Analysis
max time kernel: 55s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21/04/2025, 05:13

Static task: static1

Behavioral task: behavioral1
Sample: JaffaCakes118_c7e5d9b24e40b9b5909256350f70b10b.exe
Resource: win10v2004-20250314-en

Behavioral task: behavioral2
Sample: JaffaCakes118_c7e5d9b24e40b9b5909256350f70b10b.exe
Resource: win11-20250410-en

General
Target: JaffaCakes118_c7e5d9b24e40b9b5909256350f70b10b.exe
Size: 480KB
MD5: c7e5d9b24e40b9b5909256350f70b10b
SHA1: fb9d569e524b0cbe1f4a4a600ada58f687a7aee4
SHA256: 2e7aa86c211bcba2701f0d5acd491714bcbaf5f5cd6e930bc9795fdfb2a7f859
SHA512: 2cb935a8f5f1bc4fafbcd7de1bd3dabe65e31a2f3f860dcfbc65aad89242841e59fc6fffec922f20f4c983723329503060b00e4e7152873730c7de41b93a17ea
SSDEEP: 6144:v8XXRUw9Oz5+iUU03pej1YpTYzOb0kLXhlJFTaLTGu0yvHcr+JB8aUl:UnRy+ZyYpaCDJFuPyAHcqrU
Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 28 IoCs)
Pykspa family

UAC bypass (3 TTPs, 40 IoCs)
Detect Pykspa worm (2 IoCs)
resource | yara_rule
behavioral2/files/0x000c00000002aca3-4.dat | family_pykspa
behavioral2/files/0x001a00000002b1a2-82.dat | family_pykspa
Adds policy Run key to start application (2 TTPs, 64 IoCs)
Disables RegEdit via registry modification (8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vcmwwcl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vcmwwcl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vcmwwcl.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vcmwwcl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | apcxvhdqkzm.exe
Executes dropped EXE (64 IoCs)
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | vcmwwcl.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | vcmwwcl.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | vcmwwcl.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | vcmwwcl.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | vcmwwcl.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | vcmwwcl.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
Checks whether UAC is enabled 1 TTPs 56 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vcmwwcl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vcmwwcl.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vcmwwcl.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vcmwwcl.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 4 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | vcmwwcl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | vcmwwcl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | apcxvhdqkzm.exe
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | whatismyip.everdot.org
1 | whatismyipaddress.com
3 | whatismyip.everdot.org
3 | www.showmyipaddress.com
3 | www.whatismyip.ca
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\xsqocwtoqpolqyuaxqljh.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\iczwjcystrplpwrwskeb.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\xsqocwtoqpolqyuaxqljh.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\bsmgqgzqojexycuwp.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\okjixsqmpppntczgeyutsh.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\okjixsqmpppntczgeyutsh.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\bsmgqgzqojexycuwp.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\oszgdgmqbjrxlchwceipwtwcgr.hnb | vcmwwcl.exe
File created | C:\Windows\SysWOW64\bsmgqgzqojexycuwp.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\xsqocwtoqpolqyuaxqljh.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\bsmgqgzqojexycuwp.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\vokgskfyyvsnqwqupgz.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\kcxsduogfbxrtyruoe.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\ukdwfumcztnffiza.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\vokgskfyyvsnqwqupgz.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\xsqocwtoqpolqyuaxqljh.exe | vcmwwcl.exe
File opened for modification | C:\Windows\SysWOW64\ukdwfumcztnffiza.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\okjixsqmpppntczgeyutsh.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\ukdwfumcztnffiza.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\vokgskfyyvsnqwqupgz.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\vokgskfyyvsnqwqupgz.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\okjixsqmpppntczgeyutsh.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\bsmgqgzqojexycuwp.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\ukdwfumcztnffiza.exe | vcmwwcl.exe
File created | C:\Windows\SysWOW64\okjixsqmpppntczgeyutsh.exe | vcmwwcl.exe
File opened for modification | C:\Windows\SysWOW64\okjixsqmpppntczgeyutsh.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\vokgskfyyvsnqwqupgz.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\kcxsduogfbxrtyruoe.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\xsqocwtoqpolqyuaxqljh.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\okjixsqmpppntczgeyutsh.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\okjixsqmpppntczgeyutsh.exe | vcmwwcl.exe
File created | C:\Windows\SysWOW64\ukdwfumcztnffiza.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\bsmgqgzqojexycuwp.exe | vcmwwcl.exe
File opened for modification | C:\Windows\SysWOW64\iczwjcystrplpwrwskeb.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\pewowkbqmfypoqggxkzrjrfwlhatkjlbbsfum.mar | vcmwwcl.exe
File created | C:\Windows\SysWOW64\kcxsduogfbxrtyruoe.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\iczwjcystrplpwrwskeb.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\ukdwfumcztnffiza.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\okjixsqmpppntczgeyutsh.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\iczwjcystrplpwrwskeb.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\okjixsqmpppntczgeyutsh.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\bsmgqgzqojexycuwp.exe | vcmwwcl.exe
File opened for modification | C:\Windows\SysWOW64\bsmgqgzqojexycuwp.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\bsmgqgzqojexycuwp.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\ukdwfumcztnffiza.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\ukdwfumcztnffiza.exe | vcmwwcl.exe
File opened for modification | C:\Windows\SysWOW64\okjixsqmpppntczgeyutsh.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\xsqocwtoqpolqyuaxqljh.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\vokgskfyyvsnqwqupgz.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\bsmgqgzqojexycuwp.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\xsqocwtoqpolqyuaxqljh.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\ukdwfumcztnffiza.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\kcxsduogfbxrtyruoe.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\ukdwfumcztnffiza.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\xsqocwtoqpolqyuaxqljh.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\kcxsduogfbxrtyruoe.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\okjixsqmpppntczgeyutsh.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\SysWOW64\kcxsduogfbxrtyruoe.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\okjixsqmpppntczgeyutsh.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\xsqocwtoqpolqyuaxqljh.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\ukdwfumcztnffiza.exe | vcmwwcl.exe
File opened for modification | C:\Windows\SysWOW64\xsqocwtoqpolqyuaxqljh.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\xsqocwtoqpolqyuaxqljh.exe | apcxvhdqkzm.exe
File created | C:\Windows\SysWOW64\vokgskfyyvsnqwqupgz.exe | apcxvhdqkzm.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\oszgdgmqbjrxlchwceipwtwcgr.hnb | vcmwwcl.exe
File opened for modification | C:\Program Files (x86)\pewowkbqmfypoqggxkzrjrfwlhatkjlbbsfum.mar | vcmwwcl.exe
File created | C:\Program Files (x86)\pewowkbqmfypoqggxkzrjrfwlhatkjlbbsfum.mar | vcmwwcl.exe
File opened for modification | C:\Program Files (x86)\oszgdgmqbjrxlchwceipwtwcgr.hnb | vcmwwcl.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\kcxsduogfbxrtyruoe.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\iczwjcystrplpwrwskeb.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\xsqocwtoqpolqyuaxqljh.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\ukdwfumcztnffiza.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\iczwjcystrplpwrwskeb.exe | apcxvhdqkzm.exe
File created | C:\Windows\okjixsqmpppntczgeyutsh.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\iczwjcystrplpwrwskeb.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\iczwjcystrplpwrwskeb.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\xsqocwtoqpolqyuaxqljh.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\vokgskfyyvsnqwqupgz.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\vokgskfyyvsnqwqupgz.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\bsmgqgzqojexycuwp.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\xsqocwtoqpolqyuaxqljh.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\kcxsduogfbxrtyruoe.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\vokgskfyyvsnqwqupgz.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\kcxsduogfbxrtyruoe.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\vokgskfyyvsnqwqupgz.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\okjixsqmpppntczgeyutsh.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\okjixsqmpppntczgeyutsh.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\okjixsqmpppntczgeyutsh.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\vokgskfyyvsnqwqupgz.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\kcxsduogfbxrtyruoe.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\iczwjcystrplpwrwskeb.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\ukdwfumcztnffiza.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\kcxsduogfbxrtyruoe.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\xsqocwtoqpolqyuaxqljh.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\ukdwfumcztnffiza.exe | vcmwwcl.exe
File opened for modification | C:\Windows\vokgskfyyvsnqwqupgz.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\bsmgqgzqojexycuwp.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\bsmgqgzqojexycuwp.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\ukdwfumcztnffiza.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\kcxsduogfbxrtyruoe.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\bsmgqgzqojexycuwp.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\kcxsduogfbxrtyruoe.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\vokgskfyyvsnqwqupgz.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\bsmgqgzqojexycuwp.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\bsmgqgzqojexycuwp.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\bsmgqgzqojexycuwp.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\kcxsduogfbxrtyruoe.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\iczwjcystrplpwrwskeb.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\okjixsqmpppntczgeyutsh.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\okjixsqmpppntczgeyutsh.exe | vcmwwcl.exe
File opened for modification | C:\Windows\xsqocwtoqpolqyuaxqljh.exe | apcxvhdqkzm.exe
File created | C:\Windows\ukdwfumcztnffiza.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\bsmgqgzqojexycuwp.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\iczwjcystrplpwrwskeb.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\iczwjcystrplpwrwskeb.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\bsmgqgzqojexycuwp.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\xsqocwtoqpolqyuaxqljh.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\okjixsqmpppntczgeyutsh.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\ukdwfumcztnffiza.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\vokgskfyyvsnqwqupgz.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\vokgskfyyvsnqwqupgz.exe | vcmwwcl.exe
File opened for modification | C:\Windows\iczwjcystrplpwrwskeb.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\bsmgqgzqojexycuwp.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\iczwjcystrplpwrwskeb.exe | vcmwwcl.exe
File opened for modification | C:\Windows\iczwjcystrplpwrwskeb.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\bsmgqgzqojexycuwp.exe | vcmwwcl.exe
File opened for modification | C:\Windows\okjixsqmpppntczgeyutsh.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\iczwjcystrplpwrwskeb.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\vokgskfyyvsnqwqupgz.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\okjixsqmpppntczgeyutsh.exe | apcxvhdqkzm.exe
File created | C:\Windows\kcxsduogfbxrtyruoe.exe | apcxvhdqkzm.exe
File opened for modification | C:\Windows\okjixsqmpppntczgeyutsh.exe | apcxvhdqkzm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bsmgqgzqojexycuwp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ukdwfumcztnffiza.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iczwjcystrplpwrwskeb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | apcxvhdqkzm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xsqocwtoqpolqyuaxqljh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vcmwwcl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kcxsduogfbxrtyruoe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iczwjcystrplpwrwskeb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iczwjcystrplpwrwskeb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iczwjcystrplpwrwskeb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iczwjcystrplpwrwskeb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | utmdrpeesjolgjpjniy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bsmgqgzqojexycuwp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iczwjcystrplpwrwskeb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vokgskfyyvsnqwqupgz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vokgskfyyvsnqwqupgz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ukdwfumcztnffiza.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ukdwfumcztnffiza.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kcxsduogfbxrtyruoe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vokgskfyyvsnqwqupgz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kcxsduogfbxrtyruoe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iczwjcystrplpwrwskeb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iczwjcystrplpwrwskeb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vokgskfyyvsnqwqupgz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vokgskfyyvsnqwqupgz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xsqocwtoqpolqyuaxqljh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bsmgqgzqojexycuwp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kcxsduogfbxrtyruoe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bsmgqgzqojexycuwp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kcxsduogfbxrtyruoe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iczwjcystrplpwrwskeb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tpftezlithjdvvyp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bsmgqgzqojexycuwp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bsmgqgzqojexycuwp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iczwjcystrplpwrwskeb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kcxsduogfbxrtyruoe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iczwjcystrplpwrwskeb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tpftezlithjdvvyp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jhzpcznmzptpjlqjmg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vokgskfyyvsnqwqupgz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iczwjcystrplpwrwskeb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iczwjcystrplpwrwskeb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jhzpcznmzptpjlqjmg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xsqocwtoqpolqyuaxqljh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xsqocwtoqpolqyuaxqljh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kcxsduogfbxrtyruoe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ukdwfumcztnffiza.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kcxsduogfbxrtyruoe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kcxsduogfbxrtyruoe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xsqocwtoqpolqyuaxqljh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kcxsduogfbxrtyruoe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iczwjcystrplpwrwskeb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xsqocwtoqpolqyuaxqljh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iczwjcystrplpwrwskeb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jhzpcznmzptpjlqjmg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vokgskfyyvsnqwqupgz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vokgskfyyvsnqwqupgz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vokgskfyyvsnqwqupgz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bsmgqgzqojexycuwp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bsmgqgzqojexycuwp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xsqocwtoqpolqyuaxqljh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kcxsduogfbxrtyruoe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xsqocwtoqpolqyuaxqljh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bsmgqgzqojexycuwp.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2600 | JaffaCakes118_c7e5d9b24e40b9b5909256350f70b10b.exe (14 consecutive entries)
1084 | vcmwwcl.exe (2 consecutive entries)
2600 | JaffaCakes118_c7e5d9b24e40b9b5909256350f70b10b.exe (24 consecutive entries)
1084 | vcmwwcl.exe (2 consecutive entries)
2600 | JaffaCakes118_c7e5d9b24e40b9b5909256350f70b10b.exe (22 consecutive entries)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1084 | vcmwwcl.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2600 wrote to memory of 5908 | 2600 | JaffaCakes118_c7e5d9b24e40b9b5909256350f70b10b.exe | 79
PID 2600 wrote to memory of 5908 | 2600 | JaffaCakes118_c7e5d9b24e40b9b5909256350f70b10b.exe | 79
PID 2600 wrote to memory of 5908 | 2600 | JaffaCakes118_c7e5d9b24e40b9b5909256350f70b10b.exe | 79
PID 5404 wrote to memory of 1856 | 5404 | cmd.exe | 82
PID 5404 wrote to memory of 1856 | 5404 | cmd.exe | 82
PID 5404 wrote to memory of 1856 | 5404 | cmd.exe | 82
PID 1404 wrote to memory of 1736 | 1404 | cmd.exe | 85
PID 1404 wrote to memory of 1736 | 1404 | cmd.exe | 85
PID 1404 wrote to memory of 1736 | 1404 | cmd.exe | 85
PID 1736 wrote to memory of 4896 | 1736 | bsmgqgzqojexycuwp.exe | 86
PID 1736 wrote to memory of 4896 | 1736 | bsmgqgzqojexycuwp.exe | 86
PID 1736 wrote to memory of 4896 | 1736 | bsmgqgzqojexycuwp.exe | 86
PID 4936 wrote to memory of 5072 | 4936 | cmd.exe | 89
PID 4936 wrote to memory of 5072 | 4936 | cmd.exe | 89
PID 4936 wrote to memory of 5072 | 4936 | cmd.exe | 89
PID 4376 wrote to memory of 2316 | 4376 | cmd.exe | 92
PID 4376 wrote to memory of 2316 | 4376 | cmd.exe | 92
PID 4376 wrote to memory of 2316 | 4376 | cmd.exe | 92
PID 2596 wrote to memory of 3460 | 2596 | cmd.exe | 95
PID 2596 wrote to memory of 3460 | 2596 | cmd.exe | 95
PID 2596 wrote to memory of 3460 | 2596 | cmd.exe | 95
PID 2316 wrote to memory of 2404 | 2316 | iczwjcystrplpwrwskeb.exe | 98
PID 2316 wrote to memory of 2404 | 2316 | iczwjcystrplpwrwskeb.exe | 98
PID 2316 wrote to memory of 2404 | 2316 | iczwjcystrplpwrwskeb.exe | 98
PID 5196 wrote to memory of 4732 | 5196 | cmd.exe | 99
PID 5196 wrote to memory of 4732 | 5196 | cmd.exe | 99
PID 5196 wrote to memory of 4732 | 5196 | cmd.exe | 99
PID 4732 wrote to memory of 3532 | 4732 | iczwjcystrplpwrwskeb.exe | 100
PID 4732 wrote to memory of 3532 | 4732 | iczwjcystrplpwrwskeb.exe | 100
PID 4732 wrote to memory of 3532 | 4732 | iczwjcystrplpwrwskeb.exe | 100
PID 4760 wrote to memory of 4160 | 4760 | cmd.exe | 103
PID 4760 wrote to memory of 4160 | 4760 | cmd.exe | 103
PID 4760 wrote to memory of 4160 | 4760 | cmd.exe | 103
PID 960 wrote to memory of 5924 | 960 | cmd.exe | 106
PID 960 wrote to memory of 5924 | 960 | cmd.exe | 106
PID 960 wrote to memory of 5924 | 960 | cmd.exe | 106
PID 5924 wrote to memory of 5640 | 5924 | vokgskfyyvsnqwqupgz.exe | 107
PID 5924 wrote to memory of 5640 | 5924 | vokgskfyyvsnqwqupgz.exe | 107
PID 5924 wrote to memory of 5640 | 5924 | vokgskfyyvsnqwqupgz.exe | 107
PID 5908 wrote to memory of 1380 | 5908 | apcxvhdqkzm.exe | 108
PID 5908 wrote to memory of 1380 | 5908 | apcxvhdqkzm.exe | 108
PID 5908 wrote to memory of 1380 | 5908 | apcxvhdqkzm.exe | 108
PID 5908 wrote to memory of 1084 | 5908 | apcxvhdqkzm.exe | 109
PID 5908 wrote to memory of 1084 | 5908 | apcxvhdqkzm.exe | 109
PID 5908 wrote to memory of 1084 | 5908 | apcxvhdqkzm.exe | 109
PID 1136 wrote to memory of 688 | 1136 | cmd.exe | 112
PID 1136 wrote to memory of 688 | 1136 | cmd.exe | 112
PID 1136 wrote to memory of 688 | 1136 | cmd.exe | 112
PID 132 wrote to memory of 248 | 132 | cmd.exe | 115
PID 132 wrote to memory of 248 | 132 | cmd.exe | 115
PID 132 wrote to memory of 248 | 132 | cmd.exe | 115
PID 5448 wrote to memory of 4360 | 5448 | cmd.exe | 118
PID 5448 wrote to memory of 4360 | 5448 | cmd.exe | 118
PID 5448 wrote to memory of 4360 | 5448 | cmd.exe | 118
PID 2444 wrote to memory of 1064 | 2444 | cmd.exe | 121
PID 2444 wrote to memory of 1064 | 2444 | cmd.exe | 121
PID 2444 wrote to memory of 1064 | 2444 | cmd.exe | 121
PID 4360 wrote to memory of 2848 | 4360 | bsmgqgzqojexycuwp.exe | 122
PID 4360 wrote to memory of 2848 | 4360 | bsmgqgzqojexycuwp.exe | 122
PID 4360 wrote to memory of 2848 | 4360 | bsmgqgzqojexycuwp.exe | 122
PID 1064 wrote to memory of 5736 | 1064 | iczwjcystrplpwrwskeb.exe | 224
PID 1064 wrote to memory of 5736 | 1064 | iczwjcystrplpwrwskeb.exe | 224
PID 1064 wrote to memory of 5736 | 1064 | iczwjcystrplpwrwskeb.exe | 224
PID 2544 wrote to memory of 4088 | 2544 | cmd.exe | 225
-
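The WriteProcessMemory records above log every spawn three times (one row per call) and name a process only where it appears as a parent, so the chain of launches is easier to read once rebuilt as a tree. The Python below is an added example, not part of the sandbox report: it parses rows in the report's own layout, collapses the repeats into counts, and lists the cmd.exe -> dropped executable -> grandchild chains that make up the relaunch pattern. The sample input is a constructed subset of the report's rows; the regex and function names are this example's own.

```python
"""Rebuild a parent/child process tree from sandbox WriteProcessMemory records.

Added example (not from the sandbox report). The records below are a constructed
subset of the report's own "wrote to memory of" rows, kept in the report's layout:
"PID <parent> wrote to memory of <child> <parent> <parent image> <target id>".
The sandbox logs each spawn three times, once per WriteProcessMemory call, and
names a process only where it appears as a parent.
"""
import re
from collections import Counter, defaultdict

SAMPLE = """
PID 2600 wrote to memory of 5908 2600 JaffaCakes118_c7e5d9b24e40b9b5909256350f70b10b.exe 79
PID 2600 wrote to memory of 5908 2600 JaffaCakes118_c7e5d9b24e40b9b5909256350f70b10b.exe 79
PID 2600 wrote to memory of 5908 2600 JaffaCakes118_c7e5d9b24e40b9b5909256350f70b10b.exe 79
PID 5908 wrote to memory of 1380 5908 apcxvhdqkzm.exe 108
PID 5908 wrote to memory of 1084 5908 apcxvhdqkzm.exe 109
PID 1404 wrote to memory of 1736 1404 cmd.exe 85
PID 1736 wrote to memory of 4896 1736 bsmgqgzqojexycuwp.exe 86
PID 4376 wrote to memory of 2316 4376 cmd.exe 92
PID 2316 wrote to memory of 2404 2316 iczwjcystrplpwrwskeb.exe 98
"""

# The parent pid is repeated in every record; the backreference enforces that.
RECORD = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P=parent) (?P<image>\S+) (?P<target>\d+)"
)


def parse_records(text):
    """One (parent_pid, child_pid, parent_image) tuple per record, repeats kept."""
    return [(int(m["parent"]), int(m["child"]), m["image"]) for m in RECORD.finditer(text)]


def build_tree(records):
    """Return (children, names, counts): adjacency, pid->image, spawn record counts."""
    children = defaultdict(list)   # parent pid -> distinct child pids, first-seen order
    names = {}                     # pid -> image; unknown for pids never seen as a parent
    counts = Counter()             # (parent, child) -> number of WriteProcessMemory records
    for parent, child, image in records:
        names[parent] = image
        counts[(parent, child)] += 1
        if child not in children[parent]:
            children[parent].append(child)
    return children, names, counts


def chains_from(root, children, names):
    """Every root-to-leaf path as a list of 'image(pid)' labels ('?' = image unknown)."""
    out = []

    def walk(pid, path):
        path = path + [f"{names.get(pid, '?')}({pid})"]
        kids = children.get(pid)
        if not kids:
            out.append(path)
            return
        for kid in kids:
            walk(kid, path)

    walk(root, [])
    return out


def launcher_chains(children, names):
    """cmd.exe -> dropped executable -> grandchild triples, the report's relaunch pattern."""
    found = []
    for cmd_pid, image in names.items():
        if image.lower() != "cmd.exe":
            continue
        for kid in children.get(cmd_pid, []):
            for grandkid in children.get(kid, []):
                found.append((cmd_pid, kid, names.get(kid, "?"), grandkid))
    return found


if __name__ == "__main__":
    kids, names, counts = build_tree(parse_records(SAMPLE))
    for chain in chains_from(2600, kids, names):
        print(" -> ".join(chain))
    for cmd_pid, kid, kid_name, grandkid in launcher_chains(kids, names):
        n = counts[(cmd_pid, kid)]
        print(f"cmd.exe({cmd_pid}) -> {kid_name}({kid}) -> ?({grandkid})  [{n} record(s)]")
```

The leaf labels come out as "?" because this table never names a pid that only appears as a child; the process tree further down is where those names (vcmwwcl.exe under 5908, apcxvhdqkzm.exe under each dropped executable) are recorded, so the two views should be joined on pid before drawing conclusions.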
System policy modification 1 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vcmwwcl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | vcmwwcl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | apcxvhdqkzm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | apcxvhdqkzm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vcmwwcl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vcmwwcl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vcmwwcl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vcmwwcl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | vcmwwcl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | apcxvhdqkzm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | apcxvhdqkzm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | apcxvhdqkzm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | apcxvhdqkzm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | apcxvhdqkzm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | vcmwwcl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | vcmwwcl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | vcmwwcl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | vcmwwcl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | vcmwwcl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vcmwwcl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | vcmwwcl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | vcmwwcl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | vcmwwcl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | apcxvhdqkzm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | apcxvhdqkzm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | apcxvhdqkzm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | apcxvhdqkzm.exe
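Not every write in the table above changes anything: FilterAdministratorToken = 0 and ValidateAdminCodeSignatures = 0 are already the defaults, while EnableLUA = 0, ConsentPromptBehaviorAdmin = 0 and PromptOnSecureDesktop = 0 turn UAC off or make its prompt spoofable, and NoDriveTypeAutoRun = 1 is a disable-bitmask that clears the default protections rather than adding one. The Python below is an added example, not part of the sandbox report, that parses rows in the report's layout and sorts them by that distinction; its input is a constructed subset of the rows above, and the BASELINE table encodes Windows 10/11 defaults as this example's assumption, to be adjusted against a clean image.

```python
"""Triage "System policy modification" registry IoCs against baseline values.

Added example (not from the sandbox report). The input is a constructed subset of
the report's own records in its layout; the BASELINE table is this example's
assumption of Windows 10/11 defaults and is what an analyst should tune.
"""
import re
from collections import Counter, defaultdict

SAMPLE = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" vcmwwcl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" vcmwwcl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" vcmwwcl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" apcxvhdqkzm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" vcmwwcl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" apcxvhdqkzm.exe
"""

SET_VALUE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>\w+)'
    r' = "(?P<data>[^"]*)" (?P<proc>\S+)'
)

# value name -> (default data, data this sample writes, effect of that data)
# Where default == written value (FilterAdministratorToken, ValidateAdminCodeSignatures)
# the sandbox still reports the write, but it changes nothing on a default install.
BASELINE = {
    "EnableLUA": (1, 0, "UAC disabled entirely; takes effect at next logon"),
    "ConsentPromptBehaviorAdmin": (5, 0, "administrators elevate with no prompt"),
    "ConsentPromptBehaviorUser": (3, 0, "standard-user elevation auto-denied, no prompt shown"),
    "PromptOnSecureDesktop": (1, 0, "UAC prompt drawn on the interactive desktop, spoofable"),
    "EnableSecureUIAPaths": (1, 0, "UIAccess applications allowed from any path"),
    "EnableVirtualization": (1, 0, "UAC file/registry virtualization off"),
    "FilterAdministratorToken": (0, 0, "built-in Administrator runs with a full token"),
    "ValidateAdminCodeSignatures": (0, 0, "no signature check on elevating executables"),
    "DisableRegistryTools": (0, 1, "regedit.exe blocked for interactive users"),
}
AUTORUN_DEFAULT = 0x91  # NoDriveTypeAutoRun: bitmask of drive types with AutoRun DISABLED


def assess(name, data):
    """Classify one Set value record as ('weakened' | 'default' | 'changed' | 'unknown', note)."""
    if name == "NoDriveTypeAutoRun":
        # A disable-mask: clearing bits re-enables AutoRun (0xFF is the hardened value).
        re_enabled = AUTORUN_DEFAULT & ~data & 0xFF
        if re_enabled:
            return "weakened", f"AutoRun re-enabled for drive-type bits {re_enabled:#04x}"
        return "default", "AutoRun mask unchanged or stricter than default"
    if name not in BASELINE:
        return "unknown", "no baseline for this value"
    default, weak, effect = BASELINE[name]
    if data == default:
        return "default", f"equals the default ({default}); no change on a default install"
    if data == weak:
        return "weakened", effect
    return "changed", f"non-default value {data}; review"


def triage(text):
    """Parse Set value records and attach an assessment to each."""
    rows = []
    for m in SET_VALUE.finditer(text):
        data = int(m["data"], 0)
        status, note = assess(m["name"], data)
        rows.append({"proc": m["proc"], "key": m["key"], "name": m["name"],
                     "data": data, "status": status, "note": note})
    return rows


def summary(rows):
    """process -> Counter of statuses, to see which dropped binary rolls back hardening."""
    per_proc = defaultdict(Counter)
    for r in rows:
        per_proc[r["proc"]][r["status"]] += 1
    return per_proc


if __name__ == "__main__":
    rows = triage(SAMPLE)
    for r in rows:
        print(f"{r['proc']:16} {r['name']:28} = {r['data']:<4} {r['status']:8} {r['note']}")
    for proc, c in summary(rows).items():
        print(proc, dict(c))
```

The same BASELINE table doubles as a host-side check: reading those value names under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and \Explorer on a suspect machine and feeding the results through assess() tells you whether the rollback actually landed, which the sandbox's 55-second run cannot, since EnableLUA only takes effect at the next logon.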
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7e5d9b24e40b9b5909256350f70b10b.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7e5d9b24e40b9b5909256350f70b10b.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c7e5d9b24e40b9b5909256350f70b10b.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5908 -
C:\Users\Admin\AppData\Local\Temp\vcmwwcl.exe"C:\Users\Admin\AppData\Local\Temp\vcmwwcl.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_c7e5d9b24e40b9b5909256350f70b10b.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1380
-
-
C:\Users\Admin\AppData\Local\Temp\vcmwwcl.exe"C:\Users\Admin\AppData\Local\Temp\vcmwwcl.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_c7e5d9b24e40b9b5909256350f70b10b.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5404 -
C:\Windows\ukdwfumcztnffiza.exeukdwfumcztnffiza.exe2⤵
- Executes dropped EXE
PID:1856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\bsmgqgzqojexycuwp.exebsmgqgzqojexycuwp.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\bsmgqgzqojexycuwp.exe*."3⤵
- Executes dropped EXE
PID:4896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\ukdwfumcztnffiza.exeukdwfumcztnffiza.exe2⤵
- Executes dropped EXE
PID:5072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\iczwjcystrplpwrwskeb.exeiczwjcystrplpwrwskeb.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\iczwjcystrplpwrwskeb.exe*."3⤵
- Executes dropped EXE
PID:2404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exeC:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe2⤵
- Executes dropped EXE
PID:3460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5196 -
C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exeC:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe*."3⤵
- Executes dropped EXE
PID:3532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exeC:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe2⤵
- Executes dropped EXE
PID:4160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exeC:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5924 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\vokgskfyyvsnqwqupgz.exe*."3⤵
- Executes dropped EXE
PID:5640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe1⤵
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\iczwjcystrplpwrwskeb.exeiczwjcystrplpwrwskeb.exe2⤵
- Executes dropped EXE
PID:688
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe1⤵
- Suspicious use of WriteProcessMemory
PID:132 -
C:\Windows\bsmgqgzqojexycuwp.exebsmgqgzqojexycuwp.exe2⤵
- Executes dropped EXE
PID:248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5448 -
C:\Windows\bsmgqgzqojexycuwp.exebsmgqgzqojexycuwp.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\bsmgqgzqojexycuwp.exe*."3⤵
- Executes dropped EXE
PID:2848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\iczwjcystrplpwrwskeb.exeiczwjcystrplpwrwskeb.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\iczwjcystrplpwrwskeb.exe*."3⤵
- Executes dropped EXE
PID:5736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\kcxsduogfbxrtyruoe.exekcxsduogfbxrtyruoe.exe2⤵
- Executes dropped EXE
PID:4088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe .1⤵PID:3360
-
C:\Windows\vokgskfyyvsnqwqupgz.exevokgskfyyvsnqwqupgz.exe .2⤵
- Executes dropped EXE
PID:5384 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\vokgskfyyvsnqwqupgz.exe*."3⤵
- Executes dropped EXE
PID:5616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe1⤵PID:796
-
C:\Windows\bsmgqgzqojexycuwp.exebsmgqgzqojexycuwp.exe2⤵
- Executes dropped EXE
PID:1960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe1⤵PID:1808
-
C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exeC:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe2⤵
- Executes dropped EXE
PID:5324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe .1⤵PID:1156
-
C:\Windows\xsqocwtoqpolqyuaxqljh.exexsqocwtoqpolqyuaxqljh.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:408 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xsqocwtoqpolqyuaxqljh.exe*."3⤵
- Executes dropped EXE
PID:4276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe .1⤵PID:1428
-
C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exeC:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe .2⤵
- Executes dropped EXE
PID:3340 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xsqocwtoqpolqyuaxqljh.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe1⤵PID:2960
-
C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exeC:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe2⤵
- Executes dropped EXE
PID:5648
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe .1⤵PID:3104
-
C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exeC:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe .2⤵
- Executes dropped EXE
PID:4576 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ukdwfumcztnffiza.exe*."3⤵
- Executes dropped EXE
PID:6136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe1⤵PID:5580
-
C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exeC:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe2⤵
- Executes dropped EXE
PID:3552
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe1⤵PID:3632
-
C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exeC:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe2⤵
- Executes dropped EXE
PID:3428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .1⤵PID:1612
-
C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exeC:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1876 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\bsmgqgzqojexycuwp.exe*."3⤵
- Executes dropped EXE
PID:4544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe .1⤵PID:1628
-
C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exeC:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe .2⤵
- Executes dropped EXE
PID:4712 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe*."3⤵
- Executes dropped EXE
PID:3636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe1⤵PID:3956
-
C:\Windows\xsqocwtoqpolqyuaxqljh.exexsqocwtoqpolqyuaxqljh.exe2⤵
- Executes dropped EXE
PID:1128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe .1⤵PID:2036
-
C:\Windows\vokgskfyyvsnqwqupgz.exevokgskfyyvsnqwqupgz.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5428 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\vokgskfyyvsnqwqupgz.exe*."3⤵
- Executes dropped EXE
PID:1856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe1⤵PID:2472
-
C:\Windows\iczwjcystrplpwrwskeb.exeiczwjcystrplpwrwskeb.exe2⤵
- Executes dropped EXE
PID:3352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe .1⤵PID:3080
-
C:\Windows\kcxsduogfbxrtyruoe.exekcxsduogfbxrtyruoe.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4480 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\kcxsduogfbxrtyruoe.exe*."3⤵
- Executes dropped EXE
PID:3236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe1⤵PID:5112
-
C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exeC:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe2⤵
- Executes dropped EXE
PID:6040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .1⤵PID:712
-
C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exeC:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\bsmgqgzqojexycuwp.exe*."3⤵
- Executes dropped EXE
PID:5148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe1⤵PID:4376
-
C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exeC:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe2⤵
- Executes dropped EXE
PID:5568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe .1⤵PID:5328
-
C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exeC:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe .2⤵
- Executes dropped EXE
PID:1780 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\vokgskfyyvsnqwqupgz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe1⤵PID:4164
-
C:\Windows\vokgskfyyvsnqwqupgz.exevokgskfyyvsnqwqupgz.exe2⤵
- Executes dropped EXE
PID:4944
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe .1⤵PID:5852
-
C:\Windows\xsqocwtoqpolqyuaxqljh.exexsqocwtoqpolqyuaxqljh.exe .2⤵
- Executes dropped EXE
PID:812 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xsqocwtoqpolqyuaxqljh.exe*."3⤵
- Executes dropped EXE
PID:3992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe1⤵PID:1776
-
C:\Windows\vokgskfyyvsnqwqupgz.exevokgskfyyvsnqwqupgz.exe2⤵
- Executes dropped EXE
PID:4620
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe1⤵PID:5916
-
C:\Windows\bsmgqgzqojexycuwp.exebsmgqgzqojexycuwp.exe2⤵
- Executes dropped EXE
PID:2968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe1⤵PID:6108
-
C:\Windows\ukdwfumcztnffiza.exeukdwfumcztnffiza.exe2⤵
- Executes dropped EXE
PID:1196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe .1⤵PID:1124
-
C:\Windows\bsmgqgzqojexycuwp.exebsmgqgzqojexycuwp.exe .2⤵
- Executes dropped EXE
PID:4016 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\bsmgqgzqojexycuwp.exe*."3⤵
- Executes dropped EXE
PID:2172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe .1⤵PID:1772
-
C:\Windows\bsmgqgzqojexycuwp.exebsmgqgzqojexycuwp.exe .2⤵
- Executes dropped EXE
PID:3624 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\bsmgqgzqojexycuwp.exe*."3⤵
- Executes dropped EXE
PID:796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe .1⤵PID:4212
-
C:\Windows\xsqocwtoqpolqyuaxqljh.exexsqocwtoqpolqyuaxqljh.exe .2⤵
- Executes dropped EXE
PID:5996 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xsqocwtoqpolqyuaxqljh.exe*."3⤵PID:5648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe1⤵PID:5208
-
C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exeC:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe2⤵
- Executes dropped EXE
PID:2308
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe .1⤵PID:5064
-
C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exeC:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:772 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\vokgskfyyvsnqwqupgz.exe*."3⤵PID:2380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe1⤵PID:5736
-
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 2⤵PID:4088
-
-
C:\Windows\vokgskfyyvsnqwqupgz.exevokgskfyyvsnqwqupgz.exe2⤵PID:5032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe1⤵PID:1656
-
C:\Windows\iczwjcystrplpwrwskeb.exeiczwjcystrplpwrwskeb.exe2⤵PID:2212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe .1⤵PID:5124
-
C:\Windows\iczwjcystrplpwrwskeb.exeiczwjcystrplpwrwskeb.exe .2⤵PID:4072
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\iczwjcystrplpwrwskeb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:6132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe .1⤵PID:5420
-
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 2⤵PID:5384
-
-
C:\Windows\xsqocwtoqpolqyuaxqljh.exexsqocwtoqpolqyuaxqljh.exe .2⤵PID:2644
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xsqocwtoqpolqyuaxqljh.exe*."3⤵PID:1080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe1⤵PID:5380
-
C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exeC:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe2⤵
- System Location Discovery: System Language Discovery
PID:2036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe1⤵PID:6084
-
C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exeC:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe2⤵PID:2420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe1⤵PID:3124
-
C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exeC:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe2⤵PID:3160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe .1⤵PID:3812
-
C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exeC:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe .2⤵PID:5952
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe*."3⤵PID:1612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe .1⤵PID:2076
-
  [2] C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe . | PID:5556
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe*." | PID:5388

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe . | PID:5232
  [2] C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe . | PID:5816
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\bsmgqgzqojexycuwp.exe*." | PID:3516

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | PID:3100
  [2] C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | PID:5236

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | PID:3428
  [2] C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | PID:5292

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe . | PID:3960
  [2] C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe . | PID:6140
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\bsmgqgzqojexycuwp.exe*." | PID:4820

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe . | PID:1412
  [2] C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe . | PID:868
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xsqocwtoqpolqyuaxqljh.exe*." | PID:4528

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe | PID:2324
  [2] C:\Windows\kcxsduogfbxrtyruoe.exe | kcxsduogfbxrtyruoe.exe | PID:6052

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe . | PID:4896
  [2] C:\Windows\vokgskfyyvsnqwqupgz.exe | vokgskfyyvsnqwqupgz.exe . | PID:2472
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\vokgskfyyvsnqwqupgz.exe*." | PID:5096

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe | PID:4936
  [2] C:\Windows\kcxsduogfbxrtyruoe.exe | kcxsduogfbxrtyruoe.exe | PID:2044

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe . | PID:3460
  [2] C:\Windows\iczwjcystrplpwrwskeb.exe | iczwjcystrplpwrwskeb.exe . | PID:5984
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\iczwjcystrplpwrwskeb.exe*." | PID:4912

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | PID:5140
  [2] C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | PID:5148

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe . | PID:5844
  [2] C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe . | PID:5764
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\bsmgqgzqojexycuwp.exe*." | PID:4408

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | PID:4624
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1780
  [2] C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | PID:4948

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe . | PID:4760
  [2] C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe . | PID:3044
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xsqocwtoqpolqyuaxqljh.exe*." | PID:444
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe | PID:3132
  [2] C:\Windows\iczwjcystrplpwrwskeb.exe | iczwjcystrplpwrwskeb.exe | PID:5988

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe . | PID:4996
  [2] C:\Windows\xsqocwtoqpolqyuaxqljh.exe | xsqocwtoqpolqyuaxqljh.exe . | PID:4196
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xsqocwtoqpolqyuaxqljh.exe*." | PID:1196

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe | PID:2968
  [2] C:\Windows\iczwjcystrplpwrwskeb.exe | iczwjcystrplpwrwskeb.exe | PID:688

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe . | PID:2128
  [2] C:\Windows\vokgskfyyvsnqwqupgz.exe | vokgskfyyvsnqwqupgz.exe . | PID:4456
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\vokgskfyyvsnqwqupgz.exe*." | PID:3208

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe | PID:2728
  [2] C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe | C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe | PID:2308

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe . | PID:5008
  [2] C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe . | PID:4856
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\vokgskfyyvsnqwqupgz.exe*." | PID:6072

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | PID:1772
  [2] C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | PID:6112

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe . | PID:1544
  [2] C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe . | PID:4292
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\bsmgqgzqojexycuwp.exe*." | PID:3500
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe | PID:5668
  [2] C:\Windows\bsmgqgzqojexycuwp.exe | bsmgqgzqojexycuwp.exe | PID:5164

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe . | PID:2488
  [2] C:\Windows\xsqocwtoqpolqyuaxqljh.exe | xsqocwtoqpolqyuaxqljh.exe . | PID:5440
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xsqocwtoqpolqyuaxqljh.exe*." | PID:2520

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe | PID:488
  [2] C:\Windows\kcxsduogfbxrtyruoe.exe | kcxsduogfbxrtyruoe.exe | PID:2496

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe . | PID:2420
  [2] C:\Windows\kcxsduogfbxrtyruoe.exe | kcxsduogfbxrtyruoe.exe . | PID:3224
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\kcxsduogfbxrtyruoe.exe*." | PID:5616

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe | PID:4772
  [2] C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe | C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe | PID:1080

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe . | PID:3340
  [2] C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe | C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe . | PID:5684
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ukdwfumcztnffiza.exe*." | PID:5560

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | PID:2016
  [2] C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | PID:3476

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe . | PID:1368
  [2] C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe | C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe . | PID:4704
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\kcxsduogfbxrtyruoe.exe*." | PID:3064
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe | PID:3620
  [2] C:\Windows\bsmgqgzqojexycuwp.exe | bsmgqgzqojexycuwp.exe | PID:420

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe . | PID:5212
  [2] C:\Windows\iczwjcystrplpwrwskeb.exe | iczwjcystrplpwrwskeb.exe . | PID:5528
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\iczwjcystrplpwrwskeb.exe*." | PID:5908

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe | PID:5676
  [2] C:\Windows\bsmgqgzqojexycuwp.exe | bsmgqgzqojexycuwp.exe | PID:872

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe . | PID:3288
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4820
  [2] C:\Windows\iczwjcystrplpwrwskeb.exe | iczwjcystrplpwrwskeb.exe . | PID:4788
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\iczwjcystrplpwrwskeb.exe*." | PID:3960

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | PID:432
  [2] C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | PID:4204

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe . | PID:2492
  [2] C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe . | PID:6068
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xsqocwtoqpolqyuaxqljh.exe*." | PID:5564

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | PID:2028
  [2] C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | PID:5300

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe . | PID:4832
  [2] C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe | C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe . | PID:1416
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\kcxsduogfbxrtyruoe.exe*." | PID:4916
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe | PID:4932
  [2] C:\Windows\iczwjcystrplpwrwskeb.exe | iczwjcystrplpwrwskeb.exe | PID:4976

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe . | PID:5188
  [2] C:\Windows\iczwjcystrplpwrwskeb.exe | iczwjcystrplpwrwskeb.exe . | PID:5196
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\iczwjcystrplpwrwskeb.exe*." | PID:3400

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe | PID:5044
  [2] C:\Windows\iczwjcystrplpwrwskeb.exe | iczwjcystrplpwrwskeb.exe | PID:3728

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe . | PID:4388
  [2] C:\Windows\vokgskfyyvsnqwqupgz.exe | vokgskfyyvsnqwqupgz.exe . | PID:5640
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\vokgskfyyvsnqwqupgz.exe*." | PID:3404

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe | PID:5944
  [2] C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe | C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe | PID:2868

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe . | PID:5932
  [2] C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe . | PID:5988
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\vokgskfyyvsnqwqupgz.exe*." | PID:5396

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | PID:3492
  [2] C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | PID:3568

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe . | PID:2528
  [2] C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe . | PID:2376
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\vokgskfyyvsnqwqupgz.exe*." | PID:4288
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe | PID:5756
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2172
  [2] C:\Windows\bsmgqgzqojexycuwp.exe | bsmgqgzqojexycuwp.exe | PID:1912

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe . | PID:3208
  [2] C:\Windows\vokgskfyyvsnqwqupgz.exe | vokgskfyyvsnqwqupgz.exe . | PID:4080
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\vokgskfyyvsnqwqupgz.exe*." | PID:248

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe | PID:4856
  [2] C:\Windows\ukdwfumcztnffiza.exe | ukdwfumcztnffiza.exe | PID:5024

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe . | PID:4876
  [2] C:\Windows\ukdwfumcztnffiza.exe | ukdwfumcztnffiza.exe . | PID:5032
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ukdwfumcztnffiza.exe*." | PID:5264

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | PID:2836
  [2] C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | PID:772

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe . | PID:5728
  [2] C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe | C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe . | PID:5164
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ukdwfumcztnffiza.exe*." | PID:4160

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe | PID:1168
  [2] C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe | C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe | PID:2608

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe . | PID:4664
  [2] C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe . | PID:1036
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe*." | PID:2948
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe | PID:5060
  [2] C:\Windows\kcxsduogfbxrtyruoe.exe | kcxsduogfbxrtyruoe.exe | PID:2772

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe . | PID:5712
  [2] C:\Windows\kcxsduogfbxrtyruoe.exe | kcxsduogfbxrtyruoe.exe . | PID:4632
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\kcxsduogfbxrtyruoe.exe*." | PID:5472

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe | PID:6084
  [2] C:\Windows\kcxsduogfbxrtyruoe.exe | kcxsduogfbxrtyruoe.exe | PID:4700

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe . | PID:436
  [2] C:\Windows\vokgskfyyvsnqwqupgz.exe | vokgskfyyvsnqwqupgz.exe . | PID:3500
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\vokgskfyyvsnqwqupgz.exe*." | PID:5760

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe | PID:3968
  [2] C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe | C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe | PID:5680

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe . | PID:3104
  [2] C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe . | PID:1976
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\bsmgqgzqojexycuwp.exe*." | PID:2264

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe | PID:5920
  [2] C:\Windows\kcxsduogfbxrtyruoe.exe | kcxsduogfbxrtyruoe.exe | PID:5528

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe | PID:948
  [2] C:\Windows\kcxsduogfbxrtyruoe.exe | kcxsduogfbxrtyruoe.exe | PID:972

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe . | PID:872
  [2] C:\Windows\kcxsduogfbxrtyruoe.exe | kcxsduogfbxrtyruoe.exe . | PID:6052
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\kcxsduogfbxrtyruoe.exe*." | PID:3088

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe . | PID:1732
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:6140
  [2] C:\Windows\kcxsduogfbxrtyruoe.exe | kcxsduogfbxrtyruoe.exe . | PID:5492
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\kcxsduogfbxrtyruoe.exe*." | PID:5976
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | PID:4788
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3960
  [2] C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | PID:3744

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe . | PID:3060
  [2] C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe . | PID:3704
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe*." | PID:6036
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe | PID:4836
  [2] C:\Windows\xsqocwtoqpolqyuaxqljh.exe | xsqocwtoqpolqyuaxqljh.exe | PID:2964

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe | PID:4880
  [2] C:\Windows\xsqocwtoqpolqyuaxqljh.exe | xsqocwtoqpolqyuaxqljh.exe | PID:1852

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe . | PID:2364
  [2] C:\Windows\vokgskfyyvsnqwqupgz.exe | vokgskfyyvsnqwqupgz.exe . | PID:5220
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\vokgskfyyvsnqwqupgz.exe*." | PID:6032

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe . | PID:5308
  [2] C:\Windows\bsmgqgzqojexycuwp.exe | bsmgqgzqojexycuwp.exe . | PID:808
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\bsmgqgzqojexycuwp.exe*." | PID:4392

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | PID:4912
  [2] C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | PID:4608

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | PID:4976
  [2] C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | PID:3684

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe . | PID:2072
  [2] C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe . | PID:5780
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\vokgskfyyvsnqwqupgz.exe*." | PID:5612

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe . | PID:4924
  [2] C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe . | PID:920
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe*." | PID:4208

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | PID:5944
  [2] C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | PID:1776

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | PID:2240
  [2] C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | PID:2308

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe | PID:3992
  [2] C:\Windows\xsqocwtoqpolqyuaxqljh.exe | xsqocwtoqpolqyuaxqljh.exe | PID:2140

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe . | PID:864
  [2] C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe . | PID:5448
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xsqocwtoqpolqyuaxqljh.exe*." | PID:2696

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe . | PID:5112
  [2] C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe . | PID:4236
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe*." | PID:4384

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe . | PID:4872
  [2] C:\Windows\kcxsduogfbxrtyruoe.exe | kcxsduogfbxrtyruoe.exe . | PID:492
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\kcxsduogfbxrtyruoe.exe*." | PID:796

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe | PID:5284
  [2] C:\Windows\xsqocwtoqpolqyuaxqljh.exe | xsqocwtoqpolqyuaxqljh.exe | PID:1772

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe . | PID:2296
  [2] C:\Windows\ukdwfumcztnffiza.exe | ukdwfumcztnffiza.exe . | PID:2408
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ukdwfumcztnffiza.exe*." | PID:3200

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | PID:1844
  [2] C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | PID:3984

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe . | PID:4212
  [2] C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe . | PID:2120
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\bsmgqgzqojexycuwp.exe*." | PID:5064

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | PID:1672
  [2] C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | PID:1136

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe . | PID:824
  [2] C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe | C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe . | PID:5160
    [3] C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ukdwfumcztnffiza.exe*." | PID:1548
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe1⤵PID:3224
-
C:\Windows\xsqocwtoqpolqyuaxqljh.exexsqocwtoqpolqyuaxqljh.exe2⤵PID:1584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe .1⤵PID:4672
-
C:\Windows\iczwjcystrplpwrwskeb.exeiczwjcystrplpwrwskeb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1032 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\iczwjcystrplpwrwskeb.exe*."3⤵PID:4176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe1⤵PID:4740
-
C:\Windows\xsqocwtoqpolqyuaxqljh.exexsqocwtoqpolqyuaxqljh.exe2⤵PID:5508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe .1⤵PID:1176
-
C:\Windows\xsqocwtoqpolqyuaxqljh.exexsqocwtoqpolqyuaxqljh.exe .2⤵PID:5968
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xsqocwtoqpolqyuaxqljh.exe*."3⤵PID:5408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe1⤵PID:1700
-
C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exeC:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe2⤵PID:4228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe .1⤵PID:5816
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5292
-
-
C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exeC:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe .2⤵PID:5648
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ukdwfumcztnffiza.exe*."3⤵PID:4224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe1⤵PID:5608
-
C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exeC:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe2⤵PID:4764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe .1⤵PID:5228
-
C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exeC:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4544 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\kcxsduogfbxrtyruoe.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:544
-
-
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe | 1⤵ | PID:4204
  C:\Windows\xsqocwtoqpolqyuaxqljh.exe | xsqocwtoqpolqyuaxqljh.exe | 2⤵ | PID:2220

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe . | 1⤵ | PID:1856
  C:\Windows\kcxsduogfbxrtyruoe.exe | kcxsduogfbxrtyruoe.exe . | 2⤵ | PID:5580
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\kcxsduogfbxrtyruoe.exe*." | 3⤵ | PID:2940

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe | 1⤵ | PID:5404
  C:\Windows\xsqocwtoqpolqyuaxqljh.exe | xsqocwtoqpolqyuaxqljh.exe | 2⤵ | PID:3956

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe . | 1⤵ | PID:3156
  C:\Windows\ukdwfumcztnffiza.exe | ukdwfumcztnffiza.exe . | 2⤵ | PID:5072
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ukdwfumcztnffiza.exe*." | 3⤵ | PID:6136

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | 1⤵ | PID:2036
  C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | 2⤵ | PID:5116

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe . | 1⤵ | PID:5304
  C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe . | 2⤵ | PID:6040
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\bsmgqgzqojexycuwp.exe*." | 3⤵ | PID:2592

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | 1⤵ | PID:4732
  C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | 2⤵ | PID:2320

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe . | 1⤵ | PID:2060
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | 2⤵ | PID:5220
  C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe . | 2⤵ | PID:1056
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe*." | 3⤵ | PID:2056
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe | 1⤵ | PID:4488
  C:\Windows\kcxsduogfbxrtyruoe.exe | kcxsduogfbxrtyruoe.exe | 2⤵ | PID:4308

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe . | 1⤵ | PID:4832
  C:\Windows\kcxsduogfbxrtyruoe.exe | kcxsduogfbxrtyruoe.exe . | 2⤵ | PID:5744
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\kcxsduogfbxrtyruoe.exe*." | 3⤵ | PID:1780

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe | 1⤵ | PID:4208
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | 2⤵ | PID:4916
  C:\Windows\kcxsduogfbxrtyruoe.exe | kcxsduogfbxrtyruoe.exe | 2⤵ | PID:4656

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe . | 1⤵ | PID:2340
  C:\Windows\xsqocwtoqpolqyuaxqljh.exe | xsqocwtoqpolqyuaxqljh.exe . | 2⤵ | PID:2876
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xsqocwtoqpolqyuaxqljh.exe*." | 3⤵ | PID:1640

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | 1⤵ | PID:3796
  C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | 2⤵ | PID:5792

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe . | 1⤵ | PID:4168
  C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe . | 2⤵ | PID:3112
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe*." | 3⤵ | PID:2172

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe | 1⤵ | PID:4604
  C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe | C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe | 2⤵ | PID:2848

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe . | 1⤵ | PID:4236
  C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe . | 2⤵ | PID:1068
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xsqocwtoqpolqyuaxqljh.exe*." | 3⤵ | PID:248
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe | 1⤵ | PID:3876
  C:\Windows\ukdwfumcztnffiza.exe | ukdwfumcztnffiza.exe | 2⤵ | PID:2148

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe . | 1⤵ | PID:5008
  C:\Windows\iczwjcystrplpwrwskeb.exe | iczwjcystrplpwrwskeb.exe . | 2⤵ | PID:2104
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\iczwjcystrplpwrwskeb.exe*." | 3⤵ | PID:2408

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe | 1⤵ | PID:5868
  C:\Windows\bsmgqgzqojexycuwp.exe | bsmgqgzqojexycuwp.exe | 2⤵ | PID:4876

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe . | 1⤵ | PID:5692
  C:\Windows\iczwjcystrplpwrwskeb.exe | iczwjcystrplpwrwskeb.exe . | 2⤵ | PID:5728
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\iczwjcystrplpwrwskeb.exe*." | 3⤵ | PID:5064

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | 1⤵ | PID:2380
  C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | 2⤵ | PID:1136

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe . | 1⤵ | PID:924
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | 2⤵ | PID:5440
  C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe | C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe . | 2⤵ | PID:6008
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\kcxsduogfbxrtyruoe.exe*." | 3⤵ | PID:1940

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe | 1⤵ | PID:5684
  C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe | C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe | 2⤵ | PID:5992
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe . | 1⤵ | PID:3908
  C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe . | 2⤵ | PID:5272
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe*." | 3⤵ | PID:5680
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - System Location Discovery: System Language Discovery
      - System policy modification
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:2404
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:4868
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:5276
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:2160
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:4772
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:5028
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:3420
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:6064
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:4404
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:920
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:240
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:2436
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:1324
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:6060
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:5152
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:3476
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:248
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:1488
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:1980
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:2192
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:332
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:1844
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:2776
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:4960
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:3008
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:5044
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:4344
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:812
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:3552
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:3772
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:5640
      C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe | "C:\Users\Admin\AppData\Local\Temp\uhotvhk.exe" "-c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe" | 4⤵ | PID:4944
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tpftezlithjdvvyp.exe | 1⤵ | PID:3636
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | 2⤵ | PID:3476
  C:\Windows\tpftezlithjdvvyp.exe | tpftezlithjdvvyp.exe | 2⤵ | PID:4228
    - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wxslbbsukdkjgltpvsklg.exe . | 1⤵ | PID:5572
  C:\Windows\wxslbbsukdkjgltpvsklg.exe | wxslbbsukdkjgltpvsklg.exe . | 2⤵ | PID:2016
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\wxslbbsukdkjgltpvsklg.exe*." | 3⤵ | PID:5760
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wxslbbsukdkjgltpvsklg.exe | 1⤵ | PID:1936
  C:\Windows\wxslbbsukdkjgltpvsklg.exe | wxslbbsukdkjgltpvsklg.exe | 2⤵ | PID:5288

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c axodplywixavoptln.exe . | 1⤵ | PID:5420
  C:\Windows\axodplywixavoptln.exe | axodplywixavoptln.exe . | 2⤵ | PID:4028
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\axodplywixavoptln.exe*." | 3⤵ | PID:2468

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axodplywixavoptln.exe | 1⤵ | PID:6012
  C:\Users\Admin\AppData\Local\Temp\axodplywixavoptln.exe | C:\Users\Admin\AppData\Local\Temp\axodplywixavoptln.exe | 2⤵ | PID:5904

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhbtihxynfljfjqlqmdd.exe . | 1⤵ | PID:948
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | 2⤵ | PID:5908
  C:\Users\Admin\AppData\Local\Temp\hhbtihxynfljfjqlqmdd.exe | C:\Users\Admin\AppData\Local\Temp\hhbtihxynfljfjqlqmdd.exe . | 2⤵ | PID:1128
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\hhbtihxynfljfjqlqmdd.exe*." | 3⤵ | PID:4304

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe | 1⤵ | PID:5492
  C:\Windows\ukdwfumcztnffiza.exe | ukdwfumcztnffiza.exe | 2⤵ | PID:3756

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe . | 1⤵ | PID:3764
  C:\Windows\bsmgqgzqojexycuwp.exe | bsmgqgzqojexycuwp.exe . | 2⤵ | PID:2496
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\bsmgqgzqojexycuwp.exe*." | 3⤵ | PID:2472

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxslbbsukdkjgltpvsklg.exe | 1⤵ | PID:1804
  C:\Users\Admin\AppData\Local\Temp\wxslbbsukdkjgltpvsklg.exe | C:\Users\Admin\AppData\Local\Temp\wxslbbsukdkjgltpvsklg.exe | 2⤵ | PID:2492

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpftezlithjdvvyp.exe . | 1⤵ | PID:5116
  C:\Users\Admin\AppData\Local\Temp\tpftezlithjdvvyp.exe | C:\Users\Admin\AppData\Local\Temp\tpftezlithjdvvyp.exe . | 2⤵ | PID:5108
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\tpftezlithjdvvyp.exe*." | 3⤵ | PID:4476

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe | 1⤵ | PID:2964
  C:\Windows\vokgskfyyvsnqwqupgz.exe | vokgskfyyvsnqwqupgz.exe | 2⤵ | PID:3352

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe . | 1⤵ | PID:2196
  C:\Windows\ukdwfumcztnffiza.exe | ukdwfumcztnffiza.exe . | 2⤵ | PID:5088
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ukdwfumcztnffiza.exe*." | 3⤵ | PID:4376

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | 1⤵ | PID:4768
  C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | 2⤵ | PID:3020

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe . | 1⤵ | PID:3516
  C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe . | 2⤵ | PID:784
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\bsmgqgzqojexycuwp.exe*." | 3⤵ | PID:1736

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe | 1⤵ | PID:4848
  C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe | C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe | 2⤵ | PID:1476

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe . | 1⤵ | PID:3528
  C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe . | 2⤵ | PID:2632
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\vokgskfyyvsnqwqupgz.exe*." | 3⤵ | PID:5884
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe | 1⤵ | PID:2628
  C:\Windows\kcxsduogfbxrtyruoe.exe | kcxsduogfbxrtyruoe.exe | 2⤵ | PID:5944

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe . | 1⤵ | PID:3832
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | 2⤵ | PID:2140
  C:\Windows\kcxsduogfbxrtyruoe.exe | kcxsduogfbxrtyruoe.exe . | 2⤵ | PID:4904
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\kcxsduogfbxrtyruoe.exe*." | 3⤵ | PID:3568

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe | 1⤵ | PID:5132
  C:\Windows\vokgskfyyvsnqwqupgz.exe | vokgskfyyvsnqwqupgz.exe | 2⤵ | PID:6072

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe | 1⤵ | PID:1348
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | 2⤵ | PID:5448
  C:\Windows\iczwjcystrplpwrwskeb.exe | iczwjcystrplpwrwskeb.exe | 2⤵ | PID:3596

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe | 1⤵ | PID:6108
  C:\Windows\bsmgqgzqojexycuwp.exe | bsmgqgzqojexycuwp.exe | 2⤵ | PID:1880

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe . | 1⤵ | PID:5112
  C:\Windows\kcxsduogfbxrtyruoe.exe | kcxsduogfbxrtyruoe.exe . | 2⤵ | PID:5916
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\kcxsduogfbxrtyruoe.exe*." | 3⤵ | PID:5956

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe . | 1⤵ | PID:864
  C:\Windows\bsmgqgzqojexycuwp.exe | bsmgqgzqojexycuwp.exe . | 2⤵ | PID:2672
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\bsmgqgzqojexycuwp.exe*." | 3⤵ | PID:1080

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe . | 1⤵ | PID:952
  C:\Windows\vokgskfyyvsnqwqupgz.exe | vokgskfyyvsnqwqupgz.exe . | 2⤵ | PID:1492
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\vokgskfyyvsnqwqupgz.exe*." | 3⤵ | PID:2256

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe | 1⤵ | PID:1772
  C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe | C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe | 2⤵ | PID:5284

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe . | 1⤵ | PID:5996
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | 2⤵ | PID:5024
  C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe . | 2⤵ | PID:6120
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe*." | 3⤵ | PID:4228
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe | 1⤵ | PID:2836
  C:\Windows\xsqocwtoqpolqyuaxqljh.exe | xsqocwtoqpolqyuaxqljh.exe | 2⤵ | PID:488

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe | 1⤵ | PID:3108
  C:\Windows\bsmgqgzqojexycuwp.exe | bsmgqgzqojexycuwp.exe | 2⤵ | PID:5128

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe . | 1⤵ | PID:1136
  C:\Windows\iczwjcystrplpwrwskeb.exe | iczwjcystrplpwrwskeb.exe . | 2⤵ | PID:2360
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\iczwjcystrplpwrwskeb.exe*." | 3⤵ | PID:1428

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe . | 1⤵ | PID:5172
  C:\Windows\ukdwfumcztnffiza.exe | ukdwfumcztnffiza.exe . | 2⤵ | PID:4632
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ukdwfumcztnffiza.exe*." | 3⤵ | PID:3724

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | 1⤵ | PID:2536
  C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | 2⤵ | PID:6080

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | 1⤵ | PID:1460
  C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe | 2⤵ | PID:4544

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | 1⤵ | PID:2932
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | 2⤵ | PID:6008
  C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | 2⤵ | PID:1936

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe . | 1⤵ | PID:2784
  C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe . | 2⤵ | PID:5232
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe*." | 3⤵ | PID:3060

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe . | 1⤵ | PID:5616
  C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe | C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe . | 2⤵ | PID:2220
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\kcxsduogfbxrtyruoe.exe*." | 3⤵ | PID:2036

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe . | 1⤵ | PID:2968
  C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe . | 2⤵ | PID:2580
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe*." | 3⤵ | PID:4376
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c utmdrpeesjolgjpjniy.exe | 1⤵ | PID:3932
  C:\Windows\utmdrpeesjolgjpjniy.exe | utmdrpeesjolgjpjniy.exe | 2⤵ | PID:2472
    - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | 1⤵ | PID:1472
  C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | 2⤵ | PID:2060

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | 1⤵ | PID:3176
  C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | 2⤵ | PID:4008

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tpftezlithjdvvyp.exe . | 1⤵ | PID:1784
  C:\Windows\tpftezlithjdvvyp.exe | tpftezlithjdvvyp.exe . | 2⤵ | PID:3104
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\tpftezlithjdvvyp.exe*." | 3⤵ | PID:5148

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe . | 1⤵ | PID:676
  C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe . | 2⤵ | PID:5084
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe*." | 3⤵ | PID:5716

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe . | 1⤵ | PID:3088
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | 2⤵ | PID:5492
  C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe | C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe . | 2⤵ | PID:5836
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ukdwfumcztnffiza.exe*." | 3⤵ | PID:5856

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c axodplywixavoptln.exe | 1⤵ | PID:3752
  C:\Windows\axodplywixavoptln.exe | axodplywixavoptln.exe | 2⤵ | PID:1056

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe | 1⤵ | PID:3396
  C:\Windows\kcxsduogfbxrtyruoe.exe | kcxsduogfbxrtyruoe.exe | 2⤵ | PID:5844

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c axodplywixavoptln.exe . | 1⤵ | PID:4468
  C:\Windows\axodplywixavoptln.exe | axodplywixavoptln.exe . | 2⤵ | PID:4620
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\axodplywixavoptln.exe*." | 3⤵ | PID:1640

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\utmdrpeesjolgjpjniy.exe | 1⤵ | PID:4472
  C:\Users\Admin\AppData\Local\Temp\utmdrpeesjolgjpjniy.exe | C:\Users\Admin\AppData\Local\Temp\utmdrpeesjolgjpjniy.exe | 2⤵ | PID:4208

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe . | 1⤵ | PID:2868
  C:\Windows\vokgskfyyvsnqwqupgz.exe | vokgskfyyvsnqwqupgz.exe . | 2⤵ | PID:576
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\vokgskfyyvsnqwqupgz.exe*." | 3⤵ | PID:4168

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpftezlithjdvvyp.exe . | 1⤵ | PID:2596
  C:\Users\Admin\AppData\Local\Temp\tpftezlithjdvvyp.exe | C:\Users\Admin\AppData\Local\Temp\tpftezlithjdvvyp.exe . | 2⤵ | PID:4196
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\tpftezlithjdvvyp.exe*." | 3⤵ | PID:1696

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe | 1⤵ | PID:5256
  C:\Windows\bsmgqgzqojexycuwp.exe | bsmgqgzqojexycuwp.exe | 2⤵ | PID:5764

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe . | 1⤵ | PID:3948
  C:\Windows\bsmgqgzqojexycuwp.exe | bsmgqgzqojexycuwp.exe . | 2⤵ | PID:4460
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\bsmgqgzqojexycuwp.exe*." | 3⤵ | PID:492

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | 1⤵ | PID:5944
  C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | 2⤵ | PID:1068

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpftezlithjdvvyp.exe | 1⤵ | PID:4400
  C:\Users\Admin\AppData\Local\Temp\tpftezlithjdvvyp.exe | C:\Users\Admin\AppData\Local\Temp\tpftezlithjdvvyp.exe | 2⤵ | PID:2696

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe . | 1⤵ | PID:4580
  C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe . | 2⤵ | PID:992
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\vokgskfyyvsnqwqupgz.exe*." | 3⤵ | PID:4088

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxslbbsukdkjgltpvsklg.exe . | 1⤵ | PID:2056
  C:\Users\Admin\AppData\Local\Temp\wxslbbsukdkjgltpvsklg.exe | C:\Users\Admin\AppData\Local\Temp\wxslbbsukdkjgltpvsklg.exe . | 2⤵ | PID:5576
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\wxslbbsukdkjgltpvsklg.exe*." | 3⤵ | PID:4292
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | 1⤵ | PID:4384
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | 2⤵ | PID:2376
  C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe | 2⤵ | PID:3492

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe . | 1⤵ | PID:772
  C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe | C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe . | 2⤵ | PID:1584
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ukdwfumcztnffiza.exe*." | 3⤵ | PID:6096
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe | 1⤵ | PID:2836
  C:\Windows\iczwjcystrplpwrwskeb.exe | iczwjcystrplpwrwskeb.exe | 2⤵ | PID:2832

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe . | 1⤵ | PID:3304
  C:\Windows\vokgskfyyvsnqwqupgz.exe | vokgskfyyvsnqwqupgz.exe . | 2⤵ | PID:1624
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\vokgskfyyvsnqwqupgz.exe*." | 3⤵ | PID:244

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe | 1⤵ | PID:1400
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | 2⤵ | PID:4160
  C:\Windows\xsqocwtoqpolqyuaxqljh.exe | xsqocwtoqpolqyuaxqljh.exe | 2⤵ | PID:5276

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe . | 1⤵ | PID:2748
  C:\Windows\kcxsduogfbxrtyruoe.exe | kcxsduogfbxrtyruoe.exe . | 2⤵ | PID:3812
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\kcxsduogfbxrtyruoe.exe*." | 3⤵ | PID:328

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | 1⤵ | PID:4820
  C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe | 2⤵ | PID:332

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe . | 1⤵ | PID:2280
  C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe | C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe . | 2⤵ | PID:3660
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\vokgskfyyvsnqwqupgz.exe*." | 3⤵ | PID:5572

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe | 1⤵ | PID:1344
  C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe | C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe | 2⤵ | PID:5300

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe . | 1⤵ | PID:4672
  C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe | C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe . | 2⤵ | PID:2472
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe | "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\kcxsduogfbxrtyruoe.exe*." | 3⤵ | PID:5056
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe | 1⤵ | PID:5336
  C:\Windows\xsqocwtoqpolqyuaxqljh.exe | xsqocwtoqpolqyuaxqljh.exe | 2⤵ | PID:2036

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe . | 1⤵ | PID:5740
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | 2⤵ | PID:1136
  C:\Windows\vokgskfyyvsnqwqupgz.exe | vokgskfyyvsnqwqupgz.exe . | 2⤵ | PID:5748
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\vokgskfyyvsnqwqupgz.exe*."3⤵PID:6076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe1⤵PID:3860
-
C:\Windows\kcxsduogfbxrtyruoe.exekcxsduogfbxrtyruoe.exe2⤵PID:4376
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe .1⤵PID:2780
-
C:\Windows\bsmgqgzqojexycuwp.exebsmgqgzqojexycuwp.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3404 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\bsmgqgzqojexycuwp.exe*."3⤵PID:360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe1⤵PID:2288
-
C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exeC:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe2⤵PID:4712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .1⤵PID:2468
-
C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exeC:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .2⤵PID:2020
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\bsmgqgzqojexycuwp.exe*."3⤵PID:1612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe1⤵PID:1476
-
C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exeC:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe2⤵PID:4484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .1⤵PID:2064
-
C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exeC:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .2⤵PID:5552
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\bsmgqgzqojexycuwp.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
PID:4848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe1⤵PID:3244
-
C:\Windows\kcxsduogfbxrtyruoe.exekcxsduogfbxrtyruoe.exe2⤵PID:2136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe .1⤵PID:4868
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2876
-
-
C:\Windows\ukdwfumcztnffiza.exeukdwfumcztnffiza.exe .2⤵PID:4032
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ukdwfumcztnffiza.exe*."3⤵PID:1880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe1⤵PID:3080
-
C:\Windows\xsqocwtoqpolqyuaxqljh.exexsqocwtoqpolqyuaxqljh.exe2⤵PID:4168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe .1⤵PID:5420
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5904
-
-
C:\Windows\ukdwfumcztnffiza.exeukdwfumcztnffiza.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4956 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ukdwfumcztnffiza.exe*."3⤵PID:6108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe1⤵PID:2192
-
C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exeC:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe2⤵PID:2972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe .1⤵PID:2696
-
C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exeC:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\vokgskfyyvsnqwqupgz.exe*."3⤵PID:2660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe1⤵PID:3568
-
C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exeC:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe2⤵PID:5096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe .1⤵PID:2596
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5640
-
-
C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exeC:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe .2⤵PID:224
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\vokgskfyyvsnqwqupgz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe1⤵PID:4292
-
C:\Windows\xsqocwtoqpolqyuaxqljh.exexsqocwtoqpolqyuaxqljh.exe2⤵PID:2340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe .1⤵PID:3008
-
C:\Windows\vokgskfyyvsnqwqupgz.exevokgskfyyvsnqwqupgz.exe .2⤵PID:2172
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\vokgskfyyvsnqwqupgz.exe*."3⤵PID:2804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe1⤵PID:3528
-
C:\Windows\vokgskfyyvsnqwqupgz.exevokgskfyyvsnqwqupgz.exe2⤵PID:844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe .1⤵PID:4384
-
C:\Windows\ukdwfumcztnffiza.exeukdwfumcztnffiza.exe .2⤵PID:5684
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ukdwfumcztnffiza.exe*."3⤵PID:3776
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe1⤵PID:2356
-
C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exeC:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe2⤵PID:248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe .1⤵PID:568
-
C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exeC:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4356 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xsqocwtoqpolqyuaxqljh.exe*."3⤵PID:864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe1⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exeC:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe2⤵PID:5324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe .1⤵PID:4656
-
C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exeC:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1048 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe1⤵PID:3724
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5580
-
-
C:\Windows\iczwjcystrplpwrwskeb.exeiczwjcystrplpwrwskeb.exe2⤵PID:1808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe .1⤵PID:2552
-
C:\Windows\xsqocwtoqpolqyuaxqljh.exexsqocwtoqpolqyuaxqljh.exe .2⤵PID:1396
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xsqocwtoqpolqyuaxqljh.exe*."3⤵PID:5340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe1⤵PID:1548
-
C:\Windows\vokgskfyyvsnqwqupgz.exevokgskfyyvsnqwqupgz.exe2⤵PID:4220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe .1⤵PID:1940
-
C:\Windows\kcxsduogfbxrtyruoe.exekcxsduogfbxrtyruoe.exe .2⤵PID:3772
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\kcxsduogfbxrtyruoe.exe*."3⤵PID:6064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe1⤵PID:5992
-
C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exeC:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe2⤵PID:1168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .1⤵PID:1856
-
C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exeC:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .2⤵PID:5048
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\bsmgqgzqojexycuwp.exe*."3⤵PID:5072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe1⤵PID:5336
-
C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exeC:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe2⤵PID:5108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe .1⤵PID:4828
-
C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exeC:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe .2⤵PID:436
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe1⤵PID:5560
-
C:\Windows\xsqocwtoqpolqyuaxqljh.exexsqocwtoqpolqyuaxqljh.exe2⤵PID:4540
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe .1⤵PID:3360
-
C:\Windows\ukdwfumcztnffiza.exeukdwfumcztnffiza.exe .2⤵PID:2020
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ukdwfumcztnffiza.exe*."3⤵PID:5508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe1⤵PID:5648
-
C:\Windows\xsqocwtoqpolqyuaxqljh.exexsqocwtoqpolqyuaxqljh.exe2⤵PID:3960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe .1⤵PID:5260
-
C:\Windows\iczwjcystrplpwrwskeb.exeiczwjcystrplpwrwskeb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3752 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\iczwjcystrplpwrwskeb.exe*."3⤵PID:5136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe1⤵PID:4732
-
C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exeC:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe2⤵PID:4404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe1⤵PID:5212
-
C:\Windows\kcxsduogfbxrtyruoe.exekcxsduogfbxrtyruoe.exe2⤵PID:4760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe .1⤵PID:812
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5764
-
-
C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exeC:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4812 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xsqocwtoqpolqyuaxqljh.exe*."3⤵PID:4168
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe1⤵PID:2996
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3020
-
-
C:\Windows\iczwjcystrplpwrwskeb.exeiczwjcystrplpwrwskeb.exe2⤵PID:1224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe .1⤵PID:6068
-
C:\Windows\kcxsduogfbxrtyruoe.exekcxsduogfbxrtyruoe.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3832 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\kcxsduogfbxrtyruoe.exe*."3⤵PID:2192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe .1⤵PID:4480
-
C:\Windows\ukdwfumcztnffiza.exeukdwfumcztnffiza.exe .2⤵PID:5496
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ukdwfumcztnffiza.exe*."3⤵PID:4848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe1⤵PID:1976
-
C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exeC:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe2⤵PID:4932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe1⤵PID:3352
-
C:\Windows\ukdwfumcztnffiza.exeukdwfumcztnffiza.exe2⤵PID:6020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe .1⤵PID:4468
-
C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exeC:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4856 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xsqocwtoqpolqyuaxqljh.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe1⤵PID:6032
-
C:\Windows\iczwjcystrplpwrwskeb.exeiczwjcystrplpwrwskeb.exe2⤵PID:2340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe .1⤵PID:4756
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5916
-
-
C:\Windows\kcxsduogfbxrtyruoe.exekcxsduogfbxrtyruoe.exe .2⤵PID:4616
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\kcxsduogfbxrtyruoe.exe*."3⤵PID:844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe .1⤵PID:2120
-
C:\Windows\vokgskfyyvsnqwqupgz.exevokgskfyyvsnqwqupgz.exe .2⤵PID:1600
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\vokgskfyyvsnqwqupgz.exe*."3⤵PID:5500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe1⤵PID:484
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2056
-
-
C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exeC:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe2⤵PID:3760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe .1⤵PID:5112
-
C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exeC:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe .2⤵PID:952
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\iczwjcystrplpwrwskeb.exe*."3⤵PID:4876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe1⤵PID:4816
-
C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exeC:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe2⤵PID:2956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .1⤵PID:5684
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1032
-
-
C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exeC:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3200 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\bsmgqgzqojexycuwp.exe*."3⤵PID:6128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe1⤵PID:1028
-
C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exeC:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe2⤵PID:5968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe1⤵PID:3152
-
C:\Windows\kcxsduogfbxrtyruoe.exekcxsduogfbxrtyruoe.exe2⤵PID:1396
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c utmdrpeesjolgjpjniy.exe1⤵PID:2012
-
C:\Windows\utmdrpeesjolgjpjniy.exeutmdrpeesjolgjpjniy.exe2⤵PID:5572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe1⤵PID:5392
-
C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exeC:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe2⤵PID:1732
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .1⤵PID:6080
-
C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exeC:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .2⤵PID:3184
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\bsmgqgzqojexycuwp.exe*."3⤵PID:3552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe .1⤵PID:5332
-
C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exeC:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe .2⤵PID:1260
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\kcxsduogfbxrtyruoe.exe*."3⤵PID:3420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c utmdrpeesjolgjpjniy.exe .1⤵PID:4204
-
C:\Windows\utmdrpeesjolgjpjniy.exeutmdrpeesjolgjpjniy.exe .2⤵PID:5712
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\utmdrpeesjolgjpjniy.exe*."3⤵PID:5736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe .1⤵PID:5976
-
C:\Windows\bsmgqgzqojexycuwp.exebsmgqgzqojexycuwp.exe .2⤵PID:2496
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\bsmgqgzqojexycuwp.exe*."3⤵PID:5868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhzpcznmzptpjlqjmg.exe1⤵PID:6096
-
C:\Windows\jhzpcznmzptpjlqjmg.exejhzpcznmzptpjlqjmg.exe2⤵
- System Location Discovery: System Language Discovery
PID:2028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe1⤵PID:872
-
C:\Windows\iczwjcystrplpwrwskeb.exeiczwjcystrplpwrwskeb.exe2⤵PID:1200
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe .1⤵PID:5416
-
C:\Windows\vokgskfyyvsnqwqupgz.exevokgskfyyvsnqwqupgz.exe .2⤵PID:4584
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\vokgskfyyvsnqwqupgz.exe*."3⤵PID:544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhzpcznmzptpjlqjmg.exe .1⤵PID:3636
-
C:\Windows\jhzpcznmzptpjlqjmg.exejhzpcznmzptpjlqjmg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:6100 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\jhzpcznmzptpjlqjmg.exe*."3⤵PID:3960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axodplywixavoptln.exe1⤵PID:6076
-
C:\Users\Admin\AppData\Local\Temp\axodplywixavoptln.exeC:\Users\Admin\AppData\Local\Temp\axodplywixavoptln.exe2⤵PID:3360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe1⤵PID:5104
-
C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exeC:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe2⤵PID:4832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe .1⤵PID:5540
-
C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exeC:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe .2⤵PID:2984
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\vokgskfyyvsnqwqupgz.exe*."3⤵PID:1416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhzpcznmzptpjlqjmg.exe .1⤵PID:3016
-
C:\Users\Admin\AppData\Local\Temp\jhzpcznmzptpjlqjmg.exeC:\Users\Admin\AppData\Local\Temp\jhzpcznmzptpjlqjmg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4396 -
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\jhzpcznmzptpjlqjmg.exe*."3⤵PID:4608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe1⤵PID:5552
-
C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exeC:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe2⤵PID:3428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axodplywixavoptln.exe1⤵PID:920
-
C:\Users\Admin\AppData\Local\Temp\axodplywixavoptln.exeC:\Users\Admin\AppData\Local\Temp\axodplywixavoptln.exe2⤵PID:5852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .1⤵PID:2564
-
C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exeC:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .2⤵PID:5320
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\bsmgqgzqojexycuwp.exe*."3⤵PID:4620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpftezlithjdvvyp.exe .1⤵PID:4788
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3500
-
-
C:\Users\Admin\AppData\Local\Temp\tpftezlithjdvvyp.exeC:\Users\Admin\AppData\Local\Temp\tpftezlithjdvvyp.exe .2⤵PID:2100
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\tpftezlithjdvvyp.exe*."3⤵PID:576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe1⤵PID:4304
-
C:\Windows\vokgskfyyvsnqwqupgz.exevokgskfyyvsnqwqupgz.exe2⤵PID:472
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe .1⤵PID:3596
-
C:\Windows\kcxsduogfbxrtyruoe.exekcxsduogfbxrtyruoe.exe .2⤵PID:6004
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\kcxsduogfbxrtyruoe.exe*."3⤵PID:3860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe1⤵PID:580
-
C:\Windows\vokgskfyyvsnqwqupgz.exevokgskfyyvsnqwqupgz.exe2⤵PID:2040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe .1⤵PID:3352
-
C:\Windows\iczwjcystrplpwrwskeb.exeiczwjcystrplpwrwskeb.exe .2⤵PID:5284
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\iczwjcystrplpwrwskeb.exe*."3⤵PID:4460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe1⤵PID:224
-
C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exeC:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe2⤵PID:4860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .1⤵PID:4948
-
C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exeC:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .2⤵PID:4296
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\bsmgqgzqojexycuwp.exe*."3⤵PID:4924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe1⤵PID:2196
-
C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exeC:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe2⤵PID:5200
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe .1⤵PID:2444
-
C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exeC:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe .2⤵PID:1492
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\kcxsduogfbxrtyruoe.exe*."3⤵PID:4288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe1⤵PID:2332
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2120
-
-
C:\Windows\ukdwfumcztnffiza.exeukdwfumcztnffiza.exe2⤵PID:1824
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe .1⤵PID:3740
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5884
-
-
C:\Windows\ukdwfumcztnffiza.exeukdwfumcztnffiza.exe .2⤵PID:3200
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ukdwfumcztnffiza.exe*."3⤵PID:4764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe1⤵PID:444
-
C:\Windows\ukdwfumcztnffiza.exeukdwfumcztnffiza.exe2⤵PID:4080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe .1⤵PID:5684
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5288
-
-
C:\Windows\vokgskfyyvsnqwqupgz.exevokgskfyyvsnqwqupgz.exe .2⤵PID:3284
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\vokgskfyyvsnqwqupgz.exe*."3⤵PID:5068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe1⤵PID:3512
-
C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exeC:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe2⤵PID:5392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe .1⤵PID:2012
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4656
-
-
C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exeC:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe .2⤵PID:2016
-
C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe"C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\xsqocwtoqpolqyuaxqljh.exe*."3⤵PID:3252
-
-
-
PID 5404  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe
  PID 1168  image: C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe

PID 3716  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe .
  PID 4544  image: C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe .
    PID 1916  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\vokgskfyyvsnqwqupgz.exe*."

PID 5232  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe
  PID 3224  image: C:\Windows\ukdwfumcztnffiza.exe  cmdline: ukdwfumcztnffiza.exe

PID 2748  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe .
  PID 1548  image: C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 1856  image: C:\Windows\ukdwfumcztnffiza.exe  cmdline: ukdwfumcztnffiza.exe .
    PID 5072  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ukdwfumcztnffiza.exe*."

PID 2252  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe
  PID 696  image: C:\Windows\iczwjcystrplpwrwskeb.exe  cmdline: iczwjcystrplpwrwskeb.exe

PID 3556  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe .
  PID 4484  image: C:\Windows\vokgskfyyvsnqwqupgz.exe  cmdline: vokgskfyyvsnqwqupgz.exe .
    PID 1472  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\vokgskfyyvsnqwqupgz.exe*."

PID 4832  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe
  PID 6100  image: C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe

PID 1400  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe .
  PID 5380  image: C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe .
    PID 3516  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\vokgskfyyvsnqwqupgz.exe*."

PID 4680  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe
  PID 4844  image: C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe

PID 2316  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe .
  PID 4836  image: C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe .
    PID 1000  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\vokgskfyyvsnqwqupgz.exe*."
PID 360  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe
  PID 3428  image: C:\Windows\ukdwfumcztnffiza.exe  cmdline: ukdwfumcztnffiza.exe

PID 5840  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe .
  PID 2940  image: C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 5148  image: C:\Windows\bsmgqgzqojexycuwp.exe  cmdline: bsmgqgzqojexycuwp.exe .
    PID 2136  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\bsmgqgzqojexycuwp.exe*."

PID 2072  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe
  PID 1224  image: C:\Windows\xsqocwtoqpolqyuaxqljh.exe  cmdline: xsqocwtoqpolqyuaxqljh.exe

PID 2564  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe .
  PID 4556  image: C:\Windows\xsqocwtoqpolqyuaxqljh.exe  cmdline: xsqocwtoqpolqyuaxqljh.exe .
    PID 2660  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xsqocwtoqpolqyuaxqljh.exe*."

PID 1696  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe
  PID 5700  image: C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe

PID 5940  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe .
  PID 4932  image: C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe .
    PID 5720  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ukdwfumcztnffiza.exe*."

PID 6004  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe
  PID 4244  image: C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe

PID 5316  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe .
  PID 796  image: C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 4480  image: C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe .
    PID 4856  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\vokgskfyyvsnqwqupgz.exe*."

PID 2340  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe
  PID 5196  image: C:\Windows\bsmgqgzqojexycuwp.exe  cmdline: bsmgqgzqojexycuwp.exe

PID 5576  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe .
  PID 1156  image: C:\Windows\vokgskfyyvsnqwqupgz.exe  cmdline: vokgskfyyvsnqwqupgz.exe .
    PID 4620  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\vokgskfyyvsnqwqupgz.exe*."
PID 3872  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe
  PID 4360  image: C:\Windows\ukdwfumcztnffiza.exe  cmdline: ukdwfumcztnffiza.exe

PID 1488  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe .
  PID 5188  image: C:\Windows\vokgskfyyvsnqwqupgz.exe  cmdline: vokgskfyyvsnqwqupgz.exe .
    PID 332  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\vokgskfyyvsnqwqupgz.exe*."

PID 3124  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe
  PID 5156  image: C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe

PID 6128  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .
  PID 5388  image: C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .
    PID 5968  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\bsmgqgzqojexycuwp.exe*."

PID 1028  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe
  PID 952  image: C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\iczwjcystrplpwrwskeb.exe

PID 2360  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe .
  PID 688  image: C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe .
    PID 5112  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ukdwfumcztnffiza.exe*."

PID 3848  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe
  PID 2016  image: C:\Windows\ukdwfumcztnffiza.exe  cmdline: ukdwfumcztnffiza.exe

PID 6120  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe .
  PID 4740  image: C:\Windows\bsmgqgzqojexycuwp.exe  cmdline: bsmgqgzqojexycuwp.exe .
    PID 5272  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\bsmgqgzqojexycuwp.exe*."

PID 5228  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe
  PID 5064  image: C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 5996  image: C:\Windows\vokgskfyyvsnqwqupgz.exe  cmdline: vokgskfyyvsnqwqupgz.exe

PID 1428  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe .
  PID 2400  image: C:\Windows\kcxsduogfbxrtyruoe.exe  cmdline: kcxsduogfbxrtyruoe.exe .
    PID 2772  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\kcxsduogfbxrtyruoe.exe*."
PID 1392  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe
  PID 2160  image: C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe

PID 4028  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .
  PID 2948  image: C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .
    PID 4076  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\bsmgqgzqojexycuwp.exe*."

PID 2496  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c iczwjcystrplpwrwskeb.exe
  PID 4584  image: C:\Windows\iczwjcystrplpwrwskeb.exe  cmdline: iczwjcystrplpwrwskeb.exe

PID 5976  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe
  PID 2472  image: C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 2968  image: C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe

PID 4484  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe
  PID 3360  image: C:\Windows\xsqocwtoqpolqyuaxqljh.exe  cmdline: xsqocwtoqpolqyuaxqljh.exe

PID 1476  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .
  PID 4832  image: C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe .
    PID 2348  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\bsmgqgzqojexycuwp.exe*."

PID 3216  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c xsqocwtoqpolqyuaxqljh.exe .
  PID 4268  image: C:\Windows\xsqocwtoqpolqyuaxqljh.exe  cmdline: xsqocwtoqpolqyuaxqljh.exe .
    PID 5148  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\xsqocwtoqpolqyuaxqljh.exe*."

PID 1672  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe .
  PID 4600  image: C:\Windows\kcxsduogfbxrtyruoe.exe  cmdline: kcxsduogfbxrtyruoe.exe .
    PID 5808  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\kcxsduogfbxrtyruoe.exe*."

PID 5332  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe
  PID 5056  image: C:\Windows\vokgskfyyvsnqwqupgz.exe  cmdline: vokgskfyyvsnqwqupgz.exe

PID 5732  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c vokgskfyyvsnqwqupgz.exe
  PID 6040  image: C:\Windows\vokgskfyyvsnqwqupgz.exe  cmdline: vokgskfyyvsnqwqupgz.exe

PID 2316  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe .
  PID 3876  image: C:\Windows\bsmgqgzqojexycuwp.exe  cmdline: bsmgqgzqojexycuwp.exe .
    PID 1684  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\bsmgqgzqojexycuwp.exe*."
PID 5880  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe .
  PID 1076  image: C:\Windows\bsmgqgzqojexycuwp.exe  cmdline: bsmgqgzqojexycuwp.exe .
    PID 3532  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\bsmgqgzqojexycuwp.exe*."

PID 1804  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe
  PID 5760  image: C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 3204  image: C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe

PID 6012  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe
  PID 3156  image: C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe

PID 4812  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe .
  PID 5940  image: C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\vokgskfyyvsnqwqupgz.exe .
    PID 5500  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\vokgskfyyvsnqwqupgz.exe*."

PID 2352  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c bsmgqgzqojexycuwp.exe
  PID 4196  image: C:\Windows\bsmgqgzqojexycuwp.exe  cmdline: bsmgqgzqojexycuwp.exe

PID 1980  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe .
  PID 4388  image: C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe .
    PID 2120  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\kcxsduogfbxrtyruoe.exe*."

PID 3680  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe .
  PID 4304  image: C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 5008  image: C:\Windows\ukdwfumcztnffiza.exe  cmdline: ukdwfumcztnffiza.exe .
    PID 5968  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\ukdwfumcztnffiza.exe*."

PID 5088  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe
  PID 1704  image: C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe
PID 3132  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c hhbtihxynfljfjqlqmdd.exe
  PID 5688  image: C:\Windows\hhbtihxynfljfjqlqmdd.exe  cmdline: hhbtihxynfljfjqlqmdd.exe

PID 2040  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe
  PID 4580  image: C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe

PID 2376  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ukdwfumcztnffiza.exe
  PID 1340  image: C:\Windows\ukdwfumcztnffiza.exe  cmdline: ukdwfumcztnffiza.exe

PID 4448  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe .
  PID 2356  image: C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe .
    PID 4820  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\users\admin\appdata\local\temp\ukdwfumcztnffiza.exe*."

PID 4364  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe .
  PID 5340  image: C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\xsqocwtoqpolqyuaxqljh.exe .

PID 4344  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c kcxsduogfbxrtyruoe.exe .
  PID 5532  image: C:\Windows\kcxsduogfbxrtyruoe.exe  cmdline: kcxsduogfbxrtyruoe.exe .
    PID 5208  image: C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\apcxvhdqkzm.exe" "c:\windows\kcxsduogfbxrtyruoe.exe*."

PID 4456  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c axodplywixavoptln.exe .
  PID 4856  image: C:\Windows\axodplywixavoptln.exe  cmdline: axodplywixavoptln.exe .

PID 5124  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe
  PID 2360  image: C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bsmgqgzqojexycuwp.exe

PID 5156  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe .
  PID 1540  image: C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe .

PID 4704  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c axodplywixavoptln.exe
  PID 248  image: C:\Windows\axodplywixavoptln.exe  cmdline: axodplywixavoptln.exe

PID 4384  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c jhzpcznmzptpjlqjmg.exe .

PID 2476  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxslbbsukdkjgltpvsklg.exe

PID 1368  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ukdwfumcztnffiza.exe

PID 5172  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kcxsduogfbxrtyruoe.exe .
  PID 1168  image: C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

PID 5404  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhbtihxynfljfjqlqmdd.exe .
  PID 5272  image: C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Network
MITRE ATT&CK Enterprise v16 (signature counts in parentheses)
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads
-
Filesize: 120B
MD5: 7aacad4eff7cabbc37ad30f48e4ae61a
SHA1: dc94aa291cd5485ed2800b229264f6bff4badd0b
SHA256: 4019d98965f9f0caa51874d97817d8495896233bd97d94066b58834db7303bb1
SHA512: 6b50af58df61c53df3c687e7c9e88343d2f3a36eff6e7452446c2556434a1be12a4ff0e8932c510b4d535d54719a60e4ad5445ebd8c3b63b29a6692f27c82d7a
-
Filesize: 120B
MD5: db86cf6786476d2942064294cb01523e
SHA1: 1b4b356f334fca67fbcc6ddebce921179cedccfe
SHA256: 01c0bd42f84b57c445ed8c991235432fe2cd8d3263996855f46fc78e4c695c3b
SHA512: 00eb7cea3e803108843a29e3d4d557b50968f4b0a8620c573beac0433dc9657ee5adc1eea4b75855074a1e4a67357011bf339ce497258dea3752cdb30aaf90ea
-
Filesize: 120B
MD5: d5c9f4468c9b574e2d90013bbe4e6247
SHA1: e0cb8b3fb12ef45c3a097eac42279b6d35b0a3d4
SHA256: 3d127aebb742c182a0034fdfb5dd2d75e545c2106cf1637a596b5e1c4e8faf3e
SHA512: 79a5a1281829c93755a8b5319c194fd6516330793067190c9234b9f66b99848294ef834f8e064615f0db4c78ed0c306143327f704e2fd3f602dcd715ec92a1f9
-
Filesize: 120B
MD5: 7ae0b5833fcae515a57490eff689eaee
SHA1: 61faa04d528b5e6ca0242a40a5662667228d2685
SHA256: 35e8676b21635a110439e83193d8af2df69d860841a20f40183ef23fc8e7873e
SHA512: 5349fdc6de00a335b6d083d14072422cff0532cc71d4ab139eba3456d87e615e7a0d1645986ab4e09d24e62e124d1cf25a33c5adb5ad4944e52c2d905c07caa8
-
Filesize: 120B
MD5: 736b092c5663ada6188ac95e6f05621f
SHA1: dd2947541e77e3e3537a3941a28de8a07ad4eef9
SHA256: ffbc392c8f0c1d1c5c49c112ed7e068e6a4dc4650f5942d63e2f13282ad8bca7
SHA512: a52bb3805444c86fbd4aefcbc27d6d5bd5f8b09a3e4bad3c3e0ef0fa3b225201f98c5f2d08464c58ecc1f17b97dd00010530a7d87701fa4c058bb1f95980f718
-
Filesize: 120B
MD5: 1c9c5af9b2af44d8aa370151363b5eb0
SHA1: bcb0a9b4fc2c12bf1555853fa1a84ba3d13837d8
SHA256: 44d8345a48f0037e30c29bfc1b53e76fb00349e6f4ffe7298591a866de33f95a
SHA512: af42d037014d51bf9ea64df769a9f4357e0a1fb4bf84e81282409298dce07b5622d2984a945c9f1376b1a10ac412b0492eb34f86808e232dcbb971a40e4d22a4
-
Filesize: 308KB
MD5: 85cb856b920e7b0b7b75115336fc2af2
SHA1: 1d1a207efec2f5187583b652c35aef74ee4c473f
SHA256: 6fff20aabe8265b6e811c9dbcb987f9c15cf07d1d8b80ced7b287d96900f5c62
SHA512: 120ff9c77c19216e5691b6ba812f09f7db7b46685a391027fff56e5b73200f4211b6bac2c2d28cdfe461d1fbf10f1a3204adeedbd0a34a034a862c6278d901e8
-
Filesize: 668KB
MD5: f07f32ba7de4c05773433b9ebaecca22
SHA1: 3d8b016945c36a3e713b55554dfe85a5b17422a9
SHA256: 7f70dad53114a27e1758ff4dadea9c4875975ea6c0f34d704c823839cb30f316
SHA512: ad7786f1d7f5064d0803efdee6fb7869703aaef0d0bc4b0b13fecae8873de0dbd02b9e1c9445f06f1d8952086348b2693f4aacfb92f7dbb0190b6fe4eedcbe4e
-
Filesize: 120B
MD5: bd7a0614f893c80e05ff848700f8b416
SHA1: 69631176bb9cd95a9fe0649c2b6eeb5d4e2f852f
SHA256: 240f51d8bed75ec1d5d75672ce8464b60c2c896a823b52c3a37e72303a73b037
SHA512: 5c3adb0ecf185f3e5816788c0a3223f3f1b3559dee66559026afed7f6f1f1c387ac65979d5d8ed2eea519ad4d86c0c0100a9f1173001b986dbf4a290caa21cb6
-
Filesize: 3KB
MD5: 87b619c88dca02034082a8dcb90c5ee8
SHA1: 7a35f17f97b70ecb34882301072a4db663dd6f10
SHA256: 5b0413e7a4b138301699d92b713b5594142d200e9059c3f89ade9a137121f685
SHA512: 152e74af33d836f30a9cc0d87ec50d52987bda23ddc5d53268e7ca0a6a32eaf276cff44513291a0fbe3a16e2cf6eca1603da644a9a1417160f215bea2fed5252
-
Filesize: 480KB
MD5: c7e5d9b24e40b9b5909256350f70b10b
SHA1: fb9d569e524b0cbe1f4a4a600ada58f687a7aee4
SHA256: 2e7aa86c211bcba2701f0d5acd491714bcbaf5f5cd6e930bc9795fdfb2a7f859
SHA512: 2cb935a8f5f1bc4fafbcd7de1bd3dabe65e31a2f3f860dcfbc65aad89242841e59fc6fffec922f20f4c983723329503060b00e4e7152873730c7de41b93a17ea