: C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 3892)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .
    C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe (PID 1220)
      Command line: C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 4420)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\rhasibtebwhphmbxvl.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 3192)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .
    C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe (PID 5452)
      Command line: C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5460)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 1552)
  Command line: C:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe
    C:\Windows\ctngxrkwuqclekaxwne.exe (PID 4692)
      Command line: ctngxrkwuqclekaxwne.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 4212)
  Command line: C:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe .
    C:\Windows\ixpgvneokeovmqezw.exe (PID 4936)
      Command line: ixpgvneokeovmqezw.exe .
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 4136)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ixpgvneokeovmqezw.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 3712)
  Command line: C:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe
    C:\Windows\rhasibtebwhphmbxvl.exe (PID 2720)
      Command line: rhasibtebwhphmbxvl.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 5880)
  Command line: C:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe .
    C:\Windows\rhasibtebwhphmbxvl.exe (PID 824)
      Command line: rhasibtebwhphmbxvl.exe .
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 4900)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\rhasibtebwhphmbxvl.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 5784)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe
    C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe (PID 5036)
      Command line: C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 2356)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe .
    C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe (PID 3444)
      Command line: C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe .
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5344)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ixpgvneokeovmqezw.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 1860)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe
    C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe (PID 4972)
      Command line: C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 4376)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe .
    C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe (PID 576)
      Command line: C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe .
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 4072)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bpgwkbravoxdtwjd.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe (PID 2468)
  Command line: C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe
    C:\Windows\extohdymmkyjemedexqmh.exe (PID 5128)
      Command line: extohdymmkyjemedexqmh.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 3140)
  Command line: C:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe .
    C:\Windows\rhasibtebwhphmbxvl.exe (PID 5248)
      Command line: rhasibtebwhphmbxvl.exe .
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 3056)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\rhasibtebwhphmbxvl.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 3984)
  Command line: C:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe
    C:\Windows\phcwojdqpmzjdkbzzrje.exe (PID 4104)
      Command line: phcwojdqpmzjdkbzzrje.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 2276)
  Command line: C:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe
    C:\Windows\ctngxrkwuqclekaxwne.exe (PID 3476)
      Command line: ctngxrkwuqclekaxwne.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 5944)
  Command line: C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe
    C:\Windows\extohdymmkyjemedexqmh.exe (PID 4672)
      Command line: extohdymmkyjemedexqmh.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 2820)
  Command line: C:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe .
    C:\Windows\bpgwkbravoxdtwjd.exe (PID 2628)
      Command line: bpgwkbravoxdtwjd.exe .
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 472)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bpgwkbravoxdtwjd.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 1988)
  Command line: C:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe .
    C:\Windows\phcwojdqpmzjdkbzzrje.exe (PID 5656)
      Command line: phcwojdqpmzjdkbzzrje.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5308)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\phcwojdqpmzjdkbzzrje.exe*."

C:\Windows\system32\cmd.exe (PID 1848)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe
    C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe (PID 1960)
      Command line: C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 4876)
  Command line: C:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe .
    C:\Windows\bpgwkbravoxdtwjd.exe (PID 5848)
      Command line: bpgwkbravoxdtwjd.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 2364)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bpgwkbravoxdtwjd.exe*."

C:\Windows\system32\cmd.exe (PID 6004)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .
    C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe (PID 3492)
      Command line: C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 2268)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe (PID 2068)
  Command line: C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe
    C:\Windows\extohdymmkyjemedexqmh.exe (PID 5992)
      Command line: extohdymmkyjemedexqmh.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (PID 3024)
  Command line: C:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe
    C:\Windows\rhasibtebwhphmbxvl.exe (PID 1956)
      Command line: rhasibtebwhphmbxvl.exe

C:\Windows\system32\cmd.exe (PID 3136)
  Command line: C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe .
    C:\Windows\extohdymmkyjemedexqmh.exe (PID 2612)
      Command line: extohdymmkyjemedexqmh.exe .
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 2988)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\extohdymmkyjemedexqmh.exe*."

C:\Windows\system32\cmd.exe (PID 4912)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe
    C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe (PID 4984)
      Command line: C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe

C:\Windows\system32\cmd.exe (PID 3048)
  Command line: C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe .
    C:\Windows\extohdymmkyjemedexqmh.exe (PID 2924)
      Command line: extohdymmkyjemedexqmh.exe .
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe (PID 5352)
          Command line: "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\extohdymmkyjemedexqmh.exe*."

C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe1⤵PID:6140
-
C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exeC:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe2⤵PID:4580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe1⤵PID:2220
-
C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exeC:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe2⤵PID:6132
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .1⤵PID:4948
-
C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exeC:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5988 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\rhasibtebwhphmbxvl.exe*."3⤵PID:4608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe .1⤵PID:5536
-
C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exeC:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5568 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bpgwkbravoxdtwjd.exe*."3⤵PID:1964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .1⤵PID:2524
-
C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exeC:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .2⤵PID:2788
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\extohdymmkyjemedexqmh.exe*."3⤵PID:2320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe1⤵PID:3120
-
C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exeC:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe2⤵PID:1884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe1⤵PID:2416
-
C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exeC:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe2⤵PID:5720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe .1⤵PID:4516
-
C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exeC:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe .2⤵PID:1552
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bpgwkbravoxdtwjd.exe*."3⤵PID:3848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .1⤵PID:708
-
C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exeC:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .2⤵PID:5792
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*."3⤵PID:5160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe1⤵PID:1372
-
C:\Windows\ctngxrkwuqclekaxwne.exectngxrkwuqclekaxwne.exe2⤵PID:2796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe .1⤵PID:3996
-
C:\Windows\rhasibtebwhphmbxvl.exerhasibtebwhphmbxvl.exe .2⤵PID:2720
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\rhasibtebwhphmbxvl.exe*."3⤵PID:5044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe1⤵PID:2020
-
C:\Windows\ixpgvneokeovmqezw.exeixpgvneokeovmqezw.exe2⤵PID:2128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe .1⤵PID:4996
-
C:\Windows\ctngxrkwuqclekaxwne.exectngxrkwuqclekaxwne.exe .2⤵PID:580
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ctngxrkwuqclekaxwne.exe*."3⤵PID:2696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe1⤵PID:4028
-
C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exeC:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe2⤵PID:5600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .1⤵PID:2420
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5344
-
-
C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exeC:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .2⤵PID:3160
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*."3⤵PID:4252
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe1⤵PID:4004
-
C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exeC:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe2⤵PID:5144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .1⤵PID:5804
-
C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exeC:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .2⤵PID:4836
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe1⤵PID:4392
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3056
-
-
C:\Windows\ixpgvneokeovmqezw.exeixpgvneokeovmqezw.exe2⤵PID:3804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe .1⤵PID:2992
-
C:\Windows\ixpgvneokeovmqezw.exeixpgvneokeovmqezw.exe .2⤵PID:3356
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ixpgvneokeovmqezw.exe*."3⤵PID:2064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe1⤵PID:3176
-
C:\Windows\ixpgvneokeovmqezw.exeixpgvneokeovmqezw.exe2⤵PID:3284
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe .1⤵PID:1164
-
C:\Windows\rhasibtebwhphmbxvl.exerhasibtebwhphmbxvl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:236 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\rhasibtebwhphmbxvl.exe*."3⤵PID:472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe1⤵PID:1556
-
C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exeC:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe2⤵PID:4880
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .1⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exeC:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .2⤵PID:3188
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\rhasibtebwhphmbxvl.exe*."3⤵PID:2820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe1⤵PID:5676
-
C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exeC:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe2⤵PID:3288
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .1⤵PID:408
-
C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exeC:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\extohdymmkyjemedexqmh.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe1⤵PID:4872
-
C:\Windows\bpgwkbravoxdtwjd.exebpgwkbravoxdtwjd.exe2⤵PID:4320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe .1⤵PID:4780
-
C:\Windows\rhasibtebwhphmbxvl.exerhasibtebwhphmbxvl.exe .2⤵PID:3344
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\rhasibtebwhphmbxvl.exe*."3⤵PID:1116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe1⤵PID:5252
-
C:\Windows\ctngxrkwuqclekaxwne.exectngxrkwuqclekaxwne.exe2⤵PID:428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe .1⤵PID:4728
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3756
-
-
C:\Windows\extohdymmkyjemedexqmh.exeextohdymmkyjemedexqmh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4060 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\extohdymmkyjemedexqmh.exe*."3⤵PID:3428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe1⤵PID:4912
-
C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exeC:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe2⤵PID:888
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .1⤵PID:1640
-
C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exeC:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1936 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*."3⤵PID:6140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe1⤵PID:2032
-
C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exeC:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe2⤵PID:4924
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .1⤵PID:5840
-
C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exeC:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4868 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\extohdymmkyjemedexqmh.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
PID:1620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe1⤵PID:3040
-
C:\Windows\ctngxrkwuqclekaxwne.exectngxrkwuqclekaxwne.exe2⤵PID:5240
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe .1⤵PID:1388
-
C:\Windows\bpgwkbravoxdtwjd.exebpgwkbravoxdtwjd.exe .2⤵PID:5536
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bpgwkbravoxdtwjd.exe*."3⤵PID:5672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe1⤵PID:4892
-
C:\Windows\ctngxrkwuqclekaxwne.exectngxrkwuqclekaxwne.exe2⤵PID:5768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe .1⤵PID:2784
-
C:\Windows\ctngxrkwuqclekaxwne.exectngxrkwuqclekaxwne.exe .2⤵PID:4652
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ctngxrkwuqclekaxwne.exe*."3⤵PID:3376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe1⤵PID:2972
-
C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exeC:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe2⤵PID:896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .1⤵PID:5112
-
C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exeC:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .2⤵PID:4396
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*."3⤵PID:5600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe1⤵PID:5732
-
C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exeC:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe2⤵PID:3968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe .1⤵PID:4524
-
C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exeC:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe .2⤵PID:3320
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ixpgvneokeovmqezw.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe1⤵PID:6024
-
C:\Windows\ctngxrkwuqclekaxwne.exectngxrkwuqclekaxwne.exe2⤵PID:3624
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe .1⤵PID:5088
-
C:\Windows\extohdymmkyjemedexqmh.exeextohdymmkyjemedexqmh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4376 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\extohdymmkyjemedexqmh.exe*."3⤵PID:5104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe1⤵PID:5140
-
C:\Windows\phcwojdqpmzjdkbzzrje.exephcwojdqpmzjdkbzzrje.exe2⤵PID:2688
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe .1⤵PID:3740
-
C:\Windows\extohdymmkyjemedexqmh.exeextohdymmkyjemedexqmh.exe .2⤵PID:748
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\extohdymmkyjemedexqmh.exe*."3⤵PID:1144
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe1⤵PID:2740
-
C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exeC:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe2⤵PID:4048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe .1⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exeC:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe .2⤵PID:1168
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ctngxrkwuqclekaxwne.exe*."3⤵PID:3672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe1⤵PID:3560
-
C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exeC:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe2⤵PID:5944
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe .1⤵PID:3480
-
C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exeC:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5152 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ixpgvneokeovmqezw.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:2300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe1⤵PID:1948
-
C:\Windows\ixpgvneokeovmqezw.exeixpgvneokeovmqezw.exe2⤵PID:1164
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe .1⤵PID:4508
-
C:\Windows\ixpgvneokeovmqezw.exeixpgvneokeovmqezw.exe .2⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ixpgvneokeovmqezw.exe*."3⤵PID:3736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe1⤵PID:1656
-
C:\Windows\ixpgvneokeovmqezw.exeixpgvneokeovmqezw.exe2⤵PID:3036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe .1⤵PID:4816
-
C:\Windows\bpgwkbravoxdtwjd.exebpgwkbravoxdtwjd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5192 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bpgwkbravoxdtwjd.exe*."3⤵PID:5324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe1⤵PID:3492
-
C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exeC:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe2⤵PID:1956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .1⤵PID:6028
-
C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exeC:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .2⤵PID:4556
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\extohdymmkyjemedexqmh.exe*."3⤵PID:2076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe1⤵PID:2120
-
C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exeC:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe2⤵PID:232
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe .1⤵PID:2828
-
C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exeC:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe .2⤵PID:1536
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ctngxrkwuqclekaxwne.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
PID:1008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe1⤵PID:2816
-
C:\Windows\ixpgvneokeovmqezw.exeixpgvneokeovmqezw.exe2⤵PID:3428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe .1⤵PID:2684
-
C:\Windows\extohdymmkyjemedexqmh.exeextohdymmkyjemedexqmh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3136 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\extohdymmkyjemedexqmh.exe*."3⤵PID:1640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe1⤵PID:132
-
C:\Windows\extohdymmkyjemedexqmh.exeextohdymmkyjemedexqmh.exe2⤵PID:4924
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe .1⤵PID:2032
-
C:\Windows\extohdymmkyjemedexqmh.exeextohdymmkyjemedexqmh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\extohdymmkyjemedexqmh.exe*."3⤵PID:5752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe1⤵PID:5560
-
C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exeC:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe2⤵PID:2796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe1⤵PID:5644
-
C:\Windows\ctngxrkwuqclekaxwne.exectngxrkwuqclekaxwne.exe2⤵PID:4624
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe .1⤵PID:6100
-
C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exeC:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe .2⤵PID:4144
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bpgwkbravoxdtwjd.exe*."3⤵PID:6092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe1⤵PID:1408
-
C:\Windows\ctngxrkwuqclekaxwne.exectngxrkwuqclekaxwne.exe2⤵PID:1172
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe .1⤵PID:2648
-
C:\Windows\bpgwkbravoxdtwjd.exebpgwkbravoxdtwjd.exe .2⤵PID:5636
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bpgwkbravoxdtwjd.exe*."3⤵PID:1552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe .1⤵PID:5048
-
C:\Windows\bpgwkbravoxdtwjd.exebpgwkbravoxdtwjd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4552 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bpgwkbravoxdtwjd.exe*."3⤵PID:4964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe1⤵PID:1312
-
C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exeC:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe2⤵PID:5064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe1⤵PID:5060
-
C:\Windows\extohdymmkyjemedexqmh.exeextohdymmkyjemedexqmh.exe2⤵PID:1064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe .1⤵PID:5792
-
C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exeC:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5228 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ctngxrkwuqclekaxwne.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe1⤵PID:5604
-
C:\Windows\ixpgvneokeovmqezw.exeixpgvneokeovmqezw.exe2⤵PID:6024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe .1⤵PID:1620
-
C:\Windows\ixpgvneokeovmqezw.exeixpgvneokeovmqezw.exe .2⤵PID:4380
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ixpgvneokeovmqezw.exe*."3⤵PID:720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe .1⤵PID:1672
-
C:\Windows\bpgwkbravoxdtwjd.exebpgwkbravoxdtwjd.exe .2⤵PID:980
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bpgwkbravoxdtwjd.exe*."3⤵PID:2436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe1⤵PID:2020
-
C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exeC:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe2⤵PID:4316
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe1⤵PID:5344
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5104
-
-
C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exeC:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe2⤵PID:3740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .1⤵PID:5620
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3160
-
-
C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exeC:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .2⤵PID:2740
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*."3⤵PID:1812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe .1⤵PID:1412
-
C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exeC:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2464 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ixpgvneokeovmqezw.exe*."3⤵PID:4172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe1⤵PID:3484
-
C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exeC:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe2⤵PID:3644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe1⤵PID:3984
-
C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exeC:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe2⤵PID:2936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe .1⤵PID:900
-
C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exeC:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:472 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ixpgvneokeovmqezw.exe*."3⤵PID:5656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe .1⤵PID:3480
-
C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exeC:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe .2⤵PID:1112
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bpgwkbravoxdtwjd.exe*."3⤵PID:6124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe1⤵PID:848
-
C:\Windows\ixpgvneokeovmqezw.exeixpgvneokeovmqezw.exe2⤵PID:2824
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe .1⤵PID:5368
-
C:\Windows\phcwojdqpmzjdkbzzrje.exephcwojdqpmzjdkbzzrje.exe .2⤵PID:3704
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\phcwojdqpmzjdkbzzrje.exe*."3⤵PID:1948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe1⤵PID:752
-
C:\Windows\ixpgvneokeovmqezw.exeixpgvneokeovmqezw.exe2⤵PID:1628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe .1⤵PID:5760
-
C:\Windows\ctngxrkwuqclekaxwne.exectngxrkwuqclekaxwne.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5324 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ctngxrkwuqclekaxwne.exe*."3⤵PID:4876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe1⤵PID:4840
-
C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exeC:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe2⤵PID:1788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .1⤵PID:4360
-
C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exeC:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .2⤵PID:1248
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\rhasibtebwhphmbxvl.exe*."3⤵PID:5744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe1⤵PID:3344
-
C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exeC:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe2⤵PID:6088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .1⤵PID:1784
-
C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exeC:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .2⤵PID:1104
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID 5428

Process tree, one process per line as: image path | command line | PID. Indentation shows the parent/child depth, and signature hits are listed as bullets under the process that triggered them.

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe | PID 4060
    C:\Windows\bpgwkbravoxdtwjd.exe | bpgwkbravoxdtwjd.exe | PID 1936

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe . | PID 3136
    C:\Windows\ixpgvneokeovmqezw.exe | ixpgvneokeovmqezw.exe . | PID 3348
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ixpgvneokeovmqezw.exe*." | PID 1448

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe | PID 1244
    C:\Windows\bpgwkbravoxdtwjd.exe | bpgwkbravoxdtwjd.exe | PID 5360

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe . | PID 940
    C:\Windows\extohdymmkyjemedexqmh.exe | extohdymmkyjemedexqmh.exe . | PID 2948
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\extohdymmkyjemedexqmh.exe*." | PID 4420

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | PID 8
    C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | PID 4624

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe . | PID 2068
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1964
    C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe | C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe . | PID 5800
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\extohdymmkyjemedexqmh.exe*." | PID 1472

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | PID 4132
    C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | PID 4144

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe . | PID 6092
    C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe . | PID 3540
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ixpgvneokeovmqezw.exe*." | PID 5636
          - Modifies WinLogon for persistence
          - UAC bypass
          - Disables RegEdit via registry modification
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe | PID 3980
    C:\Windows\bpgwkbravoxdtwjd.exe | bpgwkbravoxdtwjd.exe | PID 5204

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe . | PID 5384
    C:\Windows\bpgwkbravoxdtwjd.exe | bpgwkbravoxdtwjd.exe . | PID 5044
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bpgwkbravoxdtwjd.exe*." | PID 944

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe | PID 5028
    C:\Windows\rhasibtebwhphmbxvl.exe | rhasibtebwhphmbxvl.exe | PID 2376

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe . | PID 3624
    C:\Windows\rhasibtebwhphmbxvl.exe | rhasibtebwhphmbxvl.exe . | PID 4368
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\rhasibtebwhphmbxvl.exe*." | PID 5172

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | PID 4564
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 580
    C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | PID 2808

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe . | PID 2420
    C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe . | PID 2360
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ctngxrkwuqclekaxwne.exe*." | PID 1844
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | PID 3336
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5792
    C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | PID 912

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe . | PID 2368
    C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe | C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe . | PID 4988
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\rhasibtebwhphmbxvl.exe*." | PID 2276
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe | PID 576
    C:\Windows\ctngxrkwuqclekaxwne.exe | ctngxrkwuqclekaxwne.exe | PID 5068

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe . | PID 5128
    C:\Windows\phcwojdqpmzjdkbzzrje.exe | phcwojdqpmzjdkbzzrje.exe . | PID 3104
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\phcwojdqpmzjdkbzzrje.exe*." | PID 5584

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe | PID 5152
    C:\Windows\ctngxrkwuqclekaxwne.exe | ctngxrkwuqclekaxwne.exe | PID 3484

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe . | PID 4668
    C:\Windows\phcwojdqpmzjdkbzzrje.exe | phcwojdqpmzjdkbzzrje.exe . | PID 2444
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\phcwojdqpmzjdkbzzrje.exe*." | PID 4216

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | PID 5992
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 748
    C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | PID 1544

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe . | PID 1036
    C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe . | PID 2820
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ctngxrkwuqclekaxwne.exe*." | PID 2744

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe | PID 4508
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5656
    C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe | C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe | PID 5168

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe . | PID 1084
    C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe . | PID 5308
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*." | PID 4796
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe | PID 6128
    C:\Windows\extohdymmkyjemedexqmh.exe | extohdymmkyjemedexqmh.exe | PID 5392

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe . | PID 2952
    C:\Windows\phcwojdqpmzjdkbzzrje.exe | phcwojdqpmzjdkbzzrje.exe . | PID 664
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\phcwojdqpmzjdkbzzrje.exe*." | PID 888

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe | PID 6088
    C:\Windows\ixpgvneokeovmqezw.exe | ixpgvneokeovmqezw.exe | PID 4440

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe . | PID 4080
    C:\Windows\extohdymmkyjemedexqmh.exe | extohdymmkyjemedexqmh.exe . | PID 1784
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\extohdymmkyjemedexqmh.exe*." | PID 3912

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | PID 2044
    C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | PID 4848

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe . | PID 4000
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1640
    C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe . | PID 652
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*." | PID 2168

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe | PID 1448
    C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe | C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe | PID 1244

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe . | PID 5560
    C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe . | PID 5752
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*." | PID 5156
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe | PID 4692
    C:\Windows\extohdymmkyjemedexqmh.exe | extohdymmkyjemedexqmh.exe | PID 5240

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe . | PID 3744
    C:\Windows\extohdymmkyjemedexqmh.exe | extohdymmkyjemedexqmh.exe . | PID 3120
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\extohdymmkyjemedexqmh.exe*." | PID 2012

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe | PID 4912
    C:\Windows\extohdymmkyjemedexqmh.exe | extohdymmkyjemedexqmh.exe | PID 3540

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe . | PID 4228
    C:\Windows\ctngxrkwuqclekaxwne.exe | ctngxrkwuqclekaxwne.exe . | PID 1796
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ctngxrkwuqclekaxwne.exe*." | PID 3980

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | PID 5452
    C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | PID 2008

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe . | PID 5332
    C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe . | PID 944
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ctngxrkwuqclekaxwne.exe*." | PID 2376

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | PID 4064
    C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | PID 4936

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe . | PID 5596
    C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe . | PID 5228
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ixpgvneokeovmqezw.exe*." | PID 1860
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe | PID 2360
    C:\Windows\extohdymmkyjemedexqmh.exe | extohdymmkyjemedexqmh.exe | PID 4584

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe | PID 3804
    C:\Windows\extohdymmkyjemedexqmh.exe | extohdymmkyjemedexqmh.exe | PID 980

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe | PID 5036
    C:\Windows\bpgwkbravoxdtwjd.exe | bpgwkbravoxdtwjd.exe | PID 1128

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe . | PID 5636
    C:\Windows\extohdymmkyjemedexqmh.exe | extohdymmkyjemedexqmh.exe . | PID 5096
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\extohdymmkyjemedexqmh.exe*." | PID 2740

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe . | PID 2124
    C:\Windows\ctngxrkwuqclekaxwne.exe | ctngxrkwuqclekaxwne.exe . | PID 5692
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ctngxrkwuqclekaxwne.exe*." | PID 5088

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe . | PID 1812
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5944
    C:\Windows\bpgwkbravoxdtwjd.exe | bpgwkbravoxdtwjd.exe . | PID 6032
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bpgwkbravoxdtwjd.exe*." | PID 3956

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe | PID 1676
    C:\Windows\extohdymmkyjemedexqmh.exe | extohdymmkyjemedexqmh.exe | PID 3356

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe . | PID 4104
    C:\Windows\ctngxrkwuqclekaxwne.exe | ctngxrkwuqclekaxwne.exe . | PID 4284
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ctngxrkwuqclekaxwne.exe*." | PID 4320

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe | PID 6048
    C:\Windows\phcwojdqpmzjdkbzzrje.exe | phcwojdqpmzjdkbzzrje.exe | PID 3480

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe | PID 1916
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2208
    C:\Windows\ctngxrkwuqclekaxwne.exe | ctngxrkwuqclekaxwne.exe | PID 5212

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | PID 4788
    C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | PID 5848

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe . | PID 3880
    C:\Windows\ctngxrkwuqclekaxwne.exe | ctngxrkwuqclekaxwne.exe . | PID 1800
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ctngxrkwuqclekaxwne.exe*." | PID 2924

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe . | PID 2064
    C:\Windows\bpgwkbravoxdtwjd.exe | bpgwkbravoxdtwjd.exe . | PID 3612
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bpgwkbravoxdtwjd.exe*." | PID 4188

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe . | PID 3036
    C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe | C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe . | PID 5628
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bpgwkbravoxdtwjd.exe*." | PID 6140
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe | PID 408
    C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe | C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe | PID 4580

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | PID 4568
    C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | PID 6128

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe . | PID 1896
    C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe . | PID 1936
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ctngxrkwuqclekaxwne.exe*." | PID 3436

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe . | PID 1628
    C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe . | PID 6132
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*." | PID 4656

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | PID 6088
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2300
    C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | PID 3896

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe . | PID 4080
    C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe | C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe . | PID 3136
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\rhasibtebwhphmbxvl.exe*." | PID 3148

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | PID 2760
    C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | PID 4608

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | PID 4060
    C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | PID 3360

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe . | PID 2452
    C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe | C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe . | PID 5800
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\rhasibtebwhphmbxvl.exe*." | PID 2012

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe . | PID 1448
    C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe | C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe . | PID 5708
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\rhasibtebwhphmbxvl.exe*." | PID 3712

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe | PID 1388
    C:\Windows\extohdymmkyjemedexqmh.exe | extohdymmkyjemedexqmh.exe | PID 4308

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe . | PID 4912
    C:\Windows\rhasibtebwhphmbxvl.exe | rhasibtebwhphmbxvl.exe . | PID 4264
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\rhasibtebwhphmbxvl.exe*." | PID 6120

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe | PID 5880
    C:\Windows\extohdymmkyjemedexqmh.exe | extohdymmkyjemedexqmh.exe | PID 2056

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe . | PID 4652
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3980
    C:\Windows\rhasibtebwhphmbxvl.exe | rhasibtebwhphmbxvl.exe . | PID 1064
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\rhasibtebwhphmbxvl.exe*." | PID 4528

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | PID 5008
    C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | PID 5616

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe . | PID 5084
    C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe | C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe . | PID 4368
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\extohdymmkyjemedexqmh.exe*." | PID 1108

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | PID 5000
    C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | PID 2196

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe . | PID 2688
    C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe . | PID 1844
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*." | PID 4544
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe | PID 3512
    C:\Windows\rhasibtebwhphmbxvl.exe | rhasibtebwhphmbxvl.exe | PID 912

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe . | PID 3740
    C:\Windows\extohdymmkyjemedexqmh.exe | extohdymmkyjemedexqmh.exe . | PID 1224
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\extohdymmkyjemedexqmh.exe*." | PID 2340

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe | PID 2932
    C:\Windows\phcwojdqpmzjdkbzzrje.exe | phcwojdqpmzjdkbzzrje.exe | PID 3672

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe . | PID 5636
    C:\Windows\extohdymmkyjemedexqmh.exe | extohdymmkyjemedexqmh.exe . | PID 1572
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\extohdymmkyjemedexqmh.exe*." | PID 5992

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | PID 3392
    C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | PID 2572

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe . | PID 5152
    C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe . | PID 2328
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ixpgvneokeovmqezw.exe*." | PID 1812

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | PID 5012
    C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | PID 5852

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe . | PID 4732
    C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe . | PID 2820
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*." | PID 4648
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe | PID 1916
    C:\Windows\bpgwkbravoxdtwjd.exe | bpgwkbravoxdtwjd.exe | PID 4568

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe . | PID 4672
    C:\Windows\phcwojdqpmzjdkbzzrje.exe | phcwojdqpmzjdkbzzrje.exe . | PID 1548
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\phcwojdqpmzjdkbzzrje.exe*." | PID 3732

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe | PID 4104
    C:\Windows\ctngxrkwuqclekaxwne.exe | ctngxrkwuqclekaxwne.exe | PID 4580

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe . | PID 3432
    C:\Windows\phcwojdqpmzjdkbzzrje.exe | phcwojdqpmzjdkbzzrje.exe . | PID 664
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\phcwojdqpmzjdkbzzrje.exe*." | PID 3960

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | PID 1584
    C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | PID 4924

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe . | PID 916
    C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe | C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe . | PID 3048
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\rhasibtebwhphmbxvl.exe*." | PID 5252

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | PID 5520
    C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | PID 872

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe . | PID 5904
    C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe | C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe . | PID 3288
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bpgwkbravoxdtwjd.exe*." | PID 440
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe | PID 3500
    C:\Windows\phcwojdqpmzjdkbzzrje.exe | phcwojdqpmzjdkbzzrje.exe | PID 3460

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe . | PID 2788
    C:\Windows\ixpgvneokeovmqezw.exe | ixpgvneokeovmqezw.exe . | PID 3852
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ixpgvneokeovmqezw.exe*." | PID 724

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe | PID 3892
    C:\Windows\ixpgvneokeovmqezw.exe | ixpgvneokeovmqezw.exe | PID 4692

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe . | PID 1964
    C:\Windows\bpgwkbravoxdtwjd.exe | bpgwkbravoxdtwjd.exe . | PID 3456
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bpgwkbravoxdtwjd.exe*." | PID 3712

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | PID 1172
    C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | PID 4196

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe . | PID 5316
    C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe | C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe . | PID 3704
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bpgwkbravoxdtwjd.exe*." | PID 5052

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe | PID 124
    C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe | C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe | PID 2720

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe . | PID 632
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4264
    C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe | C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe . | PID 5776
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bpgwkbravoxdtwjd.exe*." | PID 5784
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe | PID 2512
    C:\Windows\extohdymmkyjemedexqmh.exe | extohdymmkyjemedexqmh.exe | PID 5048

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe . | PID 5060
    C:\Windows\ctngxrkwuqclekaxwne.exe | ctngxrkwuqclekaxwne.exe . | PID 1376
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ctngxrkwuqclekaxwne.exe*." | PID 2032

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe | PID 2152
    C:\Windows\bpgwkbravoxdtwjd.exe | bpgwkbravoxdtwjd.exe | PID 4972

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe . | PID 5024
    C:\Windows\ixpgvneokeovmqezw.exe | ixpgvneokeovmqezw.exe . | PID 5000
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ixpgvneokeovmqezw.exe*." | PID 2872

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | PID 4900
    C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | PID 5572

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe . | PID 720
    C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe | C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe . | PID 3684
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*." | PID 5036

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | PID 3648
    C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe | PID 1672

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe . | PID 2268
    C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe | C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe . | PID 5652
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ixpgvneokeovmqezw.exe*." | PID 2464
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Checks whether UAC is enabled
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe | PID 5100
    C:\Windows\ixpgvneokeovmqezw.exe | ixpgvneokeovmqezw.exe | PID 3580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe .1⤵PID:5728
-
C:\Windows\phcwojdqpmzjdkbzzrje.exephcwojdqpmzjdkbzzrje.exe .2⤵PID:2936
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\phcwojdqpmzjdkbzzrje.exe*."3⤵PID:2276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe1⤵PID:5944
-
C:\Windows\phcwojdqpmzjdkbzzrje.exephcwojdqpmzjdkbzzrje.exe2⤵PID:1988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe .1⤵PID:4376
-
C:\Windows\ctngxrkwuqclekaxwne.exectngxrkwuqclekaxwne.exe .2⤵PID:1164
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ctngxrkwuqclekaxwne.exe*."3⤵PID:5996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe1⤵PID:5212
-
C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exeC:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe2⤵PID:6128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe .1⤵PID:4876
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4568
-
-
C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exeC:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1916 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ctngxrkwuqclekaxwne.exe*."3⤵PID:900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe1⤵PID:3200
-
C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exeC:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe2⤵PID:5304
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .1⤵PID:2756
-
C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exeC:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .2⤵PID:2816
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\rhasibtebwhphmbxvl.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe1⤵PID:3832
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3960
-
-
C:\Windows\bpgwkbravoxdtwjd.exebpgwkbravoxdtwjd.exe2⤵PID:3432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe .1⤵PID:1948
-
C:\Windows\extohdymmkyjemedexqmh.exeextohdymmkyjemedexqmh.exe .2⤵PID:408
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\extohdymmkyjemedexqmh.exe*."3⤵PID:428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe1⤵PID:1936
-
C:\Windows\phcwojdqpmzjdkbzzrje.exephcwojdqpmzjdkbzzrje.exe2⤵PID:5328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe1⤵PID:8
-
C:\Windows\ctngxrkwuqclekaxwne.exectngxrkwuqclekaxwne.exe2⤵PID:3288
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe1⤵PID:648
-
C:\Windows\ixpgvneokeovmqezw.exeixpgvneokeovmqezw.exe2⤵PID:4984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe .1⤵PID:4384
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2948
-
-
C:\Windows\phcwojdqpmzjdkbzzrje.exephcwojdqpmzjdkbzzrje.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4948 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\phcwojdqpmzjdkbzzrje.exe*."3⤵PID:4880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe1⤵PID:5756
-
C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exeC:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe2⤵PID:4288
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe .1⤵PID:3348
-
C:\Windows\extohdymmkyjemedexqmh.exeextohdymmkyjemedexqmh.exe .2⤵PID:2416
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\extohdymmkyjemedexqmh.exe*."3⤵PID:896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe .1⤵PID:5988
-
C:\Windows\extohdymmkyjemedexqmh.exeextohdymmkyjemedexqmh.exe .2⤵PID:652
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\extohdymmkyjemedexqmh.exe*."3⤵PID:5364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .1⤵PID:5724
-
C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exeC:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .2⤵PID:4928
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\extohdymmkyjemedexqmh.exe*."3⤵PID:124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe1⤵PID:5360
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1472
-
-
C:\Windows\extohdymmkyjemedexqmh.exeextohdymmkyjemedexqmh.exe2⤵PID:1388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe1⤵PID:3540
-
C:\Windows\rhasibtebwhphmbxvl.exerhasibtebwhphmbxvl.exe2⤵PID:5396
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe .1⤵PID:1900
-
C:\Windows\phcwojdqpmzjdkbzzrje.exephcwojdqpmzjdkbzzrje.exe .2⤵
- System Location Discovery: System Language Discovery
PID:760 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\phcwojdqpmzjdkbzzrje.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
PID:4584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe1⤵PID:4228
-
C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exeC:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe2⤵PID:3584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe .1⤵PID:440
-
C:\Windows\bpgwkbravoxdtwjd.exebpgwkbravoxdtwjd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5092 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bpgwkbravoxdtwjd.exe*."3⤵PID:6140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe1⤵PID:4108
-
C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exeC:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe2⤵PID:2252
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe1⤵PID:1932
-
C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exeC:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe2⤵PID:1032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe .1⤵PID:5660
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:944
-
-
C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exeC:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4084 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ctngxrkwuqclekaxwne.exe*."3⤵PID:3444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .1⤵PID:4572
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6024
-
-
C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exeC:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .2⤵PID:2872
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*."3⤵PID:2436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .1⤵PID:4564
-
C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exeC:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1680 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\rhasibtebwhphmbxvl.exe*."3⤵PID:5012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe1⤵PID:5824
-
C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exeC:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe2⤵PID:3968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe1⤵PID:5412
-
C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exeC:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe2⤵PID:1676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .1⤵PID:2020
-
C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exeC:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4888 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*."3⤵PID:5108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .1⤵PID:4148
-
C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exeC:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .2⤵PID:2976
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\rhasibtebwhphmbxvl.exe*."3⤵PID:3984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe1⤵PID:5652
-
C:\Windows\ctngxrkwuqclekaxwne.exectngxrkwuqclekaxwne.exe2⤵PID:2824
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe .1⤵PID:5152
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1812
-
-
C:\Windows\rhasibtebwhphmbxvl.exerhasibtebwhphmbxvl.exe .2⤵PID:328
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\rhasibtebwhphmbxvl.exe*."3⤵PID:1988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe1⤵PID:5912
-
C:\Windows\phcwojdqpmzjdkbzzrje.exephcwojdqpmzjdkbzzrje.exe2⤵PID:5744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe .1⤵PID:6048
-
C:\Windows\ctngxrkwuqclekaxwne.exectngxrkwuqclekaxwne.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4872 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ctngxrkwuqclekaxwne.exe*."3⤵PID:3176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe1⤵PID:2804
-
C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exeC:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe2⤵PID:1788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe .1⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exeC:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe .2⤵PID:2388
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ixpgvneokeovmqezw.exe*."3⤵PID:5180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe1⤵PID:2828
-
C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exeC:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe2⤵PID:2464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe .1⤵PID:4000
-
C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exeC:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1484 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bpgwkbravoxdtwjd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe1⤵PID:1784
-
C:\Windows\ctngxrkwuqclekaxwne.exectngxrkwuqclekaxwne.exe2⤵PID:872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe .1⤵PID:3436
-
C:\Windows\rhasibtebwhphmbxvl.exerhasibtebwhphmbxvl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1656 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\rhasibtebwhphmbxvl.exe*."3⤵PID:3880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe1⤵PID:6132
-
C:\Windows\phcwojdqpmzjdkbzzrje.exephcwojdqpmzjdkbzzrje.exe2⤵PID:2684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe .1⤵PID:5424
-
C:\Windows\ctngxrkwuqclekaxwne.exectngxrkwuqclekaxwne.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5904 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ctngxrkwuqclekaxwne.exe*."3⤵PID:5240
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe1⤵PID:3076
-
C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exeC:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe2⤵PID:3500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .1⤵PID:5756
-
C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exeC:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .2⤵PID:2300
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\rhasibtebwhphmbxvl.exe*."3⤵PID:2012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe1⤵PID:2612
-
C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exeC:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe2⤵PID:724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe .1⤵PID:4848
-
C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exeC:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3756 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bpgwkbravoxdtwjd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe1⤵PID:2860
-
C:\Windows\bpgwkbravoxdtwjd.exebpgwkbravoxdtwjd.exe2⤵PID:5536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe .1⤵PID:1776
-
C:\Windows\bpgwkbravoxdtwjd.exebpgwkbravoxdtwjd.exe .2⤵PID:1448
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bpgwkbravoxdtwjd.exe*."3⤵PID:5604
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe1⤵PID:1976
-
C:\Windows\rhasibtebwhphmbxvl.exerhasibtebwhphmbxvl.exe2⤵PID:1684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe .1⤵PID:2904
-
C:\Windows\bpgwkbravoxdtwjd.exebpgwkbravoxdtwjd.exe .2⤵PID:4524
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\bpgwkbravoxdtwjd.exe*."3⤵PID:4964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe1⤵PID:660
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5092
-
-
C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exeC:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe2⤵PID:3508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .1⤵PID:4108
-
C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exeC:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*."3⤵PID:5176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe1⤵PID:3444
-
C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exeC:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe2⤵PID:5248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe .1⤵PID:1552
-
C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exeC:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2992 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bpgwkbravoxdtwjd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe1⤵PID:5784
-
C:\Windows\extohdymmkyjemedexqmh.exeextohdymmkyjemedexqmh.exe2⤵PID:4652
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe .1⤵PID:2356
-
C:\Windows\phcwojdqpmzjdkbzzrje.exephcwojdqpmzjdkbzzrje.exe .2⤵PID:5412
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\phcwojdqpmzjdkbzzrje.exe*."3⤵PID:5772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe1⤵PID:5104
-
C:\Windows\extohdymmkyjemedexqmh.exeextohdymmkyjemedexqmh.exe2⤵PID:3140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe .1⤵PID:424
-
C:\Windows\extohdymmkyjemedexqmh.exeextohdymmkyjemedexqmh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5636 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\extohdymmkyjemedexqmh.exe*."3⤵PID:4620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe1⤵PID:884
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3484
-
-
C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exeC:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe2⤵PID:4808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .1⤵PID:4512
-
C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exeC:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .2⤵PID:2196
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*."3⤵PID:4644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe1⤵PID:684
-
C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exeC:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe2⤵PID:472
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .1⤵PID:2968
-
C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exeC:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .2⤵PID:5232
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\rhasibtebwhphmbxvl.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe1⤵PID:2208
-
C:\Windows\ctngxrkwuqclekaxwne.exectngxrkwuqclekaxwne.exe2⤵PID:3976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe .1⤵PID:1556
-
C:\Windows\rhasibtebwhphmbxvl.exerhasibtebwhphmbxvl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:900 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\rhasibtebwhphmbxvl.exe*."3⤵PID:2464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe1⤵PID:2388
-
C:\Windows\extohdymmkyjemedexqmh.exeextohdymmkyjemedexqmh.exe2⤵PID:1916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe .1⤵PID:4124
-
C:\Windows\phcwojdqpmzjdkbzzrje.exephcwojdqpmzjdkbzzrje.exe .2⤵PID:1640
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\phcwojdqpmzjdkbzzrje.exe*."3⤵PID:5760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe1⤵PID:4376
-
C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exeC:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe2⤵PID:5348
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .1⤵PID:4104
-
C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exeC:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .2⤵PID:872
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\extohdymmkyjemedexqmh.exe*."3⤵PID:2064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe1⤵PID:4992
-
C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exeC:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe2⤵PID:3352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .1⤵PID:3492
-
C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exeC:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .2⤵PID:1288
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4684
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe1⤵PID:1628
-
C:\Windows\bpgwkbravoxdtwjd.exebpgwkbravoxdtwjd.exe2⤵PID:3728
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe .1⤵PID:3144
-
C:\Windows\ctngxrkwuqclekaxwne.exectngxrkwuqclekaxwne.exe .2⤵PID:5668
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ctngxrkwuqclekaxwne.exe*."3⤵PID:2012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe1⤵PID:5948
-
C:\Windows\extohdymmkyjemedexqmh.exeextohdymmkyjemedexqmh.exe2⤵PID:1496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe .1⤵PID:2416
-
C:\Windows\ixpgvneokeovmqezw.exeixpgvneokeovmqezw.exe .2⤵PID:2720
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ixpgvneokeovmqezw.exe*."3⤵PID:3456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe1⤵PID:3756
-
C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exeC:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe2⤵PID:5612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .1⤵PID:1408
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6120
-
-
C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exeC:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .2⤵PID:5428
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\rhasibtebwhphmbxvl.exe*."3⤵PID:2868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe1⤵PID:4796
-
C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exeC:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe2⤵PID:4492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe .1⤵PID:232
-
C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exeC:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe .2⤵PID:332
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ctngxrkwuqclekaxwne.exe*."3⤵PID:1240
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe1⤵PID:1900
-
C:\Windows\rhasibtebwhphmbxvl.exerhasibtebwhphmbxvl.exe2⤵PID:5044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe .1⤵PID:4912
-
C:\Windows\extohdymmkyjemedexqmh.exeextohdymmkyjemedexqmh.exe .2⤵PID:2056
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\extohdymmkyjemedexqmh.exe*."3⤵PID:4084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe1⤵PID:980
-
C:\Windows\extohdymmkyjemedexqmh.exeextohdymmkyjemedexqmh.exe2⤵PID:4108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe .1⤵PID:440
-
C:\Windows\rhasibtebwhphmbxvl.exerhasibtebwhphmbxvl.exe .2⤵PID:1672
-
    PID 3008  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\rhasibtebwhphmbxvl.exe*."
PID 1296  C:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe
  PID 2372  ctngxrkwuqclekaxwne.exe  [image: C:\Windows\ctngxrkwuqclekaxwne.exe]
PID 5172  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe
  PID 6024  C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe
PID 4988  C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe
  PID 5020  extohdymmkyjemedexqmh.exe  [image: C:\Windows\extohdymmkyjemedexqmh.exe]
PID 4172  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .
  PID 1128  C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .
    PID 5620  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\extohdymmkyjemedexqmh.exe*."
PID 3804  C:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe .
  PID 5136  ixpgvneokeovmqezw.exe .  [image: C:\Windows\ixpgvneokeovmqezw.exe]
    PID 1604  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ixpgvneokeovmqezw.exe*."
PID 3392  C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe .
  PID 4416  extohdymmkyjemedexqmh.exe .  [image: C:\Windows\extohdymmkyjemedexqmh.exe]
    PID 1188  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\extohdymmkyjemedexqmh.exe*."
PID 4712  C:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe
  PID 2740  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  [image: C:\Windows\System32\Conhost.exe]
  PID 4424  bpgwkbravoxdtwjd.exe  [image: C:\Windows\bpgwkbravoxdtwjd.exe]
PID 3476  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe
  PID 1452  C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe
PID 4716  C:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe
  PID 2124  rhasibtebwhphmbxvl.exe  [image: C:\Windows\rhasibtebwhphmbxvl.exe]
PID 3628  C:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe .
  PID 1812  ctngxrkwuqclekaxwne.exe .  [image: C:\Windows\ctngxrkwuqclekaxwne.exe]
    PID 5192  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ctngxrkwuqclekaxwne.exe*."
PID 5692  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .
  PID 4936  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  [image: C:\Windows\System32\Conhost.exe]
  PID 5464  C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .
    PID 4000  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\extohdymmkyjemedexqmh.exe*."
PID 4732  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe
  PID 6048  C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe
PID 2260  C:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe .
  PID 3612  phcwojdqpmzjdkbzzrje.exe .  [image: C:\Windows\phcwojdqpmzjdkbzzrje.exe]
    PID 1104  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\phcwojdqpmzjdkbzzrje.exe*."
PID 2468  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe
  PID 1696  C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe
PID 1164  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .
  PID 3708  C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .
    PID 4992  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\rhasibtebwhphmbxvl.exe*."
PID 900  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .
  PID 3044  C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .
    PID 4280  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\rhasibtebwhphmbxvl.exe*."
PID 1640  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe
  PID 3836  C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe
PID 4440  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe
  PID 4948  C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe
PID 2204  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe .
  PID 3728  C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe .
    PID 5828  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ixpgvneokeovmqezw.exe*."
PID 1500  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe .
  PID 3092  C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe .
    PID 1628  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bpgwkbravoxdtwjd.exe*."
PID 4724  C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe
  PID 3048  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  [image: C:\Windows\System32\Conhost.exe]
  PID 2796  extohdymmkyjemedexqmh.exe  [image: C:\Windows\extohdymmkyjemedexqmh.exe]
PID 4484  C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe .
  PID 5800  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  [image: C:\Windows\System32\Conhost.exe]
  PID 3852  extohdymmkyjemedexqmh.exe .  [image: C:\Windows\extohdymmkyjemedexqmh.exe]
    PID 5700  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\extohdymmkyjemedexqmh.exe*."
PID 3172  C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe
  PID 3704  extohdymmkyjemedexqmh.exe  [image: C:\Windows\extohdymmkyjemedexqmh.exe]
PID 5460  C:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe .
  PID 3348  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  [image: C:\Windows\System32\Conhost.exe]
  PID 5408  ctngxrkwuqclekaxwne.exe .  [image: C:\Windows\ctngxrkwuqclekaxwne.exe]
    PID 5940  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ctngxrkwuqclekaxwne.exe*."
PID 5272  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe
  PID 4132  C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe
PID 4196  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .
  PID 5672  C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .
    PID 4704  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\extohdymmkyjemedexqmh.exe*."
PID 3120  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe
  PID 2808  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  [image: C:\Windows\System32\Conhost.exe]
  PID 2452  C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe
PID 2860  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .
  PID 1448  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  [image: C:\Windows\System32\Conhost.exe]
  PID 5888  C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe .
    PID 2228  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\extohdymmkyjemedexqmh.exe*."
PID 1312  C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe
  PID 4396  extohdymmkyjemedexqmh.exe  [image: C:\Windows\extohdymmkyjemedexqmh.exe]
PID 2376  C:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe .
  PID 4964  rhasibtebwhphmbxvl.exe .  [image: C:\Windows\rhasibtebwhphmbxvl.exe]
    PID 4720  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\rhasibtebwhphmbxvl.exe*."
PID 1460  C:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe
  PID 3444  ixpgvneokeovmqezw.exe  [image: C:\Windows\ixpgvneokeovmqezw.exe]
PID 2500  C:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe .
  PID 5068  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  [image: C:\Windows\System32\Conhost.exe]
  PID 4212  ctngxrkwuqclekaxwne.exe .  [image: C:\Windows\ctngxrkwuqclekaxwne.exe]
    PID 1296  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ctngxrkwuqclekaxwne.exe*."
PID 748  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe
  PID 3008  C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe
PID 3128  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .
  PID 1728  C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .
    PID 2436  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*."
PID 3724  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe
  PID 5772  C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe
PID 5108  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe .
  PID 912  C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe .
    PID 4808  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ixpgvneokeovmqezw.exe*."
PID 2020  C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe
  PID 4644  extohdymmkyjemedexqmh.exe  [image: C:\Windows\extohdymmkyjemedexqmh.exe]
PID 4424  C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe .
  PID 4888  extohdymmkyjemedexqmh.exe .  [image: C:\Windows\extohdymmkyjemedexqmh.exe]
    PID 5100  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\extohdymmkyjemedexqmh.exe*."
PID 2964  C:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe
  PID 2976  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  [image: C:\Windows\System32\Conhost.exe]
  PID 3476  ixpgvneokeovmqezw.exe  [image: C:\Windows\ixpgvneokeovmqezw.exe]
PID 4564  C:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe .
  PID 5012  rhasibtebwhphmbxvl.exe .  [image: C:\Windows\rhasibtebwhphmbxvl.exe]
    PID 4664  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\rhasibtebwhphmbxvl.exe*."
PID 5848  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe
  PID 3396  C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe
PID 2968  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe .
  PID 2708  C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe .
    PID 1484  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ctngxrkwuqclekaxwne.exe*."
PID 1048  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe
  PID 5376  C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe
PID 684  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .
  PID 5140  C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe .
    PID 3200  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\rhasibtebwhphmbxvl.exe*."
PID 1248  C:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe
  PID 3868  ctngxrkwuqclekaxwne.exe  [image: C:\Windows\ctngxrkwuqclekaxwne.exe]
PID 1784  C:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe .
  PID 4320  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  [image: C:\Windows\System32\Conhost.exe]
  PID 3288  phcwojdqpmzjdkbzzrje.exe .  [image: C:\Windows\phcwojdqpmzjdkbzzrje.exe]
    PID 244  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\phcwojdqpmzjdkbzzrje.exe*."
PID 4048  C:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe
  PID 3492  rhasibtebwhphmbxvl.exe  [image: C:\Windows\rhasibtebwhphmbxvl.exe]
PID 1956  C:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe .
  PID 2748  ixpgvneokeovmqezw.exe .  [image: C:\Windows\ixpgvneokeovmqezw.exe]
    PID 4724  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ixpgvneokeovmqezw.exe*."
PID 2472  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe
  PID 5844  C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe
PID 4648  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe .
  PID 3360  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  [image: C:\Windows\System32\Conhost.exe]
  PID 3440  C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe .
    PID 1884  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ctngxrkwuqclekaxwne.exe*."
PID 3460  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe
  PID 3144  C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe
PID 2044  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe .
  PID 724  C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe .
    PID 4484  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ctngxrkwuqclekaxwne.exe*."
PID 4868  C:\Windows\system32\cmd.exe /c bpgwkbravoxdtwjd.exe
  PID 4600  bpgwkbravoxdtwjd.exe  [image: C:\Windows\bpgwkbravoxdtwjd.exe]
PID 5708  C:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe .
  PID 3348  rhasibtebwhphmbxvl.exe .  [image: C:\Windows\rhasibtebwhphmbxvl.exe]
    PID 1172  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\rhasibtebwhphmbxvl.exe*."
PID 5396  C:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe
  PID 1040  ctngxrkwuqclekaxwne.exe  [image: C:\Windows\ctngxrkwuqclekaxwne.exe]
PID 5672  C:\Windows\system32\cmd.exe /c ixpgvneokeovmqezw.exe .
  PID 4284  ixpgvneokeovmqezw.exe .  [image: C:\Windows\ixpgvneokeovmqezw.exe]
    PID 5192  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\ixpgvneokeovmqezw.exe*."
PID 416  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe
  PID 1964  C:\Users\Admin\AppData\Local\Temp\extohdymmkyjemedexqmh.exe
PID 4580  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .
  PID 3584  C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .
    PID 660  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*."
PID 2008  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe
  PID 5184  C:\Users\Admin\AppData\Local\Temp\ixpgvneokeovmqezw.exe
PID 5568  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .
  PID 2448  C:\Users\Admin\AppData\Local\Temp\phcwojdqpmzjdkbzzrje.exe .
    PID 4912  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\phcwojdqpmzjdkbzzrje.exe*."
PID 4108  C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe
  PID 2764  extohdymmkyjemedexqmh.exe  [image: C:\Windows\extohdymmkyjemedexqmh.exe]
PID 3008  C:\Windows\system32\cmd.exe /c extohdymmkyjemedexqmh.exe .
  PID 2500  extohdymmkyjemedexqmh.exe .  [image: C:\Windows\extohdymmkyjemedexqmh.exe]
    PID 4592  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\extohdymmkyjemedexqmh.exe*."
PID 5036  C:\Windows\system32\cmd.exe /c phcwojdqpmzjdkbzzrje.exe
  PID 440  phcwojdqpmzjdkbzzrje.exe  [image: C:\Windows\phcwojdqpmzjdkbzzrje.exe]
PID 2188  C:\Windows\system32\cmd.exe /c rhasibtebwhphmbxvl.exe .
  PID 2628  rhasibtebwhphmbxvl.exe .  [image: C:\Windows\rhasibtebwhphmbxvl.exe]
    PID 5784  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\rhasibtebwhphmbxvl.exe*."
PID 5772  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe
  PID 4972  C:\Users\Admin\AppData\Local\Temp\rhasibtebwhphmbxvl.exe
PID 5824  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe .
  PID 5108  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  [image: C:\Windows\System32\Conhost.exe]
  PID 5016  C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe .
    PID 5056  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\ctngxrkwuqclekaxwne.exe*."
PID 4416  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe
  PID 3320  C:\Users\Admin\AppData\Local\Temp\ctngxrkwuqclekaxwne.exe
PID 4712  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe .
  PID 4888  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  [image: C:\Windows\System32\Conhost.exe]
  PID 2268  C:\Users\Admin\AppData\Local\Temp\bpgwkbravoxdtwjd.exe .
    PID 424  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\bpgwkbravoxdtwjd.exe*."
PID 2744  C:\Windows\system32\cmd.exe /c ctngxrkwuqclekaxwne.exe
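The tree above repeats one pattern many times: cmd.exe /c launches a bare name such as ctngxrkwuqclekaxwne.exe that resolves to C:\Windows\<name>.exe (C:\Windows is on the default system PATH, and creating files there needs an elevated token, which is consistent with the Bypass User Account Control mapping below), the same names are also launched from %TEMP%, and vzaljrgxfjk.exe is repeatedly invoked with the quoted path of one of those binaries suffixed with "*." as its only argument. The following is an added triage example, not code from the Triage report or from the sample: it turns a short excerpt of the tree (transcribed above as constructed input, not the full tree) into parent-linked process records and runs three checks derived from those patterns. The constants TEMP, CMD and VZ, the rule names, and the WINDOWS_ROOT_ALLOW allowlist are this example's own assumptions; the allowlist is deliberately partial and must be tuned per environment.

```python
from __future__ import annotations

import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Proc | None = None  # None for a top-level entry


# Process-creation records transcribed from the tree above as
# (depth, PID, image, command line). A constructed excerpt, not the full tree.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
CMD = r"C:\Windows\system32\cmd.exe"
VZ = TEMP + r"\vzaljrgxfjk.exe"
TREE = [
    (1, 1296, CMD, CMD + " /c ctngxrkwuqclekaxwne.exe"),
    (2, 2372, r"C:\Windows\ctngxrkwuqclekaxwne.exe", "ctngxrkwuqclekaxwne.exe"),
    (1, 4172, CMD, CMD + " /c " + TEMP + r"\extohdymmkyjemedexqmh.exe ."),
    (2, 1128, TEMP + r"\extohdymmkyjemedexqmh.exe", TEMP + r"\extohdymmkyjemedexqmh.exe ."),
    (3, 5620, VZ, '"' + VZ + '" "c:\\users\\admin\\appdata\\local\\temp\\extohdymmkyjemedexqmh.exe*."'),
    (1, 4712, CMD, CMD + " /c bpgwkbravoxdtwjd.exe"),
    (2, 2740, r"C:\Windows\System32\Conhost.exe", r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (2, 4424, r"C:\Windows\bpgwkbravoxdtwjd.exe", "bpgwkbravoxdtwjd.exe"),
    (1, 3804, CMD, CMD + " /c ixpgvneokeovmqezw.exe ."),
    (2, 5136, r"C:\Windows\ixpgvneokeovmqezw.exe", "ixpgvneokeovmqezw.exe ."),
    (3, 1604, VZ, '"' + VZ + '" "c:\\windows\\ixpgvneokeovmqezw.exe*."'),
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Binaries that legitimately live directly in C:\Windows. A partial allowlist
# (assumption to tune per environment), not an exhaustive inventory.
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                      "write.exe", "winhlp32.exe", "splwow64.exe", "helppane.exe"}


def split_image(image: str) -> tuple[str, str]:
    """Lower-cased (directory, basename) of an image path."""
    d, n = ntpath.split(image)
    return d.lower(), n.lower()


def link_parents(tree) -> list[Proc]:
    """Attach each entry to the most recent entry one level shallower, which is
    what the depth numbers encode. PIDs are reused across the full tree, so
    parents are linked by position rather than by PID lookup."""
    last_at_depth: dict[int, Proc] = {}
    procs: list[Proc] = []
    for depth, pid, image, cmdline in tree:
        proc = Proc(pid, image, cmdline, last_at_depth.get(depth - 1))
        procs.append(proc)
        last_at_depth[depth] = proc
        for deeper in [d for d in last_at_depth if d > depth]:
            del last_at_depth[deeper]  # a new subtree starts here
    return procs


def is_system_binary(image: str) -> bool:
    return split_image(image)[0].startswith(SYSTEM_DIRS)


def windows_root_executions(procs) -> list[int]:
    """Rule 1: image directly under C:\\Windows and not on the allowlist."""
    return [p.pid for p in procs
            if split_image(p.image)[0] == r"c:\windows"
            and split_image(p.image)[1] not in WINDOWS_ROOT_ALLOW]


def bare_name_launches(procs) -> list[tuple[int, str, str]]:
    """Rule 2: cmd.exe /c <name>.exe with no path, whose child resolved outside
    the system directories. Returns (child PID, bare name, resolved directory)."""
    hits = []
    for p in procs:
        par = p.parent
        if par is None or split_image(par.image)[1] != "cmd.exe":
            continue
        toks = par.cmdline.split()
        if (len(toks) >= 3 and toks[1].lower() == "/c" and "\\" not in toks[2]
                and not is_system_binary(p.image)):
            hits.append((p.pid, toks[2].lower(), split_image(p.image)[0]))
    return hits


STAR_DOT = re.compile(r'"([^"]+\.exe)\*\."', re.IGNORECASE)


def star_dot_invocations(procs) -> list[tuple[int, str]]:
    """Rule 3: the sample-specific argument shape, a quoted .exe path followed
    by '*.' as in the vzaljrgxfjk.exe entries. Returns (PID, target path)."""
    return [(p.pid, m.group(1).lower())
            for p in procs if (m := STAR_DOT.search(p.cmdline))]


def dropped_binaries(procs) -> dict[str, set[str]]:
    """Basename -> directories it executed from, system binaries excluded."""
    where: dict[str, set[str]] = defaultdict(set)
    for p in procs:
        if not is_system_binary(p.image):
            d, n = split_image(p.image)
            where[n].add(d)
    return dict(where)


if __name__ == "__main__":
    procs = link_parents(TREE)
    print("windows_root_exec:", windows_root_executions(procs))
    print("cmd_c_bare_name:", bare_name_launches(procs))
    print("star_dot_argument:", star_dot_invocations(procs))
    print("dropped binaries:", dropped_binaries(procs))
```

Rule 1 and rule 2 are the generic, reusable checks; rule 3 is an indicator tied to this sample and should be treated as such. On the excerpt, rule 1 and rule 2 both fire for the three C:\Windows children (2372, 4424, 5136), conhost.exe is correctly ignored because it lives in System32, and dropped_binaries separates the names that ran from C:\Windows from the ones that ran from the user's Temp directory.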
Network
MITRE ATT&CK Enterprise v16 (counts = matched signatures per technique)
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads
-
Filesize 272B
MD5 95f1567b8c2f39854ef2a85fea7f0312
SHA1 60beec1dc4badf2405275858c9511c58df90ac14
SHA256 5792f7052c6f24e55f2e4bc66626d4ba9f66e984ce78e4a80dd6d6e3f60beb39
SHA512 10336644cf7cb0ee7a877d697e2beb3eeb6ff27fc071c6804afb9a35205027a608adf57dcaa9bbcd167a208a70fbfc04e3b0afda846f070500721d32b8f2ac3a
-
Filesize 272B
MD5 36a8eaad612ea741e2c5ece0d39209d0
SHA1 7535b01f25639f7665f176c19f24338d41955807
SHA256 22bb391fe7d7cc34c37bff89bb8771d33d32543e618a195ade1ef1013d8ae67f
SHA512 9ba3cffce619255ddcdc834060d81c3e0abacf3037aa3c6e7a160793ec50d65124255b72813f0fb9345a97c61edb494bd8984194d5fd8e81c7020ba88e1aae9a
-
Filesize 272B
MD5 1dc5a5716b251634c7fcce324eafbe4f
SHA1 8fe279350e03a374265aabb618d9bd229ad7da42
SHA256 f1eff57c0ecb4f27bb9d80c9518c4695d435e3a58e4d6c5072131533c2d9b2e9
SHA512 b08263d78597fa71f4e4a47c53dca499cfeac25ccb7debab58f57f8eef485665cfdbf0309c60e5e730800467dd2f47572a6c185102ae6fb19003f65327800ab9
-
Filesize 272B
MD5 ccbe3d50385b747c19d473828b8b1b3f
SHA1 0cf107aa77c0d01b7dc76355c98c0c555834cfe1
SHA256 db0082f251d2bbe18922f7cfcd8cfe38e312e14abd9144fc296d27c3f8b205b2
SHA512 04690e680d7216848a7348b737bb782a67438d0911b9265187b5cd347f35f2557a65a277b95c8609feb3702e6b3470edb506b7484fe30b440ce2f45d15b15112
-
Filesize 272B
MD5 c40d7df93369c6ee19152cd6322271ed
SHA1 a98f60c471a7179950c5f7cf8494bdd41eb0a802
SHA256 5fd4412fe7cf895a9d97e456fa14e3769ebbd9f372aeacdcda5662b469b7dc58
SHA512 b1a01a7e212be60469bc1f0815d11f263c431810b7497c38527c07dc94cdbf2f3396df443eb42f92dcde81bfda9861ac524f0605e9a3c26bca83a4c0340e14f5
-
Filesize 272B
MD5 a1726c21271773122d2ced5cf413cc46
SHA1 27be3e8de15ce2d8124bab0f9f8f815e6289379c
SHA256 de01b6047784000628fd13b546e777017e56e77210bb099802a4b95c3ad18be1
SHA512 0d8181036944c4bdecfca00ad4eb8ecb334d0fac3a9bf28e4912888ce86f8749855aaf0d9414b70d4fd26521feaa40f8d4b3a9d1a8e079c4c25a73e3e5155aef
-
Filesize 272B
MD5 6331a3221584e2eeb8dea47a42c24b04
SHA1 360bde151cc4240fe64f8d4bcc1fdd2478ae8b9f
SHA256 d4a966d4e8f99ee0bc5b4bbadb9bc7e2463aeaa78c3a818bf71070d3423ce9fd
SHA512 19352b915ddf1e0e421717c5f71136292ebb05f38c03dde7d5aa43f04112f4d1e899bf23e0a275ab590adb401b8e7dc69767712cd9b28ffb99b135d5d858857e
-
Filesize 704KB
MD5 243375f59d241de2599f96a2d2a981e6
SHA1 63ace0e1d77d2194065fee1a491691d9019d7844
SHA256 f00fad1fb2043952e62a851f08e5da302225810b3e1cde7380c650cd599fca33
SHA512 a5bf934d46d6c26f2c986bf78e8f797bd551b42a980476c4e29bfd5d52d0f345017662df3de27230a94844239641dc0cee610887171ed79e4d1eff03c556f854
-
Filesize 320KB
MD5 eb09c682903ecbd87f30b0366e008d8f
SHA1 59b0dc27c06ce536327490439a37751a3dbd5e38
SHA256 c4b122f7bab30363b472a3dffb8a7c61604c0ec4719ebd233ccbac8be0951be1
SHA512 83236c0955b81375666c10445d2cf5e4723b24e42e4ee5fb951f53945483be2fff5c8ef167f08cfad3accc162c61e750bb1039edbf09e26afe18cba2f994eb5d
-
Filesize 272B
MD5 80c95ee800ee31f3890883753740bec6
SHA1 c0baabb85257555d79fe13008a2c6d2aaf228d34
SHA256 e29a3ec176d01fcbf44126eb1287e0e0c8e8a675f4141d83f7333ad6c393ee84
SHA512 724329076cf1d299e313165cc529168b90fc354babc4c9cbd44b5d48a1265d365e139c0a0bf245eacfb0eeeb75255b7e13de0bec672e59f029e84fd0784938df
-
Filesize 3KB
MD5 4074d34fb991cded5080de3710bc5aba
SHA1 6dd5b930e0170ea1b22bb2dbf36c5fb577064f80
SHA256 cea18ca806f9fe0ca9b0b6cba0e96b652300b67b1e011da5bd0e098a8601c2dc
SHA512 04005ac21812547a67a8f654236819bc15ba563df870cb5c4fd72c4d015c1d7bb14e4b0346e043e0acd3b48e0e7c1d8172e8915f9bde4c53695a396051de3b9b
-
Filesize 860KB
MD5 c0a5c6a1916f592a00e891fd8e5c4b36
SHA1 6bf1d27345660089c1bbf1e71f58674e684c5d14
SHA256 32173afb83cbc7c35e4b7c70ca3bdfb64155ce5da72d0fc359c4a0cd2096d7c8
SHA512 75c8ce5234070a6ee08fb41f316bd71776b3b58f9e43e3f4b544732c197a27b5c9d9172632894090b6af7f3f52fdac8efabe8baf41eb855ac817ad34980dbef6