Analysis
max time kernel: 49s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 19/04/2025, 07:07

Static task: static1

Behavioral task: behavioral1
Sample: JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
Resource: win10v2004-20250313-en

Behavioral task: behavioral2
Sample: JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
Resource: win11-20250410-en

General
Target: JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
Size: 680KB
MD5: c1c90ccb7f44badc91ec2859323fcde2
SHA1: 0bc90e1a338997eb95cae02f0250a8678d8f25e4
SHA256: c9fd2f88ae1d80838434f52f63ecc3009bda52cc0b76238121d6068999f13a43
SHA512: 464ce273e0f3c9f74bff3c864f54d532f89bea43446ca824ca3af93c3802168c41e314166a6084c0e61a43621900394bea820a2b64c8f92ea156f36ce9584e08
SSDEEP: 12288:XIX6gtvm1De5YlOx6lzBH46UVqqVpCyXJ:Xu81yMBbyb3XJ
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 22 IoCs)
Pykspa family

UAC bypass (3 TTPs, 34 IoCs)

Detect Pykspa worm (2 IoCs)
resource                                      yara_rule
behavioral2/files/0x001100000002ad11-4.dat    family_pykspa
behavioral2/files/0x001900000002b14b-104.dat  family_pykspa

Adds policy Run key to start application (2 TTPs, 64 IoCs)

Disables RegEdit via registry modification (25 IoCs)

Executes dropped EXE (64 IoCs)

Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description   ioc                                                                        Process
Key deleted   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager   uanuvdp.exe
Key deleted   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys    uanuvdp.exe
Key deleted   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc       uanuvdp.exe
Key deleted   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power         uanuvdp.exe
Key deleted   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys     uanuvdp.exe
Key deleted   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc       uanuvdp.exe

Adds Run key to start application (2 TTPs, 64 IoCs)
vzaljrgxfjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwpcjxpdozrxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqrmbxxtmfftezhzyzkef.exe" vzaljrgxfjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lwoagtkxhrin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umlerljduljvexdtqpy.exe ." vzaljrgxfjk.exe Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcscgrgrzh = "haauidcxphgtdxevttdw.exe" vzaljrgxfjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lwoagtkxhrin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqrmbxxtmfftezhzyzkef.exe ." vzaljrgxfjk.exe Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jqemoxkt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqnephdvkzvfmdhvq.exe ." vzaljrgxfjk.exe Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\uanuvdp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jayqcvslbrozhzetpn.exe" vzaljrgxfjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jqemoxkt = "jayqcvslbrozhzetpn.exe ." vzaljrgxfjk.exe -
Checks whether UAC is enabled 1 TTPs 44 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA uanuvdp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" uanuvdp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" uanuvdp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA uanuvdp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vzaljrgxfjk.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 4 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" uanuvdp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" uanuvdp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" vzaljrgxfjk.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
1 whatismyip.everdot.org
1 whatismyipaddress.com
1 www.showmyipaddress.com
1 www.whatismyip.ca
Drops file in System32 directory 64 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\umlerljduljvexdtqpy.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\jayqcvslbrozhzetpn.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\aqnephdvkzvfmdhvq.exe uanuvdp.exe
File opened for modification C:\Windows\SysWOW64\nikgwturlfgvhdmffhtoqm.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\tieuevqhvjentjmz.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\umlerljduljvexdtqpy.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\nikgwturlfgvhdmffhtoqm.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\umlerljduljvexdtqpy.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\tieuevqhvjentjmz.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\tieuevqhvjentjmz.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\jayqcvslbrozhzetpn.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\wqrmbxxtmfftezhzyzkef.exe uanuvdp.exe
File opened for modification C:\Windows\SysWOW64\tieuevqhvjentjmz.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\aqnephdvkzvfmdhvq.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\wqrmbxxtmfftezhzyzkef.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\wqrmbxxtmfftezhzyzkef.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\umlerljduljvexdtqpy.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\umlerljduljvexdtqpy.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\jayqcvslbrozhzetpn.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\tieuevqhvjentjmz.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\umlerljduljvexdtqpy.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\nikgwturlfgvhdmffhtoqm.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\haauidcxphgtdxevttdw.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\umlerljduljvexdtqpy.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\haauidcxphgtdxevttdw.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\aqnephdvkzvfmdhvq.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\haauidcxphgtdxevttdw.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\jayqcvslbrozhzetpn.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\tieuevqhvjentjmz.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\haauidcxphgtdxevttdw.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\nikgwturlfgvhdmffhtoqm.exe vzaljrgxfjk.exe
File created C:\Windows\SysWOW64\tieuevqhvjentjmztpvkgwgxsjxlgpvlobvrxm.yiz uanuvdp.exe
File opened for modification C:\Windows\SysWOW64\nikgwturlfgvhdmffhtoqm.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\jayqcvslbrozhzetpn.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\haauidcxphgtdxevttdw.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\umlerljduljvexdtqpy.exe uanuvdp.exe
File opened for modification C:\Windows\SysWOW64\wqrmbxxtmfftezhzyzkef.exe uanuvdp.exe
File opened for modification C:\Windows\SysWOW64\umlerljduljvexdtqpy.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\jayqcvslbrozhzetpn.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\umlerljduljvexdtqpy.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\nikgwturlfgvhdmffhtoqm.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\tieuevqhvjentjmz.exe uanuvdp.exe
File opened for modification C:\Windows\SysWOW64\tieuevqhvjentjmztpvkgwgxsjxlgpvlobvrxm.yiz uanuvdp.exe
File opened for modification C:\Windows\SysWOW64\jayqcvslbrozhzetpn.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\haauidcxphgtdxevttdw.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\aqnephdvkzvfmdhvq.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\jayqcvslbrozhzetpn.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\haauidcxphgtdxevttdw.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\tieuevqhvjentjmz.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\wqrmbxxtmfftezhzyzkef.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\tieuevqhvjentjmz.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\wqrmbxxtmfftezhzyzkef.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\tieuevqhvjentjmz.exe uanuvdp.exe
File opened for modification C:\Windows\SysWOW64\haauidcxphgtdxevttdw.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\nikgwturlfgvhdmffhtoqm.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\umlerljduljvexdtqpy.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\wqrmbxxtmfftezhzyzkef.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\haauidcxphgtdxevttdw.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\haauidcxphgtdxevttdw.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\jayqcvslbrozhzetpn.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\wqrmbxxtmfftezhzyzkef.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\haauidcxphgtdxevttdw.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\SysWOW64\haauidcxphgtdxevttdw.exe uanuvdp.exe
File opened for modification C:\Windows\SysWOW64\tieuevqhvjentjmz.exe vzaljrgxfjk.exe
Drops file in Program Files directory 4 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\walqpvflorbzuzrtcnimxcbhrxa.nlg uanuvdp.exe
File created C:\Program Files (x86)\walqpvflorbzuzrtcnimxcbhrxa.nlg uanuvdp.exe
File opened for modification C:\Program Files (x86)\tieuevqhvjentjmztpvkgwgxsjxlgpvlobvrxm.yiz uanuvdp.exe
File created C:\Program Files (x86)\tieuevqhvjentjmztpvkgwgxsjxlgpvlobvrxm.yiz uanuvdp.exe
Drops file in Windows directory 64 IoCs
description ioc Process
File opened for modification C:\Windows\aqnephdvkzvfmdhvq.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\wqrmbxxtmfftezhzyzkef.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\tieuevqhvjentjmz.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\jayqcvslbrozhzetpn.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\haauidcxphgtdxevttdw.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\jayqcvslbrozhzetpn.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\aqnephdvkzvfmdhvq.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\haauidcxphgtdxevttdw.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\umlerljduljvexdtqpy.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\umlerljduljvexdtqpy.exe uanuvdp.exe
File opened for modification C:\Windows\nikgwturlfgvhdmffhtoqm.exe uanuvdp.exe
File opened for modification C:\Windows\haauidcxphgtdxevttdw.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\nikgwturlfgvhdmffhtoqm.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\umlerljduljvexdtqpy.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\wqrmbxxtmfftezhzyzkef.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\umlerljduljvexdtqpy.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\haauidcxphgtdxevttdw.exe uanuvdp.exe
File opened for modification C:\Windows\aqnephdvkzvfmdhvq.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\jayqcvslbrozhzetpn.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\haauidcxphgtdxevttdw.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\tieuevqhvjentjmz.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\jayqcvslbrozhzetpn.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\umlerljduljvexdtqpy.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\tieuevqhvjentjmz.exe uanuvdp.exe
File opened for modification C:\Windows\umlerljduljvexdtqpy.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\jayqcvslbrozhzetpn.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\nikgwturlfgvhdmffhtoqm.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\wqrmbxxtmfftezhzyzkef.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\tieuevqhvjentjmz.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\umlerljduljvexdtqpy.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\jayqcvslbrozhzetpn.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\haauidcxphgtdxevttdw.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\nikgwturlfgvhdmffhtoqm.exe uanuvdp.exe
File opened for modification C:\Windows\haauidcxphgtdxevttdw.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\haauidcxphgtdxevttdw.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\aqnephdvkzvfmdhvq.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\umlerljduljvexdtqpy.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\haauidcxphgtdxevttdw.exe uanuvdp.exe
File opened for modification C:\Windows\jayqcvslbrozhzetpn.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\aqnephdvkzvfmdhvq.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\umlerljduljvexdtqpy.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\haauidcxphgtdxevttdw.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\jayqcvslbrozhzetpn.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\umlerljduljvexdtqpy.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\haauidcxphgtdxevttdw.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\wqrmbxxtmfftezhzyzkef.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\umlerljduljvexdtqpy.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\haauidcxphgtdxevttdw.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\tieuevqhvjentjmz.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\jayqcvslbrozhzetpn.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\wqrmbxxtmfftezhzyzkef.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\nikgwturlfgvhdmffhtoqm.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\umlerljduljvexdtqpy.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\haauidcxphgtdxevttdw.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\aqnephdvkzvfmdhvq.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\wqrmbxxtmfftezhzyzkef.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\tieuevqhvjentjmz.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\umlerljduljvexdtqpy.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\aqnephdvkzvfmdhvq.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\nikgwturlfgvhdmffhtoqm.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\jayqcvslbrozhzetpn.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\tieuevqhvjentjmztpvkgwgxsjxlgpvlobvrxm.yiz uanuvdp.exe
File opened for modification C:\Windows\wqrmbxxtmfftezhzyzkef.exe vzaljrgxfjk.exe
File opened for modification C:\Windows\nikgwturlfgvhdmffhtoqm.exe vzaljrgxfjk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wqrmbxxtmfftezhzyzkef.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crnphytuldftezhzyzqfb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tieuevqhvjentjmz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tieuevqhvjentjmz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language haauidcxphgtdxevttdw.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wqrmbxxtmfftezhzyzkef.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grjhvizwjxvfmdhvq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aqnephdvkzvfmdhvq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aqnephdvkzvfmdhvq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cbhtv.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wqrmbxxtmfftezhzyzkef.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wqrmbxxtmfftezhzyzkef.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language haauidcxphgtdxevttdw.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aqnephdvkzvfmdhvq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tieuevqhvjentjmz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aqnephdvkzvfmdhvq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wqrmbxxtmfftezhzyzkef.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language haauidcxphgtdxevttdw.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tieuevqhvjentjmz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crnphytuldftezhzyzqfb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pbutiwomapozhzetpn.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language haauidcxphgtdxevttdw.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tieuevqhvjentjmz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tieuevqhvjentjmz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tieuevqhvjentjmz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tieuevqhvjentjmz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jayqcvslbrozhzetpn.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language haauidcxphgtdxevttdw.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language uanuvdp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zjaxkwmiuhentjmz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wqrmbxxtmfftezhzyzkef.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jayqcvslbrozhzetpn.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language haauidcxphgtdxevttdw.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wqrmbxxtmfftezhzyzkef.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jayqcvslbrozhzetpn.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wqrmbxxtmfftezhzyzkef.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language haauidcxphgtdxevttdw.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tieuevqhvjentjmz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tieuevqhvjentjmz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jayqcvslbrozhzetpn.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language umlerljduljvexdtqpy.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language haauidcxphgtdxevttdw.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aqnephdvkzvfmdhvq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbwxoeyyofgtdxevttjx.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbwxoeyyofgtdxevttjx.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wqrmbxxtmfftezhzyzkef.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language haauidcxphgtdxevttdw.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tieuevqhvjentjmz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language haauidcxphgtdxevttdw.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grjhvizwjxvfmdhvq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pbutiwomapozhzetpn.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language uanuvdp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language umlerljduljvexdtqpy.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language haauidcxphgtdxevttdw.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wqrmbxxtmfftezhzyzkef.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language umlerljduljvexdtqpy.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language umlerljduljvexdtqpy.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tieuevqhvjentjmz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language haauidcxphgtdxevttdw.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language haauidcxphgtdxevttdw.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grjhvizwjxvfmdhvq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wqrmbxxtmfftezhzyzkef.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aqnephdvkzvfmdhvq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
2876 uanuvdp.exe
2876 uanuvdp.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
2876 uanuvdp.exe
2876 uanuvdp.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  2876  uanuvdp.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process                                              procid_target  entries
PID 1004 wrote to memory of 5460   1004  JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe  79             3
PID 956 wrote to memory of 3692    956   cmd.exe                                              82             3
PID 4920 wrote to memory of 4964   4920  cmd.exe                                              85             3
PID 4964 wrote to memory of 4292   4964  umlerljduljvexdtqpy.exe                              86             3
PID 3052 wrote to memory of 1212   3052  cmd.exe                                              89             3
PID 1508 wrote to memory of 2212   1508  cmd.exe                                              92             3
PID 2264 wrote to memory of 4484   2264  cmd.exe                                              95             3
PID 2212 wrote to memory of 2476   2212  jayqcvslbrozhzetpn.exe                               96             3
PID 5028 wrote to memory of 1420   5028  cmd.exe                                              99             3
PID 1420 wrote to memory of 5128   1420  wqrmbxxtmfftezhzyzkef.exe                            100            3
PID 2364 wrote to memory of 5456   2364  cmd.exe                                              103            3
PID 416 wrote to memory of 3404    416   cmd.exe                                              106            3
PID 3404 wrote to memory of 4416   3404  aqnephdvkzvfmdhvq.exe                                107            3
PID 5460 wrote to memory of 556    5460  vzaljrgxfjk.exe                                      108            3
PID 5460 wrote to memory of 2876   5460  vzaljrgxfjk.exe                                      109            3
PID 1468 wrote to memory of 5856   1468  cmd.exe                                              112            3
PID 5324 wrote to memory of 5488   5324  cmd.exe                                              115            3
PID 2928 wrote to memory of 1084   2928  cmd.exe                                              118            3
PID 1092 wrote to memory of 2636   1092  cmd.exe                                              121            3
PID 1084 wrote to memory of 652    1084  umlerljduljvexdtqpy.exe                              124            3
PID 2636 wrote to memory of 5760   2636  haauidcxphgtdxevttdw.exe                             224            3
PID 3836 wrote to memory of 2684   3836  cmd.exe                                              128            1
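The WriteProcessMemory rows are logged per write, so each spawn appears three times, and only the writing parent's image is named; the child's image is recoverable only from rows in which that PID itself later writes. The Python below is an added example (editor's code, not from the report or the sample) that de-duplicates the rows, rebuilds the parent-to-child map and prints the lineage of any PID. The embedded rows are copied from the table above; the `known_names` argument is a hypothetical hook for images learned from other tables of the report (here 2876 = uanuvdp.exe, from the AdjustPrivilegeToken row).

```python
import re

# Constructed sample: rows copied verbatim from the report's
# "Suspicious use of WriteProcessMemory" table.  Each row names only the
# writing (parent) process; the trailing number is the report's own process
# index (procid_target), not a Windows PID.  Spawns show up as three
# identical rows, so the parser de-duplicates.
SAMPLE_ROWS = """
PID 1004 wrote to memory of 5460 1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe 79
PID 1004 wrote to memory of 5460 1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe 79
PID 1004 wrote to memory of 5460 1004 JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe 79
PID 956 wrote to memory of 3692 956 cmd.exe 82
PID 4920 wrote to memory of 4964 4920 cmd.exe 85
PID 4964 wrote to memory of 4292 4964 umlerljduljvexdtqpy.exe 86
PID 5460 wrote to memory of 556 5460 vzaljrgxfjk.exe 108
PID 5460 wrote to memory of 2876 5460 vzaljrgxfjk.exe 109
PID 5460 wrote to memory of 2876 5460 vzaljrgxfjk.exe 109
"""

# "PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>"
ROW_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P=parent) (?P<image>\S+) (?P<target>\d+)"
)


def parse_writes(text):
    """Return unique (parent_pid, child_pid, parent_image) tuples in first-seen order."""
    seen, events = set(), []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if not m:
            continue
        ev = (int(m["parent"]), int(m["child"]), m["image"])
        if ev not in seen:
            seen.add(ev)
            events.append(ev)
    return events


def build_tree(events):
    """parent_of: child PID -> parent PID.  name_of: PID -> image, known only for PIDs that wrote."""
    parent_of, name_of = {}, {}
    for parent, child, image in events:
        parent_of[child] = parent
        name_of[parent] = image
    return parent_of, name_of


def children_of(pid, parent_of):
    """Sorted PIDs whose recorded parent is pid."""
    return sorted(child for child, parent in parent_of.items() if parent == pid)


def lineage(pid, parent_of, name_of, known_names=None):
    """Root-to-leaf chain for pid; each hop is 'image (pid)', or 'pid N' when the image is unknown.

    known_names is a hypothetical hook for images taken from other tables of the
    report, e.g. {2876: "uanuvdp.exe"} from the AdjustPrivilegeToken row.
    """
    names = dict(name_of)
    names.update(known_names or {})
    chain, visited = [], set()
    while pid is not None and pid not in visited:   # visited set guards against PID-reuse loops
        visited.add(pid)
        chain.append(f"{names[pid]} ({pid})" if pid in names else f"pid {pid}")
        pid = parent_of.get(pid)
    return chain[::-1]


if __name__ == "__main__":
    events = parse_writes(SAMPLE_ROWS)
    parent_of, name_of = build_tree(events)
    for leaf in (2876, 4292):
        print(" -> ".join(lineage(leaf, parent_of, name_of, {2876: "uanuvdp.exe"})))
```

One caveat before running this over the whole report: the sandbox reuses PIDs within the run (in the tree below, 1420 is first a wqrmbxxtmfftezhzyzkef.exe and later a vzaljrgxfjk.exe, and 5760 is a vzaljrgxfjk.exe and later a conhost.exe), so a full-report parse should key on the procid_target index rather than on the PID.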
System policy modification 1 TTPs 64 IoCs
description      ioc                                                                                                     Process          entries
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                            vzaljrgxfjk.exe  16
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                            uanuvdp.exe      2
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                          vzaljrgxfjk.exe  1
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                          uanuvdp.exe      2
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"            vzaljrgxfjk.exe  16
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"            uanuvdp.exe      2
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"   vzaljrgxfjk.exe  2
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"    vzaljrgxfjk.exe  1
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"    uanuvdp.exe      1
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"        vzaljrgxfjk.exe  1
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"        uanuvdp.exe      1
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"         vzaljrgxfjk.exe  2
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"         uanuvdp.exe      2
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"         vzaljrgxfjk.exe  1
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"         uanuvdp.exe      2
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"     vzaljrgxfjk.exe  2
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"     uanuvdp.exe      1
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"  vzaljrgxfjk.exe  1
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"  uanuvdp.exe      1
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"         vzaljrgxfjk.exe  2
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"         uanuvdp.exe      1
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"         vzaljrgxfjk.exe  2
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"         uanuvdp.exe      2
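The registry writes above are what the sandbox reports as "System policy modification" and "UAC bypass", but not every value in the list is a weakening: several (FilterAdministratorToken, ValidateAdminCodeSignatures) merely restate the Windows default, while EnableLUA=0 and ConsentPromptBehaviorAdmin=0 switch UAC off outright. The Python below is an added example (editor's code, not from the report or the sample) that parses "Set value" rows of the form used in the table, collapses repeats, rewrites the kernel path to the HKLM form, and judges each value against a hardened baseline. The embedded rows are copied from the table; the baseline predicates and notes are the editor's assumptions about what a hardened host should hold, not anything the report states.

```python
import re

# Constructed sample: rows copied from the report's "System policy modification"
# table (one duplicate kept on purpose to show the de-duplication).
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" uanuvdp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" uanuvdp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" vzaljrgxfjk.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" uanuvdp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System vzaljrgxfjk.exe
"""

# 'Set value (<type>) <key path>\<value name> = "<data>" <process>'
SET_RE = re.compile(r'Set value \((\w+)\) (\\REGISTRY\\[^ ]+)\\([^\\ ]+) = "([^"]*)" (\S+)')

# Editor's hardened baseline (an assumption, not from the report) for the values this
# sample writes.  The predicate is True when the observed data is acceptable; the note
# explains the weak setting.  Where the Windows default is itself the weak value, it says so.
BASELINE = {
    "EnableLUA": (lambda v: v == 1,
                  "UAC disabled; takes effect at the next reboot/logon"),
    "ConsentPromptBehaviorAdmin": (lambda v: v in {1, 2, 3, 4, 5},
                  "0 = administrators elevate with no prompt at all"),
    "ConsentPromptBehaviorUser": (lambda v: v in {0, 1, 3},
                  "undefined value (0 = auto-deny is itself a hardened choice)"),
    "PromptOnSecureDesktop": (lambda v: v == 1,
                  "elevation prompts drawn on the normal desktop, where they can be spoofed"),
    "EnableVirtualization": (lambda v: v == 1,
                  "UAC file/registry virtualization off"),
    "EnableSecureUIAPaths": (lambda v: v == 1,
                  "UIAccess programs allowed from non-secure locations"),
    "FilterAdministratorToken": (lambda v: v == 1,
                  "built-in Administrator exempt from UAC (0 is the Windows default)"),
    "ValidateAdminCodeSignatures": (lambda v: v == 1,
                  "no signature check on elevating binaries (0 is the Windows default)"),
    "DisableRegistryTools": (lambda v: v == 0,
                  "regedit.exe blocked, hampering manual cleanup"),
    "NoDriveTypeAutoRun": (lambda v: (v & 0x91) == 0x91,
                  "AutoRun re-enabled for drive types the 0x91 default blocks"),
}


def hive_path(nt_path):
    """Rewrite the kernel object path prefix to the HKLM form used by reg.exe and PowerShell."""
    return re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", nt_path)


def parse_sets(text):
    """Unique (process, key, name, value) tuples; 'Key created' rows carry no data and are skipped."""
    events, seen = [], set()
    for line in text.splitlines():
        m = SET_RE.search(line)
        if not m:
            continue
        kind, path, name, raw, proc = m.groups()
        value = int(raw) if kind == "int" else raw
        ev = (proc, hive_path(path), name, value)
        if ev not in seen:
            seen.add(ev)
            events.append(ev)
    return events


def evaluate(events):
    """One finding per write; 'weakens' is True when an integer value falls below BASELINE."""
    findings = []
    for proc, key, name, value in events:
        accept, note = BASELINE.get(name, (lambda v: True, ""))
        weak = isinstance(value, int) and not accept(value)
        findings.append({"process": proc, "key": key, "name": name,
                         "value": value, "weakens": weak, "note": note if weak else ""})
    return findings


def weakening(findings):
    return [f for f in findings if f["weakens"]]


if __name__ == "__main__":
    for f in weakening(evaluate(parse_sets(SAMPLE_EVENTS))):
        print(f"{f['process']:16} {f['name']}={f['value']}  {f['note']}")
```

On a live host the same values can be read with `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` and `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer` and judged against the same baseline. Note that EnableLUA is only read at logon, so a short sandbox run records the write, not a completed UAC bypass; the "UAC bypass" signature is keyed on the registry write itself.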
Processes

Indentation marks depth in the process tree. Each line gives the PID, the logged command line (where the command line does not contain the full image path, the image path is given first and the command line in parentheses), and in brackets the signatures attached to that process.

PID 1004  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1c90ccb7f44badc91ec2859323fcde2.exe"
          [System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory]
    PID 5460  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c1c90ccb7f44badc91ec2859323fcde2.exe*"
              [Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Adds Run key to start application; Checks whether UAC is enabled; Hijack Execution Flow: Executable Installer File Permissions Weakness; Drops file in System32 directory; Drops file in Windows directory; Suspicious use of WriteProcessMemory; System policy modification]
        PID 556   "C:\Users\Admin\AppData\Local\Temp\uanuvdp.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_c1c90ccb7f44badc91ec2859323fcde2.exe"
                  [Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Adds Run key to start application; Checks whether UAC is enabled; Hijack Execution Flow: Executable Installer File Permissions Weakness; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; System policy modification]
        PID 2876  "C:\Users\Admin\AppData\Local\Temp\uanuvdp.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_c1c90ccb7f44badc91ec2859323fcde2.exe"
                  [Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Impair Defenses: Safe Mode Boot; Adds Run key to start application; Checks whether UAC is enabled; Hijack Execution Flow: Executable Installer File Permissions Weakness; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification]

PID 956   C:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe  [Suspicious use of WriteProcessMemory]
    PID 3692  C:\Windows\jayqcvslbrozhzetpn.exe (cmdline: jayqcvslbrozhzetpn.exe)  [Executes dropped EXE; System Location Discovery: System Language Discovery]

PID 4920  C:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe .  [Suspicious use of WriteProcessMemory]
    PID 4964  C:\Windows\umlerljduljvexdtqpy.exe (cmdline: umlerljduljvexdtqpy.exe .)  [Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory]
        PID 4292  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\umlerljduljvexdtqpy.exe*."  [Executes dropped EXE]

PID 3052  C:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe  [Suspicious use of WriteProcessMemory]
    PID 1212  C:\Windows\aqnephdvkzvfmdhvq.exe (cmdline: aqnephdvkzvfmdhvq.exe)  [Executes dropped EXE]

PID 1508  C:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe .  [Suspicious use of WriteProcessMemory]
    PID 2212  C:\Windows\jayqcvslbrozhzetpn.exe (cmdline: jayqcvslbrozhzetpn.exe .)  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
        PID 2476  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jayqcvslbrozhzetpn.exe*."  [Executes dropped EXE]

PID 2264  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe  [Suspicious use of WriteProcessMemory]
    PID 4484  C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe  [Executes dropped EXE]

PID 5028  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe .  [Suspicious use of WriteProcessMemory]
    PID 1420  C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe .  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
        PID 5128  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wqrmbxxtmfftezhzyzkef.exe*."  [Executes dropped EXE]

PID 2364  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe  [Suspicious use of WriteProcessMemory]
    PID 5456  C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe  [Executes dropped EXE]

PID 416   C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .  [Suspicious use of WriteProcessMemory]
    PID 3404  C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .  [Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory]
        PID 4416  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe*."  [Executes dropped EXE]

PID 1468  C:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe  [Suspicious use of WriteProcessMemory]
    PID 5856  C:\Windows\haauidcxphgtdxevttdw.exe (cmdline: haauidcxphgtdxevttdw.exe)  [Executes dropped EXE; System Location Discovery: System Language Discovery]

PID 5324  C:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe  [Suspicious use of WriteProcessMemory]
    PID 5488  C:\Windows\haauidcxphgtdxevttdw.exe (cmdline: haauidcxphgtdxevttdw.exe)  [Executes dropped EXE]

PID 2928  C:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe .  [Suspicious use of WriteProcessMemory]
    PID 1084  C:\Windows\umlerljduljvexdtqpy.exe (cmdline: umlerljduljvexdtqpy.exe .)  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
        PID 652   "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\umlerljduljvexdtqpy.exe*."  [Executes dropped EXE]

PID 1092  C:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe .  [Suspicious use of WriteProcessMemory]
    PID 2636  C:\Windows\haauidcxphgtdxevttdw.exe (cmdline: haauidcxphgtdxevttdw.exe .)  [Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory]
        PID 5760  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\haauidcxphgtdxevttdw.exe*."  [Executes dropped EXE]

PID 3836  C:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe  [Suspicious use of WriteProcessMemory]
    PID 2684  C:\Windows\tieuevqhvjentjmz.exe (cmdline: tieuevqhvjentjmz.exe)  [Executes dropped EXE]

PID 4876  C:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe
    PID 728   C:\Windows\jayqcvslbrozhzetpn.exe (cmdline: jayqcvslbrozhzetpn.exe)  [Executes dropped EXE]

PID 3504  C:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe .
    PID 5964  C:\Windows\tieuevqhvjentjmz.exe (cmdline: tieuevqhvjentjmz.exe .)  [Executes dropped EXE]
        PID 5320  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tieuevqhvjentjmz.exe*."
                  [Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification]

PID 408   C:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe .
    PID 5296  C:\Windows\tieuevqhvjentjmz.exe (cmdline: tieuevqhvjentjmz.exe .)  [Executes dropped EXE; System Location Discovery: System Language Discovery]
        PID 2460  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tieuevqhvjentjmz.exe*."  [Executes dropped EXE]

PID 2224  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe
    PID 5400  C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe  [Executes dropped EXE]

PID 4168  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe
    PID 4648  C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe  [Executes dropped EXE]

PID 1000  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe .
    PID 3216  C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe .  [Executes dropped EXE; System Location Discovery: System Language Discovery]
        PID 1576  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\umlerljduljvexdtqpy.exe*."  [Executes dropped EXE]

PID 5788  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe .
    PID 4796  C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe .  [Executes dropped EXE]
        PID 436   "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wqrmbxxtmfftezhzyzkef.exe*."  [Executes dropped EXE]

PID 6028  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe
    PID 4688  C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe  [Executes dropped EXE]

PID 6100  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .
    PID 1152  C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .  [Executes dropped EXE]
        PID 5272  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\haauidcxphgtdxevttdw.exe*."  [Executes dropped EXE]

PID 6084  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe
    PID 5656  C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe  [Executes dropped EXE]

PID 1928  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .
    PID 2068  C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .  [Executes dropped EXE; System Location Discovery: System Language Discovery]
        PID 4976  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe*."  [Executes dropped EXE]

PID 4504  C:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe
    PID 4936  C:\Windows\umlerljduljvexdtqpy.exe (cmdline: umlerljduljvexdtqpy.exe)  [Executes dropped EXE]

PID 5584  C:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe .
    PID 1132  C:\Windows\tieuevqhvjentjmz.exe (cmdline: tieuevqhvjentjmz.exe .)  [Executes dropped EXE; System Location Discovery: System Language Discovery]
        PID 3672  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tieuevqhvjentjmz.exe*."  [Executes dropped EXE]

PID 5776  C:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe
    PID 2380  C:\Windows\umlerljduljvexdtqpy.exe (cmdline: umlerljduljvexdtqpy.exe)  [Executes dropped EXE]

PID 5140  C:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe .
    PID 432   C:\Windows\haauidcxphgtdxevttdw.exe (cmdline: haauidcxphgtdxevttdw.exe .)  [Executes dropped EXE; System Location Discovery: System Language Discovery]
        PID 3208  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\haauidcxphgtdxevttdw.exe*."  [Executes dropped EXE]

PID 5080  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe
    PID 5548  C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe  [Executes dropped EXE]

PID 1608  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .
    PID 3244  C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .  [Executes dropped EXE; System Location Discovery: System Language Discovery]
        PID 1420  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\haauidcxphgtdxevttdw.exe*."  [Executes dropped EXE]

PID 5064  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe
    PID 5028  C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe  [Executes dropped EXE]

PID 1192  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .
    PID 4356  C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .  [Executes dropped EXE; System Location Discovery: System Language Discovery]
        PID 2832  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tieuevqhvjentjmz.exe*."
                  [Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification]

PID 3936  C:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe
    PID 4416  C:\Windows\tieuevqhvjentjmz.exe (cmdline: tieuevqhvjentjmz.exe)  [Executes dropped EXE]

PID 3260  C:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe .
    PID 2464  C:\Windows\tieuevqhvjentjmz.exe (cmdline: tieuevqhvjentjmz.exe .)  [Executes dropped EXE]
        PID 5440  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tieuevqhvjentjmz.exe*."  [Executes dropped EXE]

PID 1804  C:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe
    PID 3176  C:\Windows\haauidcxphgtdxevttdw.exe (cmdline: haauidcxphgtdxevttdw.exe)  [Executes dropped EXE]

PID 4056  C:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe .
    PID 5956  C:\Windows\tieuevqhvjentjmz.exe (cmdline: tieuevqhvjentjmz.exe .)  [Executes dropped EXE]
        PID 1340  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tieuevqhvjentjmz.exe*."  [Executes dropped EXE]

PID 3160  C:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe
    PID 5848  C:\Windows\aqnephdvkzvfmdhvq.exe (cmdline: aqnephdvkzvfmdhvq.exe)  [Executes dropped EXE]

PID 4864  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe
    PID 1812  C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe  [Executes dropped EXE]

PID 5984  C:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe
    PID 4352  C:\Windows\tieuevqhvjentjmz.exe (cmdline: tieuevqhvjentjmz.exe)  [Executes dropped EXE]

PID 2728  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .
    PID 5168  C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .  [Executes dropped EXE]
        PID 788   "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tieuevqhvjentjmz.exe*."  [Executes dropped EXE]

PID 5596  C:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe .
    PID 4792  C:\Windows\jayqcvslbrozhzetpn.exe (cmdline: jayqcvslbrozhzetpn.exe .)  [Executes dropped EXE]
        PID 1412  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jayqcvslbrozhzetpn.exe*."

PID 4768  C:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe .
    PID 5760  C:\Windows\System32\Conhost.exe (cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)
    PID 1076  C:\Windows\umlerljduljvexdtqpy.exe (cmdline: umlerljduljvexdtqpy.exe .)  [Executes dropped EXE]
        PID 4648  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\umlerljduljvexdtqpy.exe*."

PID 904   C:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe
    PID 1228  C:\Windows\aqnephdvkzvfmdhvq.exe (cmdline: aqnephdvkzvfmdhvq.exe)

PID 2616  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe
    PID 2432  C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe

PID 5400  C:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe .
    PID 772   C:\Windows\umlerljduljvexdtqpy.exe (cmdline: umlerljduljvexdtqpy.exe .)
        PID 4728  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\umlerljduljvexdtqpy.exe*."
                  [Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification]

PID 1072  C:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe
    PID 5652  C:\Windows\aqnephdvkzvfmdhvq.exe (cmdline: aqnephdvkzvfmdhvq.exe)

PID 2056  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe .
    PID 4848  C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe .
        PID 3588  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jayqcvslbrozhzetpn.exe*."

PID 1548  C:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe .
    PID 5624  C:\Windows\tieuevqhvjentjmz.exe (cmdline: tieuevqhvjentjmz.exe .)
        PID 5788  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tieuevqhvjentjmz.exe*."

PID 1320  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe
    PID 3756  C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe

PID 2764  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe .
    PID 380   C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe .
        PID 3236  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\umlerljduljvexdtqpy.exe*."

PID 2576  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe
    PID 3480  C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe

PID 1952  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .
    PID 668   C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .  [System Location Discovery: System Language Discovery]
        PID 5528  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tieuevqhvjentjmz.exe*."

PID 4516  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe
    PID 6028  C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe

PID 4844  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .
    PID 4628  C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .
        PID 5108  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tieuevqhvjentjmz.exe*."

PID 5724  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe
    PID 3032  C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe

PID 1048  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .
    PID 1152  C:\Windows\System32\Conhost.exe (cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)
-
-
C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exeC:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .2⤵PID:1680
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\haauidcxphgtdxevttdw.exe*."3⤵PID:2976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe1⤵PID:5068
-
C:\Windows\jayqcvslbrozhzetpn.exejayqcvslbrozhzetpn.exe2⤵PID:5584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe .1⤵PID:5684
-
C:\Windows\tieuevqhvjentjmz.exetieuevqhvjentjmz.exe .2⤵PID:5268
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tieuevqhvjentjmz.exe*."3⤵PID:4484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe1⤵PID:5548
-
C:\Windows\jayqcvslbrozhzetpn.exejayqcvslbrozhzetpn.exe2⤵PID:6004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe .1⤵PID:2408
-
C:\Windows\wqrmbxxtmfftezhzyzkef.exewqrmbxxtmfftezhzyzkef.exe .2⤵PID:4112
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wqrmbxxtmfftezhzyzkef.exe*."3⤵PID:4224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe1⤵PID:1664
-
C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe2⤵PID:1608
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe .1⤵PID:3892
-
C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exeC:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5064 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wqrmbxxtmfftezhzyzkef.exe*."3⤵PID:4424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe1⤵PID:5604
-
C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe2⤵PID:4704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .1⤵PID:5568
-
C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exeC:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4064 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tieuevqhvjentjmz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe1⤵PID:2492
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2464
-
-
C:\Windows\aqnephdvkzvfmdhvq.exeaqnephdvkzvfmdhvq.exe2⤵PID:1960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe .1⤵PID:5452
-
C:\Windows\haauidcxphgtdxevttdw.exehaauidcxphgtdxevttdw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4412 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\haauidcxphgtdxevttdw.exe*."3⤵PID:5612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe1⤵PID:4828
-
C:\Windows\haauidcxphgtdxevttdw.exehaauidcxphgtdxevttdw.exe2⤵PID:5492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe .1⤵PID:5956
-
C:\Windows\tieuevqhvjentjmz.exetieuevqhvjentjmz.exe .2⤵PID:4080
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tieuevqhvjentjmz.exe*."3⤵PID:4048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe1⤵PID:2120
-
C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe2⤵PID:5420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe .1⤵PID:2772
-
C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exeC:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe .2⤵PID:2684
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wqrmbxxtmfftezhzyzkef.exe*."3⤵PID:2636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe1⤵PID:3836
-
C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exeC:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe2⤵PID:3996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe .1⤵PID:760
-
C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe .2⤵PID:1868
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jayqcvslbrozhzetpn.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
PID:680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe1⤵PID:4420
-
C:\Windows\jayqcvslbrozhzetpn.exejayqcvslbrozhzetpn.exe2⤵PID:2376
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe .1⤵PID:5340
-
C:\Windows\haauidcxphgtdxevttdw.exehaauidcxphgtdxevttdw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4876 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\haauidcxphgtdxevttdw.exe*."3⤵PID:2412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe1⤵PID:3252
-
C:\Windows\wqrmbxxtmfftezhzyzkef.exewqrmbxxtmfftezhzyzkef.exe2⤵PID:2224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe .1⤵PID:3756
-
C:\Windows\wqrmbxxtmfftezhzyzkef.exewqrmbxxtmfftezhzyzkef.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1164 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wqrmbxxtmfftezhzyzkef.exe*."3⤵PID:3980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe1⤵PID:3216
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:436
-
-
C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe2⤵PID:5224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe .1⤵PID:1320
-
C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3016 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\umlerljduljvexdtqpy.exe*."3⤵PID:3624
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe1⤵PID:876
-
C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe2⤵PID:4896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .1⤵PID:3616
-
C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4928 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe1⤵PID:1116
-
C:\Windows\jayqcvslbrozhzetpn.exejayqcvslbrozhzetpn.exe2⤵PID:2568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe .1⤵PID:1476
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3236
-
-
C:\Windows\jayqcvslbrozhzetpn.exejayqcvslbrozhzetpn.exe .2⤵PID:2180
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jayqcvslbrozhzetpn.exe*."3⤵PID:2352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe1⤵PID:3172
-
C:\Windows\wqrmbxxtmfftezhzyzkef.exewqrmbxxtmfftezhzyzkef.exe2⤵PID:2764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe .1⤵PID:4732
-
C:\Windows\umlerljduljvexdtqpy.exeumlerljduljvexdtqpy.exe .2⤵PID:4628
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\umlerljduljvexdtqpy.exe*."3⤵PID:5928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe1⤵PID:2172
-
C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe2⤵PID:2912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .1⤵PID:5584
-
C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exeC:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2136 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\haauidcxphgtdxevttdw.exe*."3⤵PID:1640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe1⤵PID:4268
-
C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe2⤵PID:4496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .1⤵PID:5268
-
C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exeC:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .2⤵PID:5684
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\haauidcxphgtdxevttdw.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe1⤵PID:1036
-
C:\Windows\aqnephdvkzvfmdhvq.exeaqnephdvkzvfmdhvq.exe2⤵PID:4948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe .1⤵PID:4980
-
C:\Windows\jayqcvslbrozhzetpn.exejayqcvslbrozhzetpn.exe .2⤵PID:1420
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jayqcvslbrozhzetpn.exe*."3⤵PID:5916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe1⤵PID:5064
-
C:\Windows\tieuevqhvjentjmz.exetieuevqhvjentjmz.exe2⤵PID:6020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe .1⤵PID:3212
-
C:\Windows\aqnephdvkzvfmdhvq.exeaqnephdvkzvfmdhvq.exe .2⤵PID:5256
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\aqnephdvkzvfmdhvq.exe*."3⤵PID:960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe1⤵PID:4128
-
C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exeC:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe2⤵PID:5524
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe .1⤵PID:3900
-
C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exeC:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe .2⤵PID:4960
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wqrmbxxtmfftezhzyzkef.exe*."3⤵PID:5940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe1⤵PID:416
-
C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exeC:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe2⤵PID:4408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .1⤵PID:5856
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4412
-
-
C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exeC:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3472 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\haauidcxphgtdxevttdw.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe1⤵PID:2480
-
C:\Windows\wqrmbxxtmfftezhzyzkef.exewqrmbxxtmfftezhzyzkef.exe2⤵PID:5308
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe .1⤵PID:3808
-
C:\Windows\haauidcxphgtdxevttdw.exehaauidcxphgtdxevttdw.exe .2⤵PID:3164
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\haauidcxphgtdxevttdw.exe*."3⤵PID:3992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe1⤵PID:5812
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5168
-
-
C:\Windows\umlerljduljvexdtqpy.exeumlerljduljvexdtqpy.exe2⤵PID:2968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe .1⤵PID:5984
-
C:\Windows\jayqcvslbrozhzetpn.exejayqcvslbrozhzetpn.exe .2⤵PID:4720
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jayqcvslbrozhzetpn.exe*."3⤵PID:5600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe1⤵PID:2732
-
C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exeC:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe2⤵PID:3140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .1⤵PID:2660
-
C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .2⤵PID:1076
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe*."3⤵PID:2532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe1⤵PID:4272
-
C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe2⤵PID:1424
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .1⤵PID:5716
-
C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exeC:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .2⤵PID:1072
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\haauidcxphgtdxevttdw.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe1⤵PID:3480
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3588
-
-
C:\Windows\haauidcxphgtdxevttdw.exehaauidcxphgtdxevttdw.exe2⤵PID:1164
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe .1⤵PID:952
-
C:\Windows\jayqcvslbrozhzetpn.exejayqcvslbrozhzetpn.exe .2⤵PID:4088
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jayqcvslbrozhzetpn.exe*."3⤵PID:3636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe1⤵PID:4836
-
C:\Windows\haauidcxphgtdxevttdw.exehaauidcxphgtdxevttdw.exe2⤵PID:3452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe1⤵PID:5624
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5788
-
-
C:\Windows\umlerljduljvexdtqpy.exeumlerljduljvexdtqpy.exe2⤵PID:4476
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe1⤵PID:1324
-
C:\Windows\aqnephdvkzvfmdhvq.exeaqnephdvkzvfmdhvq.exe2⤵PID:5840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe .1⤵PID:5764
-
C:\Windows\wqrmbxxtmfftezhzyzkef.exewqrmbxxtmfftezhzyzkef.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5960 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wqrmbxxtmfftezhzyzkef.exe*."3⤵PID:1476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe .1⤵PID:5704
-
C:\Windows\umlerljduljvexdtqpy.exeumlerljduljvexdtqpy.exe .2⤵PID:668
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\umlerljduljvexdtqpy.exe*."3⤵PID:1160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe1⤵PID:1108
-
C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe2⤵PID:6084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .1⤵PID:3736
-
C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exeC:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tieuevqhvjentjmz.exe*."3⤵PID:896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe .1⤵PID:1284
-
C:\Windows\umlerljduljvexdtqpy.exeumlerljduljvexdtqpy.exe .2⤵PID:5404
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\umlerljduljvexdtqpy.exe*."3⤵PID:5688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe1⤵PID:748
-
C:\Windows\haauidcxphgtdxevttdw.exehaauidcxphgtdxevttdw.exe2⤵PID:1624
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe .1⤵PID:4520
-
C:\Windows\umlerljduljvexdtqpy.exeumlerljduljvexdtqpy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4504 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\umlerljduljvexdtqpy.exe*."3⤵PID:744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe1⤵PID:2172
-
C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exeC:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe2⤵PID:432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe1⤵PID:2500
-
C:\Windows\umlerljduljvexdtqpy.exeumlerljduljvexdtqpy.exe2⤵PID:1664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe .1⤵PID:4880
-
C:\Windows\wqrmbxxtmfftezhzyzkef.exewqrmbxxtmfftezhzyzkef.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wqrmbxxtmfftezhzyzkef.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe .1⤵PID:4300
-
C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exeC:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5080 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wqrmbxxtmfftezhzyzkef.exe*."3⤵PID:5064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe1⤵PID:4492
-
C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exeC:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe2⤵PID:1080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe1⤵PID:2440
-
C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exeC:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe2⤵PID:4012
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .1⤵PID:1608
-
C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exeC:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3768 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tieuevqhvjentjmz.exe*."3⤵PID:2464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .1⤵PID:6072
-
C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exeC:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4700 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tieuevqhvjentjmz.exe*."3⤵PID:5612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe1⤵PID:4900
-
C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe2⤵PID:4828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .1⤵PID:4916
-
C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exeC:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .2⤵PID:2492
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\haauidcxphgtdxevttdw.exe*."3⤵PID:4176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe1⤵PID:3528
-
C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exeC:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe2⤵PID:1460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe .1⤵PID:1804
-
C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe .2⤵PID:3820
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jayqcvslbrozhzetpn.exe*."3⤵PID:2480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe1⤵PID:4056
-
C:\Windows\wqrmbxxtmfftezhzyzkef.exewqrmbxxtmfftezhzyzkef.exe2⤵PID:1812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe .1⤵PID:5632
-
C:\Windows\jayqcvslbrozhzetpn.exejayqcvslbrozhzetpn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jayqcvslbrozhzetpn.exe*."3⤵PID:832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe1⤵PID:3808
-
C:\Windows\jayqcvslbrozhzetpn.exejayqcvslbrozhzetpn.exe2⤵PID:1048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe .1⤵PID:2928
-
C:\Windows\wqrmbxxtmfftezhzyzkef.exewqrmbxxtmfftezhzyzkef.exe .2⤵PID:244
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wqrmbxxtmfftezhzyzkef.exe*."3⤵PID:4612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe1⤵PID:4720
-
C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exeC:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe2⤵PID:4716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe .1⤵PID:1076
-
C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exeC:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe .2⤵
- System Location Discovery: System Language Discovery
PID:884 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wqrmbxxtmfftezhzyzkef.exe*."3⤵PID:1904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe1⤵PID:2376
-
C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe2⤵PID:4488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .1⤵PID:5396
-
C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System policy modification
PID:5652

      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:3260
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:4336
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:5468
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:1208
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:6104
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:736
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:3404
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:3256
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:6108
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:3616
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:4736
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:3056
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:3016
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:1576
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:3708
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:5780
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:5784
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:4528
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:2436
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:3920
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:3800
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:5528
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:636
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:3064
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:5492
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:3060
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:5724
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:1424
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:5436
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:1460
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:3724
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:5984
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:6072
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:4704
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:2260
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:5876
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:2168
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:2480
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:5744
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:480
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:3920
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:1760
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:2668
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:3016
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:4500
      C:\Users\Admin\AppData\Local\Temp\cbhtv.exe  "C:\Users\Admin\AppData\Local\Temp\cbhtv.exe" "-c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe"  PID:3196

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c anhhxmfetjjvexdtqpe.exe  PID:3724
  C:\Windows\anhhxmfetjjvexdtqpe.exe  anhhxmfetjjvexdtqpe.exe  PID:3180

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c nbwxoeyyofgtdxevttjx.exe .  PID:2612
  C:\Windows\nbwxoeyyofgtdxevttjx.exe  nbwxoeyyofgtdxevttjx.exe .  PID:560
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\nbwxoeyyofgtdxevttjx.exe*."  PID:2900
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c crnphytuldftezhzyzqfb.exe  PID:3228
  C:\Windows\crnphytuldftezhzyzqfb.exe  crnphytuldftezhzyzqfb.exe  PID:1572
    - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c nbwxoeyyofgtdxevttjx.exe .  PID:3984
  C:\Windows\nbwxoeyyofgtdxevttjx.exe  nbwxoeyyofgtdxevttjx.exe .  PID:4476
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\nbwxoeyyofgtdxevttjx.exe*."  PID:3616

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe  PID:2712
  C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe  C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe  PID:2064
    - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grjhvizwjxvfmdhvq.exe .  PID:5508
  C:\Users\Admin\AppData\Local\Temp\grjhvizwjxvfmdhvq.exe  C:\Users\Admin\AppData\Local\Temp\grjhvizwjxvfmdhvq.exe .  PID:5024
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\grjhvizwjxvfmdhvq.exe*."  PID:5784

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe  PID:2568
  C:\Windows\tieuevqhvjentjmz.exe  tieuevqhvjentjmz.exe  PID:2056

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe .  PID:4628
  C:\Windows\jayqcvslbrozhzetpn.exe  jayqcvslbrozhzetpn.exe .  PID:2236
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jayqcvslbrozhzetpn.exe*."  PID:5280

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe  PID:1532
  C:\Windows\System32\Conhost.exe  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  PID:680
  C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe  C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe  PID:5288

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anhhxmfetjjvexdtqpe.exe .  PID:1928
  C:\Users\Admin\AppData\Local\Temp\anhhxmfetjjvexdtqpe.exe  C:\Users\Admin\AppData\Local\Temp\anhhxmfetjjvexdtqpe.exe .  PID:5688
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\anhhxmfetjjvexdtqpe.exe*."  PID:4160

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe  PID:432
  C:\Windows\aqnephdvkzvfmdhvq.exe  aqnephdvkzvfmdhvq.exe  PID:3208

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe .  PID:4528
  C:\Windows\aqnephdvkzvfmdhvq.exe  aqnephdvkzvfmdhvq.exe .  PID:2352
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\aqnephdvkzvfmdhvq.exe*."  PID:2500

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe  PID:4132
  C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe  C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe  PID:5068

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe .  PID:1640
  C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe  C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe .  PID:4220
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jayqcvslbrozhzetpn.exe*."  PID:2380

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe  PID:2188
  C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe  C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe  PID:5112

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe .  PID:4776
  C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe  C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe .  PID:5080
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jayqcvslbrozhzetpn.exe*."  PID:2364
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - System policy modification

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe  PID:5684
  C:\Windows\aqnephdvkzvfmdhvq.exe  aqnephdvkzvfmdhvq.exe  PID:5916

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe .  PID:6068
  C:\Windows\umlerljduljvexdtqpy.exe  umlerljduljvexdtqpy.exe .  PID:5104
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\umlerljduljvexdtqpy.exe*."  PID:4176

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe  PID:5524
  C:\Windows\aqnephdvkzvfmdhvq.exe  aqnephdvkzvfmdhvq.exe  PID:5604

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe .  PID:1344
  C:\Windows\wqrmbxxtmfftezhzyzkef.exe  wqrmbxxtmfftezhzyzkef.exe .  PID:3332
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wqrmbxxtmfftezhzyzkef.exe*."  PID:2052

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe  PID:1196
  C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe  C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe  PID:1468

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe .  PID:4056
  C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe  C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe .  PID:6132
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\umlerljduljvexdtqpy.exe*."  PID:2168

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe  PID:1048
  C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe  C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe  PID:1340

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c anhhxmfetjjvexdtqpe.exe  PID:2636
  C:\Windows\anhhxmfetjjvexdtqpe.exe  anhhxmfetjjvexdtqpe.exe  PID:788

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe .  PID:2972
  C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe  C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe .  PID:4612
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jayqcvslbrozhzetpn.exe*."  PID:1584
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c nbwxoeyyofgtdxevttjx.exe .  PID:4644
  C:\Windows\nbwxoeyyofgtdxevttjx.exe  nbwxoeyyofgtdxevttjx.exe .  PID:700
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\nbwxoeyyofgtdxevttjx.exe*."  PID:3060

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c anhhxmfetjjvexdtqpe.exe  PID:5340
  C:\Windows\anhhxmfetjjvexdtqpe.exe  anhhxmfetjjvexdtqpe.exe  PID:5768

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c crnphytuldftezhzyzqfb.exe .  PID:2920
  C:\Windows\crnphytuldftezhzyzqfb.exe  crnphytuldftezhzyzqfb.exe .  PID:3180
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\crnphytuldftezhzyzqfb.exe*."  PID:1572

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbutiwomapozhzetpn.exe  PID:4172
  C:\Users\Admin\AppData\Local\Temp\pbutiwomapozhzetpn.exe  C:\Users\Admin\AppData\Local\Temp\pbutiwomapozhzetpn.exe  PID:6024
    - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbwxoeyyofgtdxevttjx.exe .  PID:6108
  C:\Users\Admin\AppData\Local\Temp\nbwxoeyyofgtdxevttjx.exe  C:\Users\Admin\AppData\Local\Temp\nbwxoeyyofgtdxevttjx.exe .  PID:2484
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\nbwxoeyyofgtdxevttjx.exe*."  PID:3852

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe  PID:4508
  C:\Windows\tieuevqhvjentjmz.exe  tieuevqhvjentjmz.exe  PID:5224

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe .  PID:3228
  C:\Windows\aqnephdvkzvfmdhvq.exe  aqnephdvkzvfmdhvq.exe .  PID:4476
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\aqnephdvkzvfmdhvq.exe*."  PID:4896

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe  PID:3024
  C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe  C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe  PID:5624

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe  PID:2416
  C:\Windows\umlerljduljvexdtqpy.exe  umlerljduljvexdtqpy.exe  PID:4844

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbutiwomapozhzetpn.exe .  PID:2180
  C:\Users\Admin\AppData\Local\Temp\pbutiwomapozhzetpn.exe  C:\Users\Admin\AppData\Local\Temp\pbutiwomapozhzetpn.exe .  PID:1652
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\pbutiwomapozhzetpn.exe*."  PID:4852

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe .  PID:5508
  C:\Windows\haauidcxphgtdxevttdw.exe  haauidcxphgtdxevttdw.exe .  PID:5448
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\haauidcxphgtdxevttdw.exe*."  PID:2436

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe  PID:2852
  C:\Windows\System32\Conhost.exe  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  PID:6004
  C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe  C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe  PID:1624

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe .  PID:5044
  C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe  C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe .  PID:5404
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\umlerljduljvexdtqpy.exe*."  PID:4164

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe  PID:3912
  C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe  C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe  PID:5108

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .  PID:5724
  C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe  C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .  PID:388
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\haauidcxphgtdxevttdw.exe*."  PID:4748
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe  PID:3076
  C:\Windows\jayqcvslbrozhzetpn.exe  jayqcvslbrozhzetpn.exe  PID:228

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe .  PID:4280
  C:\Windows\System32\Conhost.exe  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  PID:5064
  C:\Windows\wqrmbxxtmfftezhzyzkef.exe  wqrmbxxtmfftezhzyzkef.exe .  PID:3244
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wqrmbxxtmfftezhzyzkef.exe*."  PID:2976

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe  PID:1928
  C:\Windows\haauidcxphgtdxevttdw.exe  haauidcxphgtdxevttdw.exe  PID:2028

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe .  PID:1056
  C:\Windows\wqrmbxxtmfftezhzyzkef.exe  wqrmbxxtmfftezhzyzkef.exe .  PID:5908
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wqrmbxxtmfftezhzyzkef.exe*."  PID:4700

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe  PID:552
  C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe  C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe  PID:3580

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe .  PID:4388
  C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe  C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe .  PID:5916
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wqrmbxxtmfftezhzyzkef.exe*."  PID:5684

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe  PID:5948
  C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe  C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe  PID:4176

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .  PID:3528
  C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe  C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .  PID:4900
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\haauidcxphgtdxevttdw.exe*."  PID:5524
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe  PID:2480
  C:\Windows\wqrmbxxtmfftezhzyzkef.exe  wqrmbxxtmfftezhzyzkef.exe  PID:5332

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe .  PID:568
  C:\Windows\umlerljduljvexdtqpy.exe  umlerljduljvexdtqpy.exe .  PID:2176
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\umlerljduljvexdtqpy.exe*."  PID:5168

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe  PID:244
  C:\Windows\umlerljduljvexdtqpy.exe  umlerljduljvexdtqpy.exe  PID:536

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe .  PID:4128
  C:\Windows\tieuevqhvjentjmz.exe  tieuevqhvjentjmz.exe .  PID:6056
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tieuevqhvjentjmz.exe*."  PID:3156

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe  PID:2772
  C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe  C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe  PID:3504

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe .  PID:5944
  C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe  C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe .  PID:948
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wqrmbxxtmfftezhzyzkef.exe*."  PID:4348

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe  PID:4500
  C:\Windows\aqnephdvkzvfmdhvq.exe  aqnephdvkzvfmdhvq.exe  PID:4532

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe  PID:6024
  C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe  C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe  PID:2576

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .  PID:5804
  C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe  C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .  PID:3624
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe*."  PID:6028
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe .  PID:3180
  C:\Windows\haauidcxphgtdxevttdw.exe  haauidcxphgtdxevttdw.exe .  PID:3252
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\haauidcxphgtdxevttdw.exe*."  PID:4796

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe  PID:3028
  C:\Windows\haauidcxphgtdxevttdw.exe  haauidcxphgtdxevttdw.exe  PID:5528

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe .  PID:3476
  C:\Windows\wqrmbxxtmfftezhzyzkef.exe  wqrmbxxtmfftezhzyzkef.exe .  PID:5764
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wqrmbxxtmfftezhzyzkef.exe*."  PID:2352

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe  PID:4088
  C:\Windows\wqrmbxxtmfftezhzyzkef.exe  wqrmbxxtmfftezhzyzkef.exe  PID:4480

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe .  PID:2712
  C:\Windows\aqnephdvkzvfmdhvq.exe  aqnephdvkzvfmdhvq.exe .  PID:1476
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\aqnephdvkzvfmdhvq.exe*."  PID:5296

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe  PID:2416
  C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe  C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe  PID:3332

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe  PID:1436
  C:\Windows\tieuevqhvjentjmz.exe  tieuevqhvjentjmz.exe  PID:5068

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe .  PID:1504
  C:\Windows\wqrmbxxtmfftezhzyzkef.exe  wqrmbxxtmfftezhzyzkef.exe .  PID:5756
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wqrmbxxtmfftezhzyzkef.exe*."  PID:3400

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .  PID:5924
  C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe  C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .  PID:5324
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\haauidcxphgtdxevttdw.exe*."  PID:1168

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe  PID:6004
  C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe  C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe  PID:1804

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .  PID:5928
  C:\Windows\System32\Conhost.exe  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  PID:4628
  C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe  C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .  PID:4828
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tieuevqhvjentjmz.exe*."  PID:4456

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe  PID:6008
  C:\Windows\jayqcvslbrozhzetpn.exe  jayqcvslbrozhzetpn.exe  PID:6052

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe  PID:2984
  C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe  C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe  PID:5232

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe .  PID:5344
  C:\Windows\tieuevqhvjentjmz.exe  tieuevqhvjentjmz.exe .  PID:5696
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tieuevqhvjentjmz.exe*."  PID:4332

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .  PID:3032
  C:\Windows\System32\Conhost.exe  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  PID:2764
  C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe  C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .  PID:4912
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe*."  PID:972

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe  PID:4924
  C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe  C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe  PID:3460

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe .  PID:4280
  C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe  C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe .  PID:5908
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wqrmbxxtmfftezhzyzkef.exe*."  PID:6020

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe  PID:4340
  C:\Windows\tieuevqhvjentjmz.exe  tieuevqhvjentjmz.exe  PID:5436

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe .  PID:1608
  C:\Windows\tieuevqhvjentjmz.exe  tieuevqhvjentjmz.exe .  PID:5608
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tieuevqhvjentjmz.exe*."  PID:2260

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe  PID:5584
  C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe  C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe  PID:4864

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .  PID:4176
  C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe  C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .  PID:2360
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tieuevqhvjentjmz.exe*."  PID:3404

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe  PID:4180
  C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe  C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe  PID:3440

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe .  PID:1008
  C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe  C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe .  PID:5260
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jayqcvslbrozhzetpn.exe*."  PID:568
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe  PID:788
  C:\Windows\tieuevqhvjentjmz.exe  tieuevqhvjentjmz.exe  PID:3504

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe .  PID:3836
  C:\Windows\wqrmbxxtmfftezhzyzkef.exe  wqrmbxxtmfftezhzyzkef.exe .  PID:4612
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wqrmbxxtmfftezhzyzkef.exe*."  PID:2532

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe  PID:4544
  C:\Windows\wqrmbxxtmfftezhzyzkef.exe  wqrmbxxtmfftezhzyzkef.exe  PID:4644

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe .  PID:4348
  C:\Windows\wqrmbxxtmfftezhzyzkef.exe  wqrmbxxtmfftezhzyzkef.exe .  PID:4720
    C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe  "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wqrmbxxtmfftezhzyzkef.exe*."  PID:4512

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe  PID:5760
-
C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exeC:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe2⤵PID:3724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .1⤵PID:656
-
C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3148 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe*."3⤵PID:1872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe1⤵PID:4320
-
C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe2⤵PID:3136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .1⤵PID:5224
-
C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exeC:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3024 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\haauidcxphgtdxevttdw.exe*."3⤵PID:2100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbwxoeyyofgtdxevttjx.exe1⤵PID:2236
-
C:\Windows\nbwxoeyyofgtdxevttjx.exenbwxoeyyofgtdxevttjx.exe2⤵PID:3180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c grjhvizwjxvfmdhvq.exe .1⤵PID:4480
-
C:\Windows\grjhvizwjxvfmdhvq.exegrjhvizwjxvfmdhvq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\grjhvizwjxvfmdhvq.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c grjhvizwjxvfmdhvq.exe1⤵PID:1228
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:744
-
-
C:\Windows\grjhvizwjxvfmdhvq.exegrjhvizwjxvfmdhvq.exe2⤵PID:1644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c anhhxmfetjjvexdtqpe.exe .1⤵PID:2780
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5840
-
-
C:\Windows\anhhxmfetjjvexdtqpe.exeanhhxmfetjjvexdtqpe.exe .2⤵PID:2612
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\anhhxmfetjjvexdtqpe.exe*."3⤵PID:4968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe1⤵PID:3476
-
C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exeC:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe2⤵PID:2440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\grjhvizwjxvfmdhvq.exe .1⤵PID:5692
-
C:\Users\Admin\AppData\Local\Temp\grjhvizwjxvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\grjhvizwjxvfmdhvq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4872 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\grjhvizwjxvfmdhvq.exe*."3⤵PID:2976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe1⤵PID:5404
-
C:\Windows\wqrmbxxtmfftezhzyzkef.exewqrmbxxtmfftezhzyzkef.exe2⤵PID:5316
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crnphytuldftezhzyzqfb.exe1⤵PID:5064
-
C:\Users\Admin\AppData\Local\Temp\crnphytuldftezhzyzqfb.exeC:\Users\Admin\AppData\Local\Temp\crnphytuldftezhzyzqfb.exe2⤵PID:4704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe .1⤵PID:4496
-
C:\Windows\haauidcxphgtdxevttdw.exehaauidcxphgtdxevttdw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\haauidcxphgtdxevttdw.exe*."3⤵PID:5476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbutiwomapozhzetpn.exe .1⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\pbutiwomapozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\pbutiwomapozhzetpn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4652 -
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\pbutiwomapozhzetpn.exe*."3⤵PID:2000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe1⤵PID:3768
-
C:\Windows\aqnephdvkzvfmdhvq.exeaqnephdvkzvfmdhvq.exe2⤵PID:4280
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe .1⤵PID:5996
-
C:\Windows\aqnephdvkzvfmdhvq.exeaqnephdvkzvfmdhvq.exe .2⤵PID:5608
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\aqnephdvkzvfmdhvq.exe*."3⤵PID:4924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe1⤵PID:1148
-
C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exeC:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe2⤵PID:956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe .1⤵PID:3796
-
C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe .2⤵PID:1584
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jayqcvslbrozhzetpn.exe*."3⤵PID:2268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe1⤵PID:3256
-
C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe2⤵PID:3960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .1⤵PID:3332
-
C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exeC:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .2⤵PID:3176
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\haauidcxphgtdxevttdw.exe*."3⤵PID:416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe1⤵PID:1212
-
C:\Windows\wqrmbxxtmfftezhzyzkef.exewqrmbxxtmfftezhzyzkef.exe2⤵PID:2968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe .1⤵PID:1852
-
C:\Windows\haauidcxphgtdxevttdw.exehaauidcxphgtdxevttdw.exe .2⤵PID:5624
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\haauidcxphgtdxevttdw.exe*."3⤵PID:1220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe1⤵PID:3140
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5600
-
-
C:\Windows\wqrmbxxtmfftezhzyzkef.exewqrmbxxtmfftezhzyzkef.exe2⤵PID:2308
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe .1⤵PID:536
-
C:\Windows\jayqcvslbrozhzetpn.exejayqcvslbrozhzetpn.exe .2⤵PID:728
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jayqcvslbrozhzetpn.exe*."3⤵PID:4612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe1⤵PID:3376
-
C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe2⤵PID:760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe .1⤵PID:5984
-
C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe .2⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\umlerljduljvexdtqpy.exe*."3⤵PID:1208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe1⤵PID:4532
-
C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe2⤵PID:1980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe .1⤵PID:3764
-
C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe .2⤵PID:884
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jayqcvslbrozhzetpn.exe*."3⤵PID:4508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe1⤵PID:5480
-
C:\Windows\wqrmbxxtmfftezhzyzkef.exewqrmbxxtmfftezhzyzkef.exe2⤵PID:4320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe .1⤵PID:3016
-
C:\Windows\haauidcxphgtdxevttdw.exehaauidcxphgtdxevttdw.exe .2⤵PID:3452
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\haauidcxphgtdxevttdw.exe*."3⤵PID:2100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe1⤵PID:5960
-
C:\Windows\jayqcvslbrozhzetpn.exejayqcvslbrozhzetpn.exe2⤵PID:3708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe .1⤵PID:2852
-
C:\Windows\haauidcxphgtdxevttdw.exehaauidcxphgtdxevttdw.exe .2⤵PID:5304
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\haauidcxphgtdxevttdw.exe*."3⤵PID:4528
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe1⤵PID:5280
-
C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exeC:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe2⤵PID:1420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .1⤵PID:1548
-
C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exeC:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .2⤵PID:4224
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tieuevqhvjentjmz.exe*."3⤵PID:5764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe1⤵PID:3372
-
C:\Windows\umlerljduljvexdtqpy.exeumlerljduljvexdtqpy.exe2⤵PID:2500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe1⤵PID:5232
-
C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe2⤵PID:2440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .1⤵PID:1964
-
C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exeC:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .2⤵PID:1504
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\haauidcxphgtdxevttdw.exe*."3⤵PID:3032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe1⤵PID:3476
-
C:\Windows\tieuevqhvjentjmz.exetieuevqhvjentjmz.exe2⤵PID:4492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe .1⤵PID:4932
-
C:\Windows\umlerljduljvexdtqpy.exeumlerljduljvexdtqpy.exe .2⤵PID:4880
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\umlerljduljvexdtqpy.exe*."3⤵PID:5744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe .1⤵PID:2164
-
C:\Windows\umlerljduljvexdtqpy.exeumlerljduljvexdtqpy.exe .2⤵PID:1620
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\umlerljduljvexdtqpy.exe*."3⤵PID:4628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe1⤵PID:3244
-
C:\Windows\umlerljduljvexdtqpy.exeumlerljduljvexdtqpy.exe2⤵PID:4948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe .1⤵PID:2380
-
C:\Windows\umlerljduljvexdtqpy.exeumlerljduljvexdtqpy.exe .2⤵PID:4280
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\umlerljduljvexdtqpy.exe*."3⤵PID:1192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe1⤵PID:2000
-
C:\Windows\tieuevqhvjentjmz.exetieuevqhvjentjmz.exe2⤵PID:5584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe1⤵PID:5796
-
C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe2⤵PID:2268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .1⤵PID:5876
-
C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exeC:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .2⤵PID:4356
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\haauidcxphgtdxevttdw.exe*."3⤵PID:5088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe .1⤵PID:2260
-
C:\Windows\haauidcxphgtdxevttdw.exehaauidcxphgtdxevttdw.exe .2⤵PID:6136
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\haauidcxphgtdxevttdw.exe*."3⤵PID:3516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe1⤵PID:3052
-
C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe2⤵PID:4160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .1⤵PID:4828
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4960
-
-
C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exeC:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .2⤵PID:1184
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tieuevqhvjentjmz.exe*."3⤵PID:1008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe1⤵PID:4620
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4408
-
-
C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exeC:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe2⤵PID:5660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe1⤵PID:3404
-
C:\Windows\aqnephdvkzvfmdhvq.exeaqnephdvkzvfmdhvq.exe2⤵PID:1092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .1⤵PID:4600
-
C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exeC:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe .2⤵PID:2272
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\haauidcxphgtdxevttdw.exe*."3⤵PID:5812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe .1⤵PID:1344
-
C:\Windows\jayqcvslbrozhzetpn.exejayqcvslbrozhzetpn.exe .2⤵PID:4556
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jayqcvslbrozhzetpn.exe*."3⤵PID:2972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe1⤵PID:5084
-
C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exeC:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe2⤵PID:5868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .1⤵PID:5048
-
C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .2⤵PID:1268
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe*."3⤵PID:1972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe1⤵PID:1992
-
C:\Windows\tieuevqhvjentjmz.exetieuevqhvjentjmz.exe2⤵PID:5472
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe .1⤵PID:4612
-
C:\Windows\tieuevqhvjentjmz.exetieuevqhvjentjmz.exe .2⤵PID:248
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tieuevqhvjentjmz.exe*."3⤵PID:5192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe1⤵PID:5984
-
C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe2⤵PID:2576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .1⤵PID:5644
-
C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .2⤵PID:2868
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe*."3⤵PID:4348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe1⤵PID:2092
-
C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe2⤵PID:4172
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe .1⤵PID:4500
-
C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe .2⤵PID:1872
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\umlerljduljvexdtqpy.exe*."3⤵PID:3088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe1⤵PID:2616
-
C:\Windows\wqrmbxxtmfftezhzyzkef.exewqrmbxxtmfftezhzyzkef.exe2⤵PID:568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe .1⤵PID:3016
-
C:\Windows\umlerljduljvexdtqpy.exeumlerljduljvexdtqpy.exe .2⤵PID:1652
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\umlerljduljvexdtqpy.exe*."3⤵PID:1688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe1⤵PID:3236
-
C:\Windows\jayqcvslbrozhzetpn.exejayqcvslbrozhzetpn.exe2⤵PID:5160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe .1⤵PID:1604
-
C:\Windows\aqnephdvkzvfmdhvq.exeaqnephdvkzvfmdhvq.exe .2⤵PID:3216
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\aqnephdvkzvfmdhvq.exe*."3⤵PID:3172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe1⤵PID:2068
-
C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe2⤵PID:4752
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe .1⤵PID:5960
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3208
-
-
C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exeC:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe .2⤵PID:4816
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wqrmbxxtmfftezhzyzkef.exe*."3⤵PID:2440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe1⤵PID:2408
-
C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exeC:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe2⤵PID:4728
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .1⤵PID:4432
-
C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .2⤵PID:4012
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe*."3⤵PID:1036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe1⤵PID:2372
-
C:\Windows\umlerljduljvexdtqpy.exeumlerljduljvexdtqpy.exe2⤵PID:4948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe .1⤵PID:6020
-
C:\Windows\umlerljduljvexdtqpy.exeumlerljduljvexdtqpy.exe .2⤵PID:3168
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\umlerljduljvexdtqpy.exe*."3⤵PID:3244
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe1⤵PID:3340
-
C:\Windows\jayqcvslbrozhzetpn.exejayqcvslbrozhzetpn.exe2⤵PID:5424
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe .1⤵PID:3892
-
C:\Windows\aqnephdvkzvfmdhvq.exeaqnephdvkzvfmdhvq.exe .2⤵PID:4460
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\aqnephdvkzvfmdhvq.exe*."3⤵PID:6012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe1⤵PID:4280
-
C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exeC:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe2⤵PID:4700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .1⤵PID:5476
-
C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exeC:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe .2⤵PID:4964
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tieuevqhvjentjmz.exe*."3⤵PID:5948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe1⤵PID:5404
-
C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exeC:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe2⤵PID:1828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .1⤵PID:1532
-
C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .2⤵PID:4800
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe*."3⤵PID:6132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe1⤵PID:3768
-
C:\Windows\wqrmbxxtmfftezhzyzkef.exewqrmbxxtmfftezhzyzkef.exe2⤵PID:6000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe .1⤵PID:1852
-
C:\Windows\wqrmbxxtmfftezhzyzkef.exewqrmbxxtmfftezhzyzkef.exe .2⤵PID:3068
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wqrmbxxtmfftezhzyzkef.exe*."3⤵PID:3140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe1⤵PID:5308
-
C:\Windows\aqnephdvkzvfmdhvq.exeaqnephdvkzvfmdhvq.exe2⤵PID:5388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pbutiwomapozhzetpn.exe1⤵PID:5296
-
C:\Windows\pbutiwomapozhzetpn.exepbutiwomapozhzetpn.exe2⤵PID:3964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe .1⤵PID:5940
-
C:\Windows\aqnephdvkzvfmdhvq.exeaqnephdvkzvfmdhvq.exe .2⤵PID:1076
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\aqnephdvkzvfmdhvq.exe*."3⤵PID:572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe1⤵PID:3156
-
C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exeC:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe2⤵PID:536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c grjhvizwjxvfmdhvq.exe .1⤵PID:4600
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:788
-
-
C:\Windows\grjhvizwjxvfmdhvq.exegrjhvizwjxvfmdhvq.exe .2⤵PID:1980
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\grjhvizwjxvfmdhvq.exe*."3⤵PID:4676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe .1⤵PID:4444
-
C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exeC:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe .2⤵PID:1984
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\jayqcvslbrozhzetpn.exe*."3⤵PID:5048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zjaxkwmiuhentjmz.exe1⤵PID:4616
-
C:\Windows\zjaxkwmiuhentjmz.exezjaxkwmiuhentjmz.exe2⤵PID:3512
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c grjhvizwjxvfmdhvq.exe .1⤵PID:5580
-
C:\Windows\grjhvizwjxvfmdhvq.exegrjhvizwjxvfmdhvq.exe .2⤵PID:1904
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\grjhvizwjxvfmdhvq.exe*."3⤵PID:876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe1⤵PID:5628
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2832
-
-
C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exeC:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe2⤵PID:5848
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .1⤵PID:4420
-
C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exeC:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe .2⤵PID:3148
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe*."3⤵PID:4500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\anhhxmfetjjvexdtqpe.exe1⤵PID:5944
-
C:\Users\Admin\AppData\Local\Temp\anhhxmfetjjvexdtqpe.exeC:\Users\Admin\AppData\Local\Temp\anhhxmfetjjvexdtqpe.exe2⤵PID:656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe .1⤵PID:4720
-
C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exeC:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe .2⤵PID:5672
-
C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe"C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\zjaxkwmiuhentjmz.exe*."3⤵PID:2192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe1⤵PID:3508
-
    C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe | C:\Users\Admin\AppData\Local\Temp\zjaxkwmiuhentjmz.exe | PID 1420
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crnphytuldftezhzyzqfb.exe . | PID 1652
    C:\Users\Admin\AppData\Local\Temp\crnphytuldftezhzyzqfb.exe | C:\Users\Admin\AppData\Local\Temp\crnphytuldftezhzyzqfb.exe . | PID 4796
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\crnphytuldftezhzyzqfb.exe*." | PID 4224
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe | PID 1568
    C:\Windows\umlerljduljvexdtqpy.exe | umlerljduljvexdtqpy.exe | PID 3144
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe . | PID 4804
    C:\Windows\haauidcxphgtdxevttdw.exe | haauidcxphgtdxevttdw.exe . | PID 3940
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\haauidcxphgtdxevttdw.exe*." | PID 4896
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe | PID 4816
    C:\Windows\jayqcvslbrozhzetpn.exe | jayqcvslbrozhzetpn.exe | PID 2440
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe . | PID 2612
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1424
    C:\Windows\tieuevqhvjentjmz.exe | tieuevqhvjentjmz.exe . | PID 4336
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tieuevqhvjentjmz.exe*." | PID 2188
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe | PID 3136
    C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe | C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe | PID 4492
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe . | PID 4852
    C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe | C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe . | PID 2712
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\umlerljduljvexdtqpy.exe*." | PID 2296
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe | PID 5080
    C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe | C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe | PID 3168
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe . | PID 5108
    C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe | C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe . | PID 4864
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\umlerljduljvexdtqpy.exe*." | PID 6008
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe | PID 6016
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5104
    C:\Windows\tieuevqhvjentjmz.exe | tieuevqhvjentjmz.exe | PID 1192
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe . | PID 5584
    C:\Windows\aqnephdvkzvfmdhvq.exe | aqnephdvkzvfmdhvq.exe . | PID 5268
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\aqnephdvkzvfmdhvq.exe*." | PID 5476
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe | PID 5180
    C:\Windows\haauidcxphgtdxevttdw.exe | haauidcxphgtdxevttdw.exe | PID 5948
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe . | PID 1640
    C:\Windows\aqnephdvkzvfmdhvq.exe | aqnephdvkzvfmdhvq.exe . | PID 4112
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\aqnephdvkzvfmdhvq.exe*." | PID 4088
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe | PID 5456
    C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe | C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe | PID 840
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe . | PID 3556
    C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe | C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe . | PID 5660
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wqrmbxxtmfftezhzyzkef.exe*." | PID 4972
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe | PID 3768
    C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe | C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe | PID 4408
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe . | PID 1056
    C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe | C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe . | PID 5868
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\haauidcxphgtdxevttdw.exe*." | PID 1760
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe | PID 5084
    C:\Windows\jayqcvslbrozhzetpn.exe | jayqcvslbrozhzetpn.exe | PID 3404
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe . | PID 832
    C:\Windows\wqrmbxxtmfftezhzyzkef.exe | wqrmbxxtmfftezhzyzkef.exe . | PID 5812
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wqrmbxxtmfftezhzyzkef.exe*." | PID 6056
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe | PID 5656
    C:\Windows\wqrmbxxtmfftezhzyzkef.exe | wqrmbxxtmfftezhzyzkef.exe | PID 2736
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe | PID 4128
    C:\Windows\tieuevqhvjentjmz.exe | tieuevqhvjentjmz.exe | PID 1984
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe . | PID 5340
    C:\Windows\wqrmbxxtmfftezhzyzkef.exe | wqrmbxxtmfftezhzyzkef.exe . | PID 4532
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wqrmbxxtmfftezhzyzkef.exe*." | PID 4512
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe . | PID 5048
    C:\Windows\umlerljduljvexdtqpy.exe | umlerljduljvexdtqpy.exe . | PID 2576
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\umlerljduljvexdtqpy.exe*." | PID 4876
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe | PID 5168
    C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe | C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe | PID 6132
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe | PID 3376
    C:\Windows\jayqcvslbrozhzetpn.exe | jayqcvslbrozhzetpn.exe | PID 5192
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe . | PID 4544
    C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe | C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe . | PID 1572
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\haauidcxphgtdxevttdw.exe*." | PID 3624
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe . | PID 6092
    C:\Windows\jayqcvslbrozhzetpn.exe | jayqcvslbrozhzetpn.exe . | PID 5804
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jayqcvslbrozhzetpn.exe*." | PID 4224
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe | PID 6108
    C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe | C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe | PID 5160
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe | PID 3756
    C:\Windows\tieuevqhvjentjmz.exe | tieuevqhvjentjmz.exe | PID 2668
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe . | PID 5640
    C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe | C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe . | PID 1652
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tieuevqhvjentjmz.exe*." | PID 5756
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe | PID 4936
    C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe | C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe | PID 3016
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe . | PID 2616
    C:\Windows\haauidcxphgtdxevttdw.exe | haauidcxphgtdxevttdw.exe . | PID 4220
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\haauidcxphgtdxevttdw.exe*." | PID 3736
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe . | PID 1080
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5784
    C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe | C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe . | PID 3216
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tieuevqhvjentjmz.exe*." | PID 2188
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe | PID 5396
    C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe | C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe | PID 2976
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe | PID 4268
    C:\Windows\wqrmbxxtmfftezhzyzkef.exe | wqrmbxxtmfftezhzyzkef.exe | PID 4012
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe . | PID 5724
    C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe | C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe . | PID 972
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\haauidcxphgtdxevttdw.exe*." | PID 4432
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe . | PID 4064
    C:\Windows\umlerljduljvexdtqpy.exe | umlerljduljvexdtqpy.exe . | PID 4688
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\umlerljduljvexdtqpy.exe*." | PID 5252
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe | PID 784
    C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe | C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe | PID 4668
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe . | PID 3196
    C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe | C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe . | PID 6140
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\haauidcxphgtdxevttdw.exe*." | PID 2372
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe | PID 4300
    C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe | C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe | PID 6020
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe . | PID 1052
    C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe | C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe . | PID 3260
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe*." | PID 4700
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe | PID 4964
    C:\Windows\haauidcxphgtdxevttdw.exe | haauidcxphgtdxevttdw.exe | PID 5584
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tieuevqhvjentjmz.exe . | PID 896
    C:\Windows\tieuevqhvjentjmz.exe | tieuevqhvjentjmz.exe . | PID 2464
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\tieuevqhvjentjmz.exe*." | PID 1108
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe | PID 1664
    C:\Windows\haauidcxphgtdxevttdw.exe | haauidcxphgtdxevttdw.exe | PID 2564
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c haauidcxphgtdxevttdw.exe . | PID 6136
    C:\Windows\haauidcxphgtdxevttdw.exe | haauidcxphgtdxevttdw.exe . | PID 3204
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\haauidcxphgtdxevttdw.exe*." | PID 1764
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe | PID 4520
    C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe | C:\Users\Admin\AppData\Local\Temp\jayqcvslbrozhzetpn.exe | PID 5088
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe . | PID 920
    C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe | C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe . | PID 2908
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\aqnephdvkzvfmdhvq.exe*." | PID 5924
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe | PID 6032
    C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe | C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe | PID 2772
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe . | PID 3720
    C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe | C:\Users\Admin\AppData\Local\Temp\tieuevqhvjentjmz.exe . | PID 3140
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\tieuevqhvjentjmz.exe*." | PID 5936
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe | PID 2728
    C:\Windows\jayqcvslbrozhzetpn.exe | jayqcvslbrozhzetpn.exe | PID 1976
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe . | PID 2732
    C:\Windows\jayqcvslbrozhzetpn.exe | jayqcvslbrozhzetpn.exe . | PID 2676
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jayqcvslbrozhzetpn.exe*." | PID 1456
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aqnephdvkzvfmdhvq.exe | PID 5620
    C:\Windows\aqnephdvkzvfmdhvq.exe | aqnephdvkzvfmdhvq.exe | PID 4128
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe . | PID 5624
    C:\Windows\umlerljduljvexdtqpy.exe | umlerljduljvexdtqpy.exe . | PID 2724
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\umlerljduljvexdtqpy.exe*." | PID 4532
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe | PID 6132
    C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe | C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe | PID 3636
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe . | PID 416
    C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe | C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe . | PID 3520
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\umlerljduljvexdtqpy.exe*." | PID 4848
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe | PID 2660
    C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe | C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe | PID 2136
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe . | PID 5968
    C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe | C:\Users\Admin\AppData\Local\Temp\umlerljduljvexdtqpy.exe . | PID 5048
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\umlerljduljvexdtqpy.exe*." | PID 1164
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe | PID 2428
    C:\Windows\wqrmbxxtmfftezhzyzkef.exe | wqrmbxxtmfftezhzyzkef.exe | PID 5336
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wqrmbxxtmfftezhzyzkef.exe . | PID 5804
    C:\Windows\wqrmbxxtmfftezhzyzkef.exe | wqrmbxxtmfftezhzyzkef.exe . | PID 4868
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\wqrmbxxtmfftezhzyzkef.exe*." | PID 3000
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c umlerljduljvexdtqpy.exe | PID 2532
    C:\Windows\umlerljduljvexdtqpy.exe | umlerljduljvexdtqpy.exe | PID 2312
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jayqcvslbrozhzetpn.exe . | PID 5596
    C:\Windows\jayqcvslbrozhzetpn.exe | jayqcvslbrozhzetpn.exe . | PID 3144
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\jayqcvslbrozhzetpn.exe*." | PID 1548
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe | PID 5688
    C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe | C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe | PID 1476
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zjaxkwmiuhentjmz.exe | PID 5164
    C:\Windows\zjaxkwmiuhentjmz.exe | zjaxkwmiuhentjmz.exe | PID 5228
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe . | PID 4168
    C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe | C:\Users\Admin\AppData\Local\Temp\wqrmbxxtmfftezhzyzkef.exe . | PID 2192
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\users\admin\appdata\local\temp\wqrmbxxtmfftezhzyzkef.exe*." | PID 3136
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c nbwxoeyyofgtdxevttjx.exe . | PID 5780
    C:\Windows\nbwxoeyyofgtdxevttjx.exe | nbwxoeyyofgtdxevttjx.exe . | PID 5132
        C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe | "C:\Users\Admin\AppData\Local\Temp\vzaljrgxfjk.exe" "c:\windows\nbwxoeyyofgtdxevttjx.exe*." | PID 1284
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe | PID 4528
    C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe | C:\Users\Admin\AppData\Local\Temp\aqnephdvkzvfmdhvq.exe | PID 5272
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c anhhxmfetjjvexdtqpe.exe | PID 972
    C:\Windows\anhhxmfetjjvexdtqpe.exe | anhhxmfetjjvexdtqpe.exe | PID 1952
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe . | PID 736
    C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe | C:\Users\Admin\AppData\Local\Temp\haauidcxphgtdxevttdw.exe . | PID 388
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c grjhvizwjxvfmdhvq.exe . | PID 5772
    C:\Windows\grjhvizwjxvfmdhvq.exe | grjhvizwjxvfmdhvq.exe . | PID 2296
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\crnphytuldftezhzyzqfb.exe | PID 1672
Network
MITRE ATT&CK Enterprise v16
Persistence
    Boot or Logon Autostart Execution (3)
        Registry Run Keys / Startup Folder (2)
        Winlogon Helper DLL (1)
    Hijack Execution Flow (1)
        Executable Installer File Permissions Weakness (1)
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Boot or Logon Autostart Execution (3)
        Registry Run Keys / Startup Folder (2)
        Winlogon Helper DLL (1)
    Hijack Execution Flow (1)
        Executable Installer File Permissions Weakness (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Hijack Execution Flow (1)
        Executable Installer File Permissions Weakness (1)
    Impair Defenses (2)
        Disable or Modify Tools (1)
        Safe Mode Boot (1)
    Modify Registry (5)
Downloads