Analysis
max time kernel: 64s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21/04/2025, 06:08
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe
  Resource: win10v2004-20250314-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe
  Resource: win11-20250410-en
General
Target: JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe
Size: 640KB
MD5: c80e476ddc2450c7d1bf465e8796f0d6
SHA1: c01e78777fbd41c983942ef10546613ce2537f5b
SHA256: cf50f189fc5b6fb4762cee07c4d5e22cdbeb853132f86f6c757033aff65a83a1
SHA512: 6adc3688772558bcbc094335a84ea7bddd84615c509991788debeb9c34c94702c883e5cb06148a1aa45b5b4d63e362dead24b5e12056e7efa91cb46415f8f832
SSDEEP: 12288:vIXsgtvm1De5YlOx6lzBH46U0yxeco7pQS/L7no2aT:vU81yMBbfyno7pQS/LBaT
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 32 IoCs
Pykspa family
UAC bypass 3 TTPs 41 IoCs
Detect Pykspa worm 2 IoCs
resource | yara_rule
behavioral2/files/0x000b00000002ad84-4.dat | family_pykspa
behavioral2/files/0x001900000002b1eb-84.dat | family_pykspa
Adds policy Run key to start application 2 TTPs 64 IoCs
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xidoeloehsn.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | nqxfgp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | nqxfgp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | nqxfgp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | nqxfgp.exe
Executes dropped EXE 64 IoCs
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | nqxfgp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | nqxfgp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | nqxfgp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | nqxfgp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | nqxfgp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | nqxfgp.exe
Adds Run key to start application 2 TTPs 64 IoCs
Checks whether UAC is enabled 1 TTPs 64 IoCs
Reads EnableLUA and then writes it to 0; both dropped components (xidoeloehsn.exe and nqxfgp.exe) do this. The signature name understates the effect: EnableLUA = 0 switches User Account Control off for every account once the machine restarts, so nothing launched afterwards produces an elevation prompt.
description ioc Process count (identical rows collapsed)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA xidoeloehsn.exe 30
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xidoeloehsn.exe 30
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA nqxfgp.exe 2
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" nqxfgp.exe 2
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users: with EnableInstallerDetection = 0, UAC no longer automatically requests elevation for executables it heuristically recognises as installers.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" nqxfgp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" xidoeloehsn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" nqxfgp.exe
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
1 www.showmyipaddress.com
1 whatismyip.everdot.org
1 www.whatismyip.ca
1 whatismyipaddress.com
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File opened for modification C:\autorun.inf nqxfgp.exe
File created C:\autorun.inf nqxfgp.exe
File opened for modification F:\autorun.inf nqxfgp.exe
File created F:\autorun.inf nqxfgp.exe
-
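The report shows nqxfgp.exe writing autorun.inf to the root of C: and F: but not the file's contents. As an added example (not code from the report or from the sample), the following parser reads an autorun.inf tolerantly and lists every entry that would launch a program, then scans a set of volume roots for such files. The sample file below is constructed, and dropper.exe / dropper64.exe are hypothetical names. A practical caveat: since Windows 7 (and the KB971029 update for earlier versions) Windows ignores autorun.inf on removable non-optical media, so this artefact mainly matters for legacy hosts and for identifying the launch target during cleanup.

```python
"""Inspect autorun.inf files on volume roots.

Added example for this page, not part of the report or the sample: a tolerant
parser for the autorun.inf format plus a scan over volume roots. The report does
not show the autorun.inf the sample writes, so SAMPLE_AUTORUN_INF is constructed,
with hypothetical target names (dropper.exe, dropper64.exe).
"""
import os
import string
import tempfile

# Constructed sample: mixed casing, a comment, a junk line and an
# architecture-specific section, all of which a naive INI parser may trip over.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
; comment line
this line has no key/value separator and must be skipped
OPEN=dropper.exe
shell\\open=Open
shell\\open\\command=dropper.exe
icon=dropper.exe,0
UseAutoPlay=1

[autorun.amd64]
open=dropper64.exe
"""

# Keys whose value is executed: open, shellexecute, and shell\<verb>\command.
LAUNCH_KEYS = {'open', 'shellexecute'}


def parse_autorun(text):
    """Return {section: {key: value}}; section and key names are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or '=' not in line:
            continue  # junk outside any section, or a line without a separator
        key, _, value = line.partition('=')
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(sections):
    """(section, key, command) for every entry that would start a program."""
    hits = []
    for name, entries in sections.items():
        if not name.startswith('autorun'):
            continue  # e.g. [DeviceInstall] never launches anything
        for key, value in entries.items():
            if key in LAUNCH_KEYS or (key.startswith('shell\\') and key.endswith('\\command')):
                hits.append((name, key, value))
    return hits


def scan_roots(roots):
    """Return [(root, targets)] for each root that carries an autorun.inf."""
    found = []
    for root in roots:
        path = os.path.join(root, 'autorun.inf')
        if not os.path.isfile(path):
            continue
        with open(path, encoding='utf-8', errors='replace') as fh:
            found.append((root, launch_targets(parse_autorun(fh.read()))))
    return found


def demo_scan():
    """Write the constructed sample into a temporary 'volume' and scan it."""
    with tempfile.TemporaryDirectory() as volume:
        with open(os.path.join(volume, 'autorun.inf'), 'w', encoding='utf-8') as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        return scan_roots([volume, os.path.join(volume, 'no-such-volume')])


if __name__ == '__main__':
    # On a live Windows host, check every drive letter; elsewhere fall back to the demo.
    roots = [f'{d}:\\' for d in string.ascii_uppercase] if os.name == 'nt' else []
    for root, targets in scan_roots(roots) or demo_scan():
        for section, key, command in targets:
            print(f'{root} [{section}] {key} -> {command}')
```

The parser deliberately does not use configparser: real autorun.inf files often contain lines without a separator or duplicated keys, which the strict INI parser rejects, and an analyst wants the launch target even from a malformed file.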
Drops file in System32 directory 64 IoCs
description ioc Process count (identical rows collapsed)
File created C:\Windows\SysWOW64\ranbixjqfqkwsevdhyzivjqfrynyseamdl.ghq nqxfgp.exe 1
File opened for modification C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe xidoeloehsn.exe 13
File opened for modification C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe nqxfgp.exe 1
File opened for modification C:\Windows\SysWOW64\gumfrlcoiyxopgcpy.exe xidoeloehsn.exe 7
File opened for modification C:\Windows\SysWOW64\gumfrlcoiyxopgcpy.exe nqxfgp.exe 1
File opened for modification C:\Windows\SysWOW64\aqkftpiwsklehaynywe.exe xidoeloehsn.exe 6
File opened for modification C:\Windows\SysWOW64\aqkftpiwsklehaynywe.exe nqxfgp.exe 1
File opened for modification C:\Windows\SysWOW64\nezvkhbqngicgazpbaja.exe xidoeloehsn.exe 8
File opened for modification C:\Windows\SysWOW64\nezvkhbqngicgazpbaja.exe nqxfgp.exe 1
File opened for modification C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe xidoeloehsn.exe 12
File opened for modification C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe nqxfgp.exe 1
File opened for modification C:\Windows\SysWOW64\cuqndbwmkehchcctggqie.exe xidoeloehsn.exe 7
File opened for modification C:\Windows\SysWOW64\zmdvgzpatigwwmht.exe xidoeloehsn.exe 4
File opened for modification C:\Windows\SysWOW64\zmdvgzpatigwwmht.exe nqxfgp.exe 1
-
Drops file in Program Files directory 4 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\ecehdhieiirsdekhagwuwzv.awa nqxfgp.exe
File created C:\Program Files (x86)\ecehdhieiirsdekhagwuwzv.awa nqxfgp.exe
File opened for modification C:\Program Files (x86)\ranbixjqfqkwsevdhyzivjqfrynyseamdl.ghq nqxfgp.exe
File created C:\Program Files (x86)\ranbixjqfqkwsevdhyzivjqfrynyseamdl.ghq nqxfgp.exe
-
Drops file in Windows directory 64 IoCs
description ioc Process count (identical rows collapsed)
File created C:\Windows\ecehdhieiirsdekhagwuwzv.awa nqxfgp.exe 1
File opened for modification C:\Windows\gumfrlcoiyxopgcpy.exe xidoeloehsn.exe 8
File opened for modification C:\Windows\gumfrlcoiyxopg cpy.exe nqxfgp.exe 1
File opened for modification C:\Windows\cuqndbwmkehchcctggqie.exe xidoeloehsn.exe 10
File opened for modification C:\Windows\tmjhyxtkjeiekghznozspn.exe xidoeloehsn.exe 10
File opened for modification C:\Windows\pexrezrezqqikcznxu.exe xidoeloehsn.exe 11
File opened for modification C:\Windows\pexrezrezqqikcznxu.exe nqxfgp.exe 1
File opened for modification C:\Windows\nezvkhbqngicgazpbaja.exe xidoeloehsn.exe 7
File opened for modification C:\Windows\nezvkhbqngicgazpbaja.exe nqxfgp.exe 1
File opened for modification C:\Windows\aqkftpiwsklehaynywe.exe xidoeloehsn.exe 10
File opened for modification C:\Windows\zmdvgzpatigwwmht.exe xidoeloehsn.exe 4
-
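Read together, the Run/RunOnce, Winlogon, EnableLUA, EnableInstallerDetection and file-drop tables above tell one story: several Run values hold a bare filename rather than a path, and the same filenames are written to C:\Windows and C:\Windows\SysWOW64, so whichever directory the launching process searches first will find a copy. The script below is an added example, not code from the sandbox or from the sample. It parses rows in the format the tables use ("Set value (...)", "Key value queried", "File created" / "File opened for modification"), normalises the hive prefixes, de-duplicates, classifies each registry write and, for bare-filename persistence commands, lists the copies the report shows for that basename. SAMPLE_EVENTS is a constructed excerpt of eleven rows copied from the tables, one per line; the category names and the Finding type are this example's own.

```python
"""Triage of the flattened registry and file IoC rows in a sandbox report.

Added example for this page, not code from the sandbox or from the sample. It
parses "Set value", "Key value queried" and "File ..." rows of the form shown in
the tables above, de-duplicates them, classifies each registry write, and
cross-references bare-filename Run/RunOnce commands with the directories the
sample wrote copies into. SAMPLE_EVENTS is a constructed excerpt: eleven rows
copied from the report, one event per line.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

SET_RE = re.compile(r'^Set value \((?:str|int)\) (?P<path>.+?) = "(?P<value>.*)" (?P<proc>\S+)$')
QUERY_RE = re.compile(r'^Key value queried (?P<path>.+) (?P<proc>\S+)$')
FILE_RE = re.compile(r'^File (?:created|opened for modification) (?P<path>.+) (?P<proc>\S+)$')
ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\')

SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "pexrezrezqqikcznxu.exe ." xidoeloehsn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe" xidoeloehsn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "pexrezrezqqikcznxu.exe ." xidoeloehsn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\ranbixjqfqkw = "zmdvgzpatigwwmht.exe" nqxfgp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" xidoeloehsn.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA xidoeloehsn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xidoeloehsn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" nqxfgp.exe
File opened for modification C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe xidoeloehsn.exe
File opened for modification C:\Windows\pexrezrezqqikcznxu.exe nqxfgp.exe
File opened for modification C:\Windows\SysWOW64\zmdvgzpatigwwmht.exe xidoeloehsn.exe
"""


@dataclass(frozen=True)
class Finding:
    category: str   # what the write achieves (names are this example's own)
    key: str        # registry path with the hive normalised to HKLM / HKU\<SID>
    value: str
    process: str
    note: str = ''


def normalize(path):
    r"""\REGISTRY\MACHINE\... -> HKLM\...  and  \REGISTRY\USER\<SID>\... -> HKU\<SID>\..."""
    path = re.sub(r'^\\REGISTRY\\MACHINE\\', r'HKLM\\', path)
    return re.sub(r'^\\REGISTRY\\USER\\(S-1-5-[\d-]+)\\', r'HKU\\\1\\', path)


def drop_locations(file_paths):
    """basename -> set of full paths the sample created or modified."""
    by_name = defaultdict(set)
    for path in file_paths:
        by_name[path.rsplit('\\', 1)[-1].lower()].add(path)
    return by_name


def classify(path, value, proc, drops):
    low = path.lower()
    if low.endswith(r'\policies\system\enablelua'):
        off = value == '0'
        return Finding('uac_disabled' if off else 'uac_setting', path, value, proc,
                       'UAC is off for all accounts after the next restart' if off else '')
    if low.endswith(r'\policies\system\enableinstallerdetection'):
        off = value == '0'
        return Finding('installer_detection_disabled' if off else 'installer_detection_setting',
                       path, value, proc, 'UAC stops auto-prompting for setup-like executables' if off else '')
    if low.endswith(r'\winlogon\shell'):
        # A hijack appends to or replaces the shell; the stock value is exactly "Explorer.exe".
        tampered = value.strip().lower() != 'explorer.exe'
        return Finding('winlogon_shell', path, value, proc,
                       'shell replaced' if tampered else 'stock value rewritten by an untrusted process')
    m = re.search(r'\\currentversion\\(run|runonce)\\[^\\]+$', low)
    if m:
        exe = value.split()[0] if value.split() else value
        if ABS_PATH_RE.match(exe):
            note = 'absolute path'
        else:
            # Bare name: resolved through the executable search path at logon,
            # so list every copy the report shows for that basename.
            copies = sorted(drops.get(exe.lower(), ()))
            note = 'bare filename; copies seen at: ' + (', '.join(copies) or 'none in excerpt')
        return Finding('persistence_' + m.group(1), path, value, proc, note)
    return Finding('other', path, value, proc)


def triage(text):
    """Return (de-duplicated findings in first-seen order, Counter of registry reads)."""
    sets, reads, files = [], Counter(), []
    for line in text.strip().splitlines():
        line = line.strip()
        if (m := QUERY_RE.match(line)):
            reads[(normalize(m['path']), m['proc'])] += 1
        elif (m := FILE_RE.match(line)):
            files.append(m['path'])
        elif (m := SET_RE.match(line)):
            sets.append((normalize(m['path']), m['value'], m['proc']))
    drops = drop_locations(files)
    findings, seen = [], set()
    for path, value, proc in sets:
        finding = classify(path, value, proc, drops)
        if finding not in seen:
            seen.add(finding)
            findings.append(finding)
    return findings, reads


def category_counts(findings):
    return dict(Counter(f.category for f in findings))


if __name__ == '__main__':
    found, reads = triage(SAMPLE_EVENTS)
    for f in found:
        print(f'{f.category:30} {f.process:16} {f.key} = "{f.value}"  [{f.note}]')
    for (key, proc), n in reads.items():
        print(f'{"read":30} {proc:16} {key}  x{n}')
```

Feeding the script the full tables instead of the excerpt collapses the 64-row walls into a handful of distinct writes per process. The WOW6432Node prefix on the HKLM entries only records that the writer is a 32-bit process; both the native and the WOW6432Node Run keys are processed at logon, so those entries are live persistence, not a redirected no-op.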
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description ioc Process count (identical rows collapsed)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cuqndbwmkehchcctggqie.exe 11
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nezvkhbqngicgazpbaja.exe 8
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zmdvgzpatigwwmht.exe 12
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pexrezrezqqikcznxu.exe 9
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gumfrlcoiyxopgcpy.exe 14
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aqkftpiwsklehaynywe.exe 9
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xidoeloehsn.exe 1
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process count (identical rows collapsed)
3776 JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe 60
2012 nqxfgp.exe 4
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2012 nqxfgp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3776 wrote to memory of 3252 3776 JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe 78 (×3)
PID 1896 wrote to memory of 5320 1896 cmd.exe 81 (×3)
PID 3696 wrote to memory of 4788 3696 cmd.exe 84 (×3)
PID 4788 wrote to memory of 4808 4788 pexrezrezqqikcznxu.exe 86 (×3)
PID 4760 wrote to memory of 4920 4760 cmd.exe 88 (×3)
PID 5024 wrote to memory of 4864 5024 cmd.exe 91 (×3)
PID 4864 wrote to memory of 5056 4864 cuqndbwmkehchcctggqie.exe 96 (×3)
PID 3588 wrote to memory of 5584 3588 cmd.exe 97 (×3)
PID 4996 wrote to memory of 5076 4996 cmd.exe 98 (×3)
PID 5076 wrote to memory of 4652 5076 cuqndbwmkehchcctggqie.exe 99 (×3)
PID 2324 wrote to memory of 464 2324 cmd.exe 102 (×3)
PID 5644 wrote to memory of 5480 5644 cmd.exe 105 (×3)
PID 5480 wrote to memory of 5772 5480 cuqndbwmkehchcctggqie.exe 106 (×3)
PID 3252 wrote to memory of 2012 3252 xidoeloehsn.exe 107 (×3)
PID 3252 wrote to memory of 4560 3252 xidoeloehsn.exe 108 (×3)
PID 4084 wrote to memory of 1488 4084 cmd.exe 111 (×3)
PID 3036 wrote to memory of 5532 3036 cmd.exe 114 (×3)
PID 3128 wrote to memory of 6128 3128 cmd.exe 117 (×3)
PID 5532 wrote to memory of 6140 5532 aqkftpiwsklehaynywe.exe 120 (×3)
PID 5716 wrote to memory of 4572 5716 cmd.exe 219 (×3)
PID 3656 wrote to memory of 5212 3656 cmd.exe 228 (×3)
PID 5756 wrote to memory of 1520 5756 cmd.exe 130 (×1)
(64 rows in total; identical consecutive rows collapsed with their count) -
System policy modification 1 TTPs 64 IoCs
description ioc Process count
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System xidoeloehsn.exe ×22
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System nqxfgp.exe ×1
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer xidoeloehsn.exe ×1
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer nqxfgp.exe ×2
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xidoeloehsn.exe ×18
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" nqxfgp.exe ×2
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" xidoeloehsn.exe ×1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" nqxfgp.exe ×2
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" nqxfgp.exe ×2
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" xidoeloehsn.exe ×1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" nqxfgp.exe ×1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" xidoeloehsn.exe ×1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" nqxfgp.exe ×2
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" xidoeloehsn.exe ×1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" nqxfgp.exe ×2
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" nqxfgp.exe ×1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" nqxfgp.exe ×1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" xidoeloehsn.exe ×1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nqxfgp.exe ×1
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" nqxfgp.exe ×1
(64 rows in total; identical rows consolidated with their count)
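The policy rows above are the most consequential part of the report: together they switch UAC off, silence the elevation prompt, block regedit and loosen AutoRun. The following triage helper is an added example, not code from the report or from the sample. It parses rows in the exact format the report prints them (whether one per line or run together on a single line, as in the table above), tallies which process wrote which value, and labels each write with its effect. The sample rows are constructed from the table above; the meanings are the documented behaviour of the Policies\System and Policies\Explorer values and are not stated anywhere in the report.

```python
"""Triage helper for 'System policy modification' rows from a sandbox report.

Added example, not code from the report or the sample. SAMPLE_ROWS is
constructed from the report's table; MEANING is the documented effect of each
value when set as the sample set it (an assumption of this example, not a
statement of the report).
"""
import re
from collections import Counter

# One row as the report prints it, e.g.
#   Set value (int) \REGISTRY\...\Policies\System\EnableLUA = "0" xidoeloehsn.exe
#   Key created \REGISTRY\...\Policies\System xidoeloehsn.exe
ROW_RE = re.compile(
    r'(?P<op>Set value \((?:int|str)\)|Key created)\s+'
    r'(?P<path>\\REGISTRY\\\S+?)'          # key, or key\valuename for Set value
    r'(?:\s*=\s*"(?P<value>[^"]*)")?\s+'   # quoted value, only for Set value
    r'(?P<process>\S+\.exe)'
)

MEANING = {
    ("EnableLUA", "0"): "UAC disabled entirely (effective after reboot)",
    ("ConsentPromptBehaviorAdmin", "0"): "administrators elevate silently, no prompt",
    ("ConsentPromptBehaviorUser", "0"): "standard users' elevation requests auto-denied",
    ("PromptOnSecureDesktop", "0"): "elevation prompt drawn on the normal desktop, so it can be spoofed",
    ("FilterAdministratorToken", "0"): "built-in Administrator runs with a full token",
    ("EnableVirtualization", "0"): "file/registry virtualization for legacy apps off",
    ("ValidateAdminCodeSignatures", "0"): "no Authenticode check on elevating executables",
    ("EnableSecureUIAPaths", "0"): "UIAccess apps allowed from non-secure paths",
    ("DisableRegistryTools", "1"): "regedit.exe blocked for the user",
    ("NoDriveTypeAutoRun", "1"): "AutoRun bitmask reduced to 'unknown drives only', so removable media and CD AutoRun are back on",
}

# Constructed from the report's table (twelve of its 64 rows).
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System xidoeloehsn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xidoeloehsn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" xidoeloehsn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" nqxfgp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" nqxfgp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer nqxfgp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" xidoeloehsn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" nqxfgp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" nqxfgp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" nqxfgp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xidoeloehsn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" nqxfgp.exe
"""


def parse_rows(text):
    """Parse every row in `text`; works on one-row-per-line and run-together input."""
    return [m.groupdict() for m in ROW_RE.finditer(text)]


def summarize(rows):
    """Map (value name, value) -> Counter of writing processes, for Set value rows."""
    out = {}
    for r in rows:
        if not r["op"].startswith("Set value"):
            continue
        name = r["path"].rsplit("\\", 1)[1]
        out.setdefault((name, r["value"]), Counter())[r["process"]] += 1
    return out


def uac_disabled(rows):
    """True if any write alone is enough to neuter UAC for administrators."""
    return any(k in summarize(rows) for k in (("EnableLUA", "0"), ("ConsentPromptBehaviorAdmin", "0")))


def findings(rows):
    """Human-readable line per distinct write, with effect and writing processes."""
    lines = []
    for (name, value), procs in sorted(summarize(rows).items()):
        who = ", ".join(f"{p} x{n}" for p, n in sorted(procs.items()))
        lines.append(f"{name}={value}: {MEANING.get((name, value), 'not in MEANING table')} [{who}]")
    return lines


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print(f"{len(rows)} rows, UAC disabled: {uac_disabled(rows)}")
    print("\n".join(findings(rows)))
```

Two things worth noting when reading the output. EnableLUA=0 only takes effect after a reboot, which is why the sample also sets ConsentPromptBehaviorAdmin=0 and PromptOnSecureDesktop=0: those change the behaviour of the current session. And NoDriveTypeAutoRun=1 is not a hardening value; read together with the "Drops autorun.inf file" signature on nqxfgp.exe it is the removable-media spreading path being re-enabled.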
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3252 -
C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe"C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe" "-C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2012
-
-
C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe"C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe" "-C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe1⤵
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\aqkftpiwsklehaynywe.exeaqkftpiwsklehaynywe.exe2⤵
- Executes dropped EXE
PID:5320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\pexrezrezqqikcznxu.exepexrezrezqqikcznxu.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."3⤵
- Executes dropped EXE
PID:4808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\aqkftpiwsklehaynywe.exeaqkftpiwsklehaynywe.exe2⤵
- Executes dropped EXE
PID:4920
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\cuqndbwmkehchcctggqie.execuqndbwmkehchcctggqie.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."3⤵
- Executes dropped EXE
PID:5056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exeC:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe2⤵
- Executes dropped EXE
PID:5584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exeC:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."3⤵
- Executes dropped EXE
PID:4652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exeC:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe2⤵
- Executes dropped EXE
PID:464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5644 -
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exeC:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5480 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."3⤵
- Executes dropped EXE
PID:5772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\nezvkhbqngicgazpbaja.exenezvkhbqngicgazpbaja.exe2⤵
- Executes dropped EXE
PID:1488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\aqkftpiwsklehaynywe.exeaqkftpiwsklehaynywe.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5532 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."3⤵
- Executes dropped EXE
PID:6140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\pexrezrezqqikcznxu.exepexrezrezqqikcznxu.exe2⤵
- Executes dropped EXE
PID:6128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5716 -
C:\Windows\aqkftpiwsklehaynywe.exeaqkftpiwsklehaynywe.exe2⤵
- Executes dropped EXE
PID:4572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\gumfrlcoiyxopgcpy.exegumfrlcoiyxopgcpy.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5212 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."3⤵
- Executes dropped EXE
PID:5284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .1⤵PID:5928
-
C:\Windows\zmdvgzpatigwwmht.exezmdvgzpatigwwmht.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4628 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."3⤵
- Executes dropped EXE
PID:3756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5756 -
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe2⤵
- Executes dropped EXE
PID:1520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .1⤵PID:2400
-
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1444 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."3⤵
- Executes dropped EXE
PID:2312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe1⤵PID:2244
-
C:\Windows\pexrezrezqqikcznxu.exepexrezrezqqikcznxu.exe2⤵
- Executes dropped EXE
PID:5452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .1⤵PID:420
-
C:\Windows\cuqndbwmkehchcctggqie.execuqndbwmkehchcctggqie.exe .2⤵
- Executes dropped EXE
PID:5952 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:3324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe1⤵PID:3532
-
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe2⤵
- Executes dropped EXE
PID:3900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .1⤵PID:2824
-
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exeC:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .2⤵
- Executes dropped EXE
PID:3376 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."3⤵
- Executes dropped EXE
PID:2988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe1⤵PID:5324
-
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exeC:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe2⤵
- Executes dropped EXE
PID:5504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .1⤵PID:1868
-
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exeC:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .2⤵
- Executes dropped EXE
PID:1468 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."3⤵
- Executes dropped EXE
PID:2592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe1⤵PID:4064
-
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .1⤵PID:4208
-
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .2⤵
- Executes dropped EXE
PID:2132 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."3⤵
- Executes dropped EXE
PID:4264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe1⤵PID:5840
-
C:\Windows\gumfrlcoiyxopgcpy.exegumfrlcoiyxopgcpy.exe2⤵
- Executes dropped EXE
PID:5776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .1⤵PID:2728
-
C:\Windows\nezvkhbqngicgazpbaja.exenezvkhbqngicgazpbaja.exe .2⤵
- Executes dropped EXE
PID:2904 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."3⤵
- Executes dropped EXE
PID:4796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe1⤵PID:2372
-
C:\Windows\cuqndbwmkehchcctggqie.execuqndbwmkehchcctggqie.exe2⤵
- Executes dropped EXE
PID:4812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .1⤵PID:4224
-
C:\Windows\gumfrlcoiyxopgcpy.exegumfrlcoiyxopgcpy.exe .2⤵
- Executes dropped EXE
PID:4884 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."3⤵
- Executes dropped EXE
PID:4368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe1⤵PID:4840
-
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exeC:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe2⤵
- Executes dropped EXE
PID:460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .1⤵PID:5020
-
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .2⤵
- Executes dropped EXE
PID:4900 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."3⤵
- Executes dropped EXE
PID:5032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe1⤵PID:3616
-
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exeC:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe2⤵
- Executes dropped EXE
PID:5108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .1⤵PID:4992
-
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exeC:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .2⤵
- Executes dropped EXE
PID:5068 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe1⤵PID:3236
-
C:\Windows\nezvkhbqngicgazpbaja.exenezvkhbqngicgazpbaja.exe2⤵
- Executes dropped EXE
PID:1724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .1⤵PID:3752
-
C:\Windows\gumfrlcoiyxopgcpy.exegumfrlcoiyxopgcpy.exe .2⤵
- Executes dropped EXE
PID:3032 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."3⤵
- Executes dropped EXE
PID:2340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe1⤵PID:732
-
C:\Windows\zmdvgzpatigwwmht.exezmdvgzpatigwwmht.exe2⤵
- Executes dropped EXE
PID:712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe1⤵PID:1952
-
C:\Windows\gumfrlcoiyxopgcpy.exegumfrlcoiyxopgcpy.exe2⤵
- Executes dropped EXE
PID:784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .1⤵PID:5416
-
C:\Windows\zmdvgzpatigwwmht.exezmdvgzpatigwwmht.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5448 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."3⤵
- Executes dropped EXE
PID:3224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .1⤵PID:5112
-
C:\Windows\gumfrlcoiyxopgcpy.exegumfrlcoiyxopgcpy.exe .2⤵
- Executes dropped EXE
PID:4268 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."3⤵
- Executes dropped EXE
PID:2792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe1⤵PID:2060
-
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exeC:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe2⤵
- Executes dropped EXE
PID:5692
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe1⤵PID:5008
-
C:\Windows\gumfrlcoiyxopgcpy.exegumfrlcoiyxopgcpy.exe2⤵
- Executes dropped EXE
PID:1504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .1⤵PID:1308
-
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exeC:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .2⤵
- Executes dropped EXE
PID:3756 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."3⤵PID:3412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe1⤵PID:4572
-
C:\Windows\cuqndbwmkehchcctggqie.execuqndbwmkehchcctggqie.exe2⤵
- Executes dropped EXE
PID:5212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .1⤵PID:1436
-
C:\Windows\nezvkhbqngicgazpbaja.exenezvkhbqngicgazpbaja.exe .2⤵PID:248
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."3⤵PID:3764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .1⤵PID:5756
-
C:\Windows\zmdvgzpatigwwmht.exezmdvgzpatigwwmht.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5456 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."3⤵PID:412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe1⤵PID:3624
-
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exeC:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe2⤵PID:2652
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe1⤵PID:3948
-
C:\Windows\gumfrlcoiyxopgcpy.exegumfrlcoiyxopgcpy.exe2⤵PID:576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .1⤵PID:996
-
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2412 -
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 4648): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

- C:\Windows\system32\cmd.exe (PID 428): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
  - C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe (PID 4396): C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

- C:\Windows\system32\cmd.exe (PID 1356): C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .
  - C:\Windows\aqkftpiwsklehaynywe.exe (PID 1680): aqkftpiwsklehaynywe.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 2592): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."

- C:\Windows\system32\cmd.exe (PID 5820): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
  - C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe (PID 2600): C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 2648): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."

- C:\Windows\system32\cmd.exe (PID 3076): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
  - C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe (PID 4076): C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

- C:\Windows\system32\cmd.exe (PID 4460): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
  - C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe (PID 2828): C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 5612): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."

- C:\Windows\system32\cmd.exe (PID 1996): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
  - C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe (PID 4724): C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

- C:\Windows\system32\cmd.exe (PID 1620): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
  - C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe (PID 952): C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 5512): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

- C:\Windows\system32\cmd.exe (PID 2824): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
  - C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe (PID 3524): C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

- C:\Windows\system32\cmd.exe (PID 4556): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
  - C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe (PID 1896): C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 2728): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."

- C:\Windows\system32\cmd.exe (PID 3400): C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
  - C:\Windows\cuqndbwmkehchcctggqie.exe (PID 4808): cuqndbwmkehchcctggqie.exe

- C:\Windows\system32\cmd.exe (PID 5600): C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
  - C:\Windows\nezvkhbqngicgazpbaja.exe (PID 4788): nezvkhbqngicgazpbaja.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 4608): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

- C:\Windows\system32\cmd.exe (PID 4708): C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe
  - C:\Windows\System32\Conhost.exe (PID 4368): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - C:\Windows\pexrezrezqqikcznxu.exe (PID 4804): pexrezrezqqikcznxu.exe

- C:\Windows\system32\cmd.exe (PID 4840): C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
  - C:\Windows\nezvkhbqngicgazpbaja.exe (PID 4496): nezvkhbqngicgazpbaja.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 4848): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

- C:\Windows\system32\cmd.exe (PID 4900): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
  - C:\Windows\System32\Conhost.exe (PID 5032): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe (PID 4604): C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

- C:\Windows\system32\cmd.exe (PID 4440): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
  - C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe (PID 3324): C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 5068): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

- C:\Windows\system32\cmd.exe (PID 4652): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
  - C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe (PID 4964): C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

- C:\Windows\system32\cmd.exe (PID 4984): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
  - C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe (PID 1516): C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 5644): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

- C:\Windows\system32\cmd.exe (PID 3504): C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe
  - C:\Windows\zmdvgzpatigwwmht.exe (PID 712): zmdvgzpatigwwmht.exe

- C:\Windows\system32\cmd.exe (PID 3708): C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .
  - C:\Windows\zmdvgzpatigwwmht.exe (PID 5408): zmdvgzpatigwwmht.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 3000): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."

- C:\Windows\system32\cmd.exe (PID 2888): C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
  - C:\Windows\cuqndbwmkehchcctggqie.exe (PID 2512): cuqndbwmkehchcctggqie.exe

- C:\Windows\system32\cmd.exe (PID 4484): C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
  - C:\Windows\nezvkhbqngicgazpbaja.exe (PID 5132): nezvkhbqngicgazpbaja.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 1720): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

- C:\Windows\system32\cmd.exe (PID 1504): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
  - C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe (PID 5576): C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

- C:\Windows\system32\cmd.exe (PID 5416): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
  - C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe (PID 1208): C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 6084): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."

- C:\Windows\system32\cmd.exe (PID 5344): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
  - C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe (PID 4644): C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

- C:\Windows\system32\cmd.exe (PID 2368): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
  - C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe (PID 436): C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 1716): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

- C:\Windows\system32\cmd.exe (PID 3004): C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe
  - C:\Windows\zmdvgzpatigwwmht.exe (PID 4624): zmdvgzpatigwwmht.exe

- C:\Windows\system32\cmd.exe (PID 2444): C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .
  - C:\Windows\zmdvgzpatigwwmht.exe (PID 1308): zmdvgzpatigwwmht.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 5332): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."

- C:\Windows\system32\cmd.exe (PID 3592): C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe
  - C:\Windows\System32\Conhost.exe (PID 4396): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - C:\Windows\zmdvgzpatigwwmht.exe (PID 1436): zmdvgzpatigwwmht.exe

- C:\Windows\system32\cmd.exe (PID 2924): C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .
  - C:\Windows\zmdvgzpatigwwmht.exe (PID 5368): zmdvgzpatigwwmht.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 5496): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."

- C:\Windows\system32\cmd.exe (PID 1348): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
  - C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe (PID 3948): C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

- C:\Windows\system32\cmd.exe (PID 5176): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
  - C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe (PID 2376): C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 1484): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."

- C:\Windows\system32\cmd.exe (PID 668): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
  - C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe (PID 2648): C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

- C:\Windows\system32\cmd.exe (PID 3848): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
  - C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe (PID 2788): C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 2992): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

- C:\Windows\system32\cmd.exe (PID 5832): C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
  - C:\Windows\gumfrlcoiyxopgcpy.exe (PID 1172): gumfrlcoiyxopgcpy.exe

- C:\Windows\system32\cmd.exe (PID 5424): C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .
  - C:\Windows\cuqndbwmkehchcctggqie.exe (PID 648): cuqndbwmkehchcctggqie.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 3700): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."

- C:\Windows\system32\cmd.exe (PID 2828): C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
  - C:\Windows\gumfrlcoiyxopgcpy.exe (PID 2852): gumfrlcoiyxopgcpy.exe

- C:\Windows\system32\cmd.exe (PID 5136): C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .
  - C:\Windows\pexrezrezqqikcznxu.exe (PID 3760): pexrezrezqqikcznxu.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 3288): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."

- C:\Windows\system32\cmd.exe (PID 4688): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
  - C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe (PID 2196): C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

- C:\Windows\system32\cmd.exe (PID 1132): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
  - C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe (PID 4868): C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 4852): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."

- C:\Windows\system32\cmd.exe (PID 3400): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
  - C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe (PID 4788): C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

- C:\Windows\system32\cmd.exe (PID 4608): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
  - C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe (PID 5600): C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 4876): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

- C:\Windows\system32\cmd.exe (PID 4900): C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe
  - C:\Windows\aqkftpiwsklehaynywe.exe (PID 5092): aqkftpiwsklehaynywe.exe

- C:\Windows\system32\cmd.exe (PID 4848): C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .
  - C:\Windows\cuqndbwmkehchcctggqie.exe (PID 4996): cuqndbwmkehchcctggqie.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 5080): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."

- C:\Windows\system32\cmd.exe (PID 4988): C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
  - C:\Windows\gumfrlcoiyxopgcpy.exe (PID 3516): gumfrlcoiyxopgcpy.exe

- C:\Windows\system32\cmd.exe (PID 3180): C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .
  - C:\Windows\cuqndbwmkehchcctggqie.exe (PID 5384): cuqndbwmkehchcctggqie.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 1632): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."

- C:\Windows\system32\cmd.exe (PID 1848): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
  - C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe (PID 4004): C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

- C:\Windows\system32\cmd.exe (PID 4620): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
  - C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe (PID 3044): C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 2340): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."

- C:\Windows\system32\cmd.exe (PID 2840): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
  - C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe (PID 1952): C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

- C:\Windows\system32\cmd.exe (PID 2756): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
  - C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe (PID 3708): C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 4616): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System policy modification

- C:\Windows\system32\cmd.exe (PID 4376): C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe
  - C:\Windows\System32\Conhost.exe (PID 1504): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - C:\Windows\pexrezrezqqikcznxu.exe (PID 5144): pexrezrezqqikcznxu.exe

- C:\Windows\system32\cmd.exe (PID 5812): C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .
  - C:\Windows\pexrezrezqqikcznxu.exe (PID 5980): pexrezrezqqikcznxu.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 1208): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."

- C:\Windows\system32\cmd.exe (PID 1584): C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe
  - C:\Windows\pexrezrezqqikcznxu.exe (PID 5948): pexrezrezqqikcznxu.exe

- C:\Windows\system32\cmd.exe (PID 2952): C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .
  - C:\Windows\gumfrlcoiyxopgcpy.exe (PID 2596): gumfrlcoiyxopgcpy.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 2368): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."

- C:\Windows\system32\cmd.exe (PID 5644): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
  - C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe (PID 4032): C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

- C:\Windows\system32\cmd.exe (PID 5456): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
  - C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe (PID 1452): C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 6112): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."

- C:\Windows\system32\cmd.exe (PID 236): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
  - C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe (PID 5180): C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

- C:\Windows\system32\cmd.exe (PID 3128): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
  - C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe (PID 1436): C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 1216): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

- C:\Windows\system32\cmd.exe (PID 5496): C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe
  - C:\Windows\pexrezrezqqikcznxu.exe (PID 5528): pexrezrezqqikcznxu.exe

- C:\Windows\system32\cmd.exe (PID 1964): C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .
  - C:\Windows\gumfrlcoiyxopgcpy.exe (PID 3216): gumfrlcoiyxopgcpy.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 2412): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."

- C:\Windows\system32\cmd.exe (PID 2400): C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe
  - C:\Windows\aqkftpiwsklehaynywe.exe (PID 5324): aqkftpiwsklehaynywe.exe

- C:\Windows\system32\cmd.exe (PID 2192): C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe
  - C:\Windows\System32\Conhost.exe (PID 2600): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - C:\Windows\nezvkhbqngicgazpbaja.exe (PID 760): nezvkhbqngicgazpbaja.exe

- C:\Windows\system32\cmd.exe (PID 964): C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .
  - C:\Windows\aqkftpiwsklehaynywe.exe (PID 3376): aqkftpiwsklehaynywe.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 2616): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."

- C:\Windows\system32\cmd.exe (PID 4512): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
  - C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe (PID 5996): C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

- C:\Windows\system32\cmd.exe (PID 420): C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .
  - C:\Windows\aqkftpiwsklehaynywe.exe (PID 2468): aqkftpiwsklehaynywe.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 5512): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."

- C:\Windows\system32\cmd.exe (PID 3352): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
  - C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe (PID 3492): C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 4880): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

- C:\Windows\system32\cmd.exe (PID 6044): C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
  - C:\Windows\cuqndbwmkehchcctggqie.exe (PID 4800): cuqndbwmkehchcctggqie.exe

- C:\Windows\system32\cmd.exe (PID 4208): C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe
  - C:\Windows\nezvkhbqngicgazpbaja.exe (PID 3288): nezvkhbqngicgazpbaja.exe

- C:\Windows\system32\cmd.exe (PID 4772): C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .
  - C:\Windows\cuqndbwmkehchcctggqie.exe (PID 4392): cuqndbwmkehchcctggqie.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 6048): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."

- C:\Windows\system32\cmd.exe (PID 800): C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
  - C:\Windows\nezvkhbqngicgazpbaja.exe (PID 4832): nezvkhbqngicgazpbaja.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 3432): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

- C:\Windows\system32\cmd.exe (PID 4808): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
  - C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe (PID 3388): C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

- C:\Windows\system32\cmd.exe (PID 1392): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
  - C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe (PID 5740): C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

- C:\Windows\system32\cmd.exe (PID 1236): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
  - C:\Windows\System32\Conhost.exe (PID 2992): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe (PID 4840): C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 440): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."

- C:\Windows\system32\cmd.exe (PID 4784): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
  - C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe (PID 3972): C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 3348): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."

- C:\Windows\system32\cmd.exe (PID 4916): C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe
  - C:\Windows\nezvkhbqngicgazpbaja.exe (PID 4964): nezvkhbqngicgazpbaja.exe

- C:\Windows\system32\cmd.exe (PID 5096): C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
  - C:\Windows\nezvkhbqngicgazpbaja.exe (PID 1384): nezvkhbqngicgazpbaja.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 3168): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

- C:\Windows\system32\cmd.exe (PID 5044): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
  - C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe (PID 5408): C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

- C:\Windows\system32\cmd.exe (PID 1292): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
  - C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe (PID 1912): C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

- C:\Windows\system32\cmd.exe (PID 4004): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
  - C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe (PID 1860): C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 5500): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

- C:\Windows\system32\cmd.exe (PID 4648): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
  - C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe (PID 784): C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 2136): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

- C:\Windows\system32\cmd.exe (PID 3884): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
  - C:\Windows\System32\Conhost.exe (PID 3708): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe (PID 1712): C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

- C:\Windows\system32\cmd.exe (PID 5540): C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
  - C:\Windows\cuqndbwmkehchcctggqie.exe (PID 1808): cuqndbwmkehchcctggqie.exe

- C:\Windows\system32\cmd.exe (PID 5800): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
  - C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe (PID 3604): C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 5804): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

- C:\Windows\system32\cmd.exe (PID 5980): C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .
  - C:\Windows\pexrezrezqqikcznxu.exe (PID 5924): pexrezrezqqikcznxu.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 6068): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."

- C:\Windows\system32\cmd.exe (PID 5928): C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe
  - C:\Windows\pexrezrezqqikcznxu.exe (PID 4924): pexrezrezqqikcznxu.exe

- C:\Windows\system32\cmd.exe (PID 5712): C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .
  - C:\Windows\cuqndbwmkehchcctggqie.exe (PID 5312): cuqndbwmkehchcctggqie.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 2704): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."

- C:\Windows\system32\cmd.exe (PID 2952): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
  - C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe (PID 5908): C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

- C:\Windows\system32\cmd.exe (PID 4628): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
  - C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe (PID 3780): C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 484): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."

- C:\Windows\system32\cmd.exe (PID 4508): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
  - C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe (PID 1436): C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

- C:\Windows\system32\cmd.exe (PID 3004): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
  - C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe (PID 4356): C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 5388): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory

- C:\Windows\system32\cmd.exe (PID 4724): C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
  - C:\Windows\cuqndbwmkehchcctggqie.exe (PID 5988): cuqndbwmkehchcctggqie.exe

- C:\Windows\system32\cmd.exe (PID 1136): C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .
  - C:\Windows\cuqndbwmkehchcctggqie.exe (PID 2760): cuqndbwmkehchcctggqie.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 3944): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."

- C:\Windows\system32\cmd.exe (PID 4536): C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe
  - C:\Windows\aqkftpiwsklehaynywe.exe (PID 2612): aqkftpiwsklehaynywe.exe

- C:\Windows\system32\cmd.exe (PID 2192): C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .
  - C:\Windows\gumfrlcoiyxopgcpy.exe (PID 3376): gumfrlcoiyxopgcpy.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 4680): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."

- C:\Windows\system32\cmd.exe (PID 996): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
  - C:\Windows\System32\Conhost.exe (PID 2616): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe (PID 3048): C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

- C:\Windows\system32\cmd.exe (PID 1112): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
  - C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe (PID 2996): C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 1864): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

- C:\Windows\system32\cmd.exe (PID 1356): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
  - C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe (PID 2728): C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

- C:\Windows\system32\cmd.exe (PID 1528): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
  - C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe (PID 5704): C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 648): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

- C:\Windows\system32\cmd.exe (PID 4852): C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe
  - C:\Windows\pexrezrezqqikcznxu.exe (PID 5056): pexrezrezqqikcznxu.exe

- C:\Windows\system32\cmd.exe (PID 2492): C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
  - C:\Windows\nezvkhbqngicgazpbaja.exe (PID 6048): nezvkhbqngicgazpbaja.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 4832): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

- C:\Windows\system32\cmd.exe (PID 4604): C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe
  - C:\Windows\nezvkhbqngicgazpbaja.exe (PID 4424): nezvkhbqngicgazpbaja.exe

- C:\Windows\system32\cmd.exe (PID 3196): C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
  - C:\Windows\nezvkhbqngicgazpbaja.exe (PID 4888): nezvkhbqngicgazpbaja.exe .
    - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 4840): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

- C:\Windows\system32\cmd.exe (PID 1880): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
  - C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe (PID 408): C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

- C:\Windows\system32\cmd.exe (PID 4200): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
  - C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe (PID 680): C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe (PID 4224): "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."

- C:\Windows\system32\cmd.exe (PID 3864): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
  - C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe (PID 4432): C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

- C:\Windows\system32\cmd.exe (PID 4824): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
  - C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe (PID 1292): C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
    - C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe1⤵PID:5128
-
C:\Windows\zmdvgzpatigwwmht.exezmdvgzpatigwwmht.exe2⤵PID:784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .1⤵PID:2084
-
C:\Windows\cuqndbwmkehchcctggqie.execuqndbwmkehchcctggqie.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2220 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."3⤵PID:5552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe1⤵PID:5444
-
C:\Windows\nezvkhbqngicgazpbaja.exenezvkhbqngicgazpbaja.exe2⤵PID:5576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .1⤵PID:5352
-
C:\Windows\aqkftpiwsklehaynywe.exeaqkftpiwsklehaynywe.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3604 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."3⤵PID:5148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe1⤵PID:3192
-
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exeC:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe2⤵PID:5716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .1⤵PID:4572
-
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exeC:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .2⤵PID:5644
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."3⤵PID:5928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe1⤵PID:5888
-
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe2⤵PID:3136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .1⤵PID:3764
-
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exeC:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .2⤵PID:2704
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:6112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe1⤵PID:5572
-
C:\Windows\cuqndbwmkehchcctggqie.execuqndbwmkehchcctggqie.exe2⤵PID:3520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .1⤵PID:3552
-
C:\Windows\cuqndbwmkehchcctggqie.execuqndbwmkehchcctggqie.exe .2⤵PID:5980
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."3⤵PID:5376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe1⤵PID:2444
-
C:\Windows\cuqndbwmkehchcctggqie.execuqndbwmkehchcctggqie.exe2⤵PID:780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .1⤵PID:1984
-
C:\Windows\gumfrlcoiyxopgcpy.exegumfrlcoiyxopgcpy.exe .2⤵PID:5496
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."3⤵PID:6012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe1⤵PID:3532
-
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exeC:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe2⤵PID:1348
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .1⤵PID:5808
-
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exeC:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .2⤵PID:3896
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."3⤵PID:964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe1⤵PID:3404
-
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exeC:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe2⤵PID:5788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .1⤵PID:1420
-
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .2⤵PID:6064
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe1⤵PID:1112
-
C:\Windows\cuqndbwmkehchcctggqie.execuqndbwmkehchcctggqie.exe2⤵PID:2544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .1⤵PID:3352
-
C:\Windows\aqkftpiwsklehaynywe.exeaqkftpiwsklehaynywe.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5860 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."3⤵PID:5984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe1⤵PID:3356
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3760
-
-
C:\Windows\nezvkhbqngicgazpbaja.exenezvkhbqngicgazpbaja.exe2⤵PID:4732
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .1⤵PID:3316
-
C:\Windows\pexrezrezqqikcznxu.exepexrezrezqqikcznxu.exe .2⤵PID:4556
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."3⤵PID:6056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe1⤵PID:4392
-
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe2⤵PID:4832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .1⤵PID:4892
-
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exeC:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."3⤵PID:3324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe1⤵PID:3580
-
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exeC:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe2⤵PID:5780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .1⤵PID:4836
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3348
-
-
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exeC:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe1⤵PID:3868
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:680
-
-
C:\Windows\nezvkhbqngicgazpbaja.exenezvkhbqngicgazpbaja.exe2⤵PID:5600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .1⤵PID:2476
-
C:\Windows\nezvkhbqngicgazpbaja.exenezvkhbqngicgazpbaja.exe .2⤵PID:5080
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."3⤵PID:3344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe1⤵PID:6028
-
C:\Windows\gumfrlcoiyxopgcpy.exegumfrlcoiyxopgcpy.exe2⤵PID:1560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe1⤵PID:1980
-
C:\Windows\gumfrlcoiyxopgcpy.exegumfrlcoiyxopgcpy.exe2⤵PID:4972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .1⤵PID:3584
-
C:\Windows\pexrezrezqqikcznxu.exepexrezrezqqikcznxu.exe .2⤵PID:4620
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."3⤵PID:6124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .1⤵PID:5068
-
C:\Windows\gumfrlcoiyxopgcpy.exegumfrlcoiyxopgcpy.exe .2⤵PID:5128
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."3⤵PID:5448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe1⤵PID:2512
-
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exeC:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe2⤵PID:5912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .1⤵PID:2288
-
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."3⤵PID:3780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe1⤵PID:4484
-
C:\Windows\zmdvgzpatigwwmht.exezmdvgzpatigwwmht.exe2⤵PID:3968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe1⤵PID:4656
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5716
-
-
C:\Windows\gumfrlcoiyxopgcpy.exegumfrlcoiyxopgcpy.exe2⤵PID:404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .1⤵PID:5160
-
C:\Windows\zmdvgzpatigwwmht.exezmdvgzpatigwwmht.exe .2⤵PID:1780
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."3⤵PID:1828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .1⤵PID:4552
-
C:\Windows\zmdvgzpatigwwmht.exezmdvgzpatigwwmht.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5708 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe1⤵PID:788
-
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe2⤵PID:756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .1⤵PID:5648
-
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exeC:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .2⤵PID:6008
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."3⤵PID:2612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe1⤵PID:1564
-
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe2⤵PID:3368
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .1⤵PID:4416
-
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exeC:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."3⤵PID:2904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe1⤵PID:2484
-
C:\Windows\gumfrlcoiyxopgcpy.exegumfrlcoiyxopgcpy.exe2⤵PID:776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .1⤵PID:3948
-
C:\Windows\cuqndbwmkehchcctggqie.execuqndbwmkehchcctggqie.exe .2⤵PID:4512
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."3⤵PID:2132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe1⤵PID:5968
-
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe2⤵PID:996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe1⤵PID:5952
-
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exeC:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe2⤵PID:3404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .1⤵PID:2540
-
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exeC:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .2⤵PID:6064
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."3⤵PID:5536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .1⤵PID:5564
-
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .2⤵PID:1996
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."3⤵PID:4676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe1⤵PID:1184
-
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe2⤵PID:4208
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe1⤵PID:864
-
C:\Windows\gumfrlcoiyxopgcpy.exegumfrlcoiyxopgcpy.exe2⤵PID:5848
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .1⤵PID:6044
-
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exeC:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1500 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."3⤵PID:4544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .1⤵PID:4732
-
C:\Windows\nezvkhbqngicgazpbaja.exenezvkhbqngicgazpbaja.exe .2⤵PID:5740
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."3⤵PID:1472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe1⤵PID:5412
-
C:\Windows\pexrezrezqqikcznxu.exepexrezrezqqikcznxu.exe2⤵PID:4804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .1⤵PID:6056
-
C:\Windows\aqkftpiwsklehaynywe.exeaqkftpiwsklehaynywe.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4900 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."3⤵PID:3324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe1⤵PID:5028
-
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exeC:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe2⤵PID:4812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .1⤵PID:3468
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3516
-
-
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exeC:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .2⤵PID:5824
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."3⤵PID:1880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe1⤵PID:2348
-
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exeC:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe2⤵PID:5400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .1⤵PID:6072
-
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1536 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe1⤵PID:3040
-
C:\Windows\zmdvgzpatigwwmht.exezmdvgzpatigwwmht.exe2⤵PID:4708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .1⤵PID:4760
-
C:\Windows\pexrezrezqqikcznxu.exepexrezrezqqikcznxu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4872 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."3⤵PID:4984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe1⤵PID:1724
-
C:\Windows\nezvkhbqngicgazpbaja.exenezvkhbqngicgazpbaja.exe2⤵PID:4188
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .1⤵PID:5448
-
C:\Windows\nezvkhbqngicgazpbaja.exenezvkhbqngicgazpbaja.exe .2⤵PID:3884
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."3⤵PID:2220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe1⤵PID:5524
-
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exeC:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe2⤵PID:4004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .1⤵PID:2068
-
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exeC:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .2⤵PID:2088
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."3⤵PID:5148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe1⤵PID:5608
-
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe2⤵PID:5692
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .1⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exeC:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .2⤵PID:2428
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe1⤵PID:5568
-
C:\Windows\pexrezrezqqikcznxu.exepexrezrezqqikcznxu.exe2⤵PID:5888
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .1⤵PID:3956
-
C:\Windows\aqkftpiwsklehaynywe.exeaqkftpiwsklehaynywe.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4592 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."3⤵PID:2124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe1⤵PID:2760
-
C:\Windows\nezvkhbqngicgazpbaja.exenezvkhbqngicgazpbaja.exe2⤵PID:2596
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .1⤵PID:2404
-
C:\Windows\gumfrlcoiyxopgcpy.exegumfrlcoiyxopgcpy.exe .2⤵PID:2612
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."3⤵PID:1308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe1⤵PID:248
-
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe2⤵PID:1288
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .1⤵PID:5712
-
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exeC:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5680 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."3⤵PID:2796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe1⤵PID:780
-
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exeC:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe2⤵PID:4480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .1⤵PID:1320
-
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exeC:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .2⤵PID:2036
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe1⤵PID:4800
-
C:\Windows\cuqndbwmkehchcctggqie.execuqndbwmkehchcctggqie.exe2⤵PID:2312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .1⤵PID:4780
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4676
-
-
C:\Windows\aqkftpiwsklehaynywe.exeaqkftpiwsklehaynywe.exe .2⤵PID:3700
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."3⤵PID:4536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe1⤵PID:5528
-
C:\Windows\gumfrlcoiyxopgcpy.exegumfrlcoiyxopgcpy.exe2⤵PID:3048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .1⤵PID:1184
-
C:\Windows\zmdvgzpatigwwmht.exezmdvgzpatigwwmht.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1164 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."3⤵PID:5832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe1⤵PID:864
-
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe2⤵PID:2988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .1⤵PID:3400
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4424
-
-
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .2⤵PID:5684
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."3⤵PID:4940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe1⤵PID:5792
-
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe2⤵PID:1216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .1⤵PID:3388
-
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exeC:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5588 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
PID:6056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe1⤵PID:4528
-
C:\Windows\gumfrlcoiyxopgcpy.exegumfrlcoiyxopgcpy.exe2⤵PID:1880
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .1⤵PID:5872
-
C:\Windows\gumfrlcoiyxopgcpy.exegumfrlcoiyxopgcpy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1516 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."3⤵PID:3532
-
-
-
C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe | PID 4632
  C:\Windows\aqkftpiwsklehaynywe.exe | cmdline: aqkftpiwsklehaynywe.exe | PID 4104

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe . | PID 3712
  C:\Windows\aqkftpiwsklehaynywe.exe | cmdline: aqkftpiwsklehaynywe.exe . | PID 1860
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*." | PID 3088

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | PID 5172
  C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | PID 3236

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe . | PID 5096
  C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe . | PID 5460
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*." | PID 3036

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | PID 5436
  C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | PID 6028

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe . | PID 5112
  C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe . | PID 2136
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*." | PID 5416
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe | PID 1208
  C:\Windows\gumfrlcoiyxopgcpy.exe | cmdline: gumfrlcoiyxopgcpy.exe | PID 4656

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe . | PID 5552
  C:\Windows\gumfrlcoiyxopgcpy.exe | cmdline: gumfrlcoiyxopgcpy.exe . | PID 3260
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*." | PID 1160

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe | PID 3128
  C:\Windows\gumfrlcoiyxopgcpy.exe | cmdline: gumfrlcoiyxopgcpy.exe | PID 1424

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe . | PID 5928
  C:\Windows\nezvkhbqngicgazpbaja.exe | cmdline: nezvkhbqngicgazpbaja.exe . | PID 5376
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*." | PID 5404

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | PID 4404
  C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | PID 2288

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe . | PID 2200
  C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe . | PID 2400
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*." | PID 464

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | PID 2652
  C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | PID 716

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe . | PID 3956
  C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe . | PID 2748
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*." | PID 3456
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe | PID 2612
  C:\Windows\zmdvgzpatigwwmht.exe | cmdline: zmdvgzpatigwwmht.exe | PID 484

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe . | PID 2252
  C:\Windows\nezvkhbqngicgazpbaja.exe | cmdline: nezvkhbqngicgazpbaja.exe . | PID 1144
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*." | PID 5712

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe | PID 5904
  C:\Windows\pexrezrezqqikcznxu.exe | cmdline: pexrezrezqqikcznxu.exe | PID 5636

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe . | PID 3208
  C:\Windows\zmdvgzpatigwwmht.exe | cmdline: zmdvgzpatigwwmht.exe . | PID 2996
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*." | PID 4076

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | PID 3004
  C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | PID 6064

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe . | PID 1996
  C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2468
  C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe . | PID 1904
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*." | PID 4780

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe | PID 5536
  C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4800
  C:\Windows\gumfrlcoiyxopgcpy.exe | cmdline: gumfrlcoiyxopgcpy.exe | PID 4880

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe . | PID 1372
  C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4680
  C:\Windows\zmdvgzpatigwwmht.exe | cmdline: zmdvgzpatigwwmht.exe . | PID 1380
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*." | PID 2352

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | PID 4788
  C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3288
  C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | PID 832

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe . | PID 5564
  C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe . | PID 2196
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*." | PID 4804
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe | PID 2828
  C:\Windows\pexrezrezqqikcznxu.exe | cmdline: pexrezrezqqikcznxu.exe | PID 5104

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe | PID 4960
  C:\Windows\aqkftpiwsklehaynywe.exe | cmdline: aqkftpiwsklehaynywe.exe | PID 5792

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe . | PID 2728
  C:\Windows\pexrezrezqqikcznxu.exe | cmdline: pexrezrezqqikcznxu.exe . | PID 2372
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*." | PID 4916

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe . | PID 1968
  C:\Windows\cuqndbwmkehchcctggqie.exe | cmdline: cuqndbwmkehchcctggqie.exe . | PID 1620
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*." | PID 1508

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | PID 5772
  C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | PID 4104

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe . | PID 3580
  C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4840
  C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe . | PID 5088
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*." | PID 2112

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe | PID 564
  C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4888
  C:\Windows\nezvkhbqngicgazpbaja.exe | cmdline: nezvkhbqngicgazpbaja.exe | PID 4972

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe . | PID 4752
  C:\Windows\zmdvgzpatigwwmht.exe | cmdline: zmdvgzpatigwwmht.exe . | PID 4432
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*." | PID 2136

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe | PID 1860
  C:\Windows\aqkftpiwsklehaynywe.exe | cmdline: aqkftpiwsklehaynywe.exe | PID 3708

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | PID 4952
  C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | PID 1268

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | PID 4760
  C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | PID 6124

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe . | PID 5048
  C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe . | PID 5844
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*." | PID 2032

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe . | PID 3180
  C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1712
  C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe . | PID 5212
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*." | PID 1632

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe . | PID 5912
  C:\Windows\gumfrlcoiyxopgcpy.exe | cmdline: gumfrlcoiyxopgcpy.exe . | PID 1504
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*." | PID 6092

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe | PID 5924
  C:\Windows\gumfrlcoiyxopgcpy.exe | cmdline: gumfrlcoiyxopgcpy.exe | PID 4636

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | PID 4624
  C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | PID 1452

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe . | PID 3756
  C:\Windows\cuqndbwmkehchcctggqie.exe | cmdline: cuqndbwmkehchcctggqie.exe . | PID 4616
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*." | PID 716

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe . | PID 2288
  C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe . | PID 6120
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*." | PID 2820

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | PID 6116
  C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | PID 1728

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe . | PID 5708
  C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5312
  C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe . | PID 1628
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*." | PID 4452

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe | PID 996
  C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe | PID 2316

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe . | PID 4720
  C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe . | PID 4064
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*." | PID 3136
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe | PID 5580
  C:\Windows\nezvkhbqngicgazpbaja.exe | cmdline: nezvkhbqngicgazpbaja.exe | PID 5712

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe . | PID 4664
  C:\Windows\cuqndbwmkehchcctggqie.exe | cmdline: cuqndbwmkehchcctggqie.exe . | PID 3512
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*." | PID 6096

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe | PID 5280
  C:\Windows\cuqndbwmkehchcctggqie.exe | cmdline: cuqndbwmkehchcctggqie.exe | PID 2160

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe . | PID 5424
  C:\Windows\aqkftpiwsklehaynywe.exe | cmdline: aqkftpiwsklehaynywe.exe . | PID 5904
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*." | PID 5720

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe | PID 2540
  C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe | PID 4208

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe . | PID 420
  C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe . | PID 3760
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*." | PID 4832

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | PID 4048
  C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | PID 5652

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe . | PID 1420
  C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe . | PID 1372
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*." | PID 5768
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe | PID 920
  C:\Windows\pexrezrezqqikcznxu.exe | cmdline: pexrezrezqqikcznxu.exe | PID 3400

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe . | PID 2196
  C:\Windows\gumfrlcoiyxopgcpy.exe | cmdline: gumfrlcoiyxopgcpy.exe . | PID 6044
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*." | PID 696

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe | PID 4980
  C:\Windows\cuqndbwmkehchcctggqie.exe | cmdline: cuqndbwmkehchcctggqie.exe | PID 2372

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe . | PID 5488
  C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1384
  C:\Windows\nezvkhbqngicgazpbaja.exe | cmdline: nezvkhbqngicgazpbaja.exe . | PID 5032
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*." | PID 3516

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | PID 3008
  C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | PID 3196

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe . | PID 3468
  C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3168
  C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe . | PID 1508
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*." | PID 1560

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe | PID 2112
  C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe | PID 3408

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe . | PID 408
  C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe . | PID 2084
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*." | PID 2840
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe | PID 3040
  C:\Windows\gumfrlcoiyxopgcpy.exe | cmdline: gumfrlcoiyxopgcpy.exe | PID 1256

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe . | PID 3224
  C:\Windows\pexrezrezqqikcznxu.exe | cmdline: pexrezrezqqikcznxu.exe . | PID 4752
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*." | PID 4484

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe | PID 3172
  C:\Windows\aqkftpiwsklehaynywe.exe | cmdline: aqkftpiwsklehaynywe.exe | PID 1872

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe . | PID 3780
  C:\Windows\nezvkhbqngicgazpbaja.exe | cmdline: nezvkhbqngicgazpbaja.exe . | PID 1632
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*." | PID 5284

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe | PID 4648
  C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe | PID 3128

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe . | PID 5804
  C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe . | PID 1224
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*." | PID 4004

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | PID 5448
  C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | PID 4624

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe . | PID 2068
  C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe . | PID 5568
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*." | PID 5356
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe | PID 2288
  C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1392
  C:\Windows\gumfrlcoiyxopgcpy.exe | cmdline: gumfrlcoiyxopgcpy.exe | PID 5416

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe . | PID 4452
  C:\Windows\aqkftpiwsklehaynywe.exe | cmdline: aqkftpiwsklehaynywe.exe . | PID 4740
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*." | PID 3520

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe | PID 2788
  C:\Windows\aqkftpiwsklehaynywe.exe | cmdline: aqkftpiwsklehaynywe.exe | PID 5908

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe . | PID 3900
  C:\Windows\gumfrlcoiyxopgcpy.exe | cmdline: gumfrlcoiyxopgcpy.exe . | PID 228
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*." | PID 4672

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe | PID 2612
  C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe | PID 2404

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe . | PID 668
  C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe . | PID 4520
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*." | PID 5968

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | PID 2796
  C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | PID 3204

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe . | PID 5268
  C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe . | PID 1776
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*." | PID 5468
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe | PID 1904
  C:\Windows\zmdvgzpatigwwmht.exe | cmdline: zmdvgzpatigwwmht.exe | PID 5504

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe . | PID 3760
  C:\Windows\gumfrlcoiyxopgcpy.exe | cmdline: gumfrlcoiyxopgcpy.exe . | PID 2152
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*." | PID 1164

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe | PID 5528
  C:\Windows\aqkftpiwsklehaynywe.exe | cmdline: aqkftpiwsklehaynywe.exe | PID 3136

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe . | PID 4864
  C:\Windows\pexrezrezqqikcznxu.exe | cmdline: pexrezrezqqikcznxu.exe . | PID 904
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*." | PID 5684

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | PID 5740
  C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | PID 1216

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe . | PID 2828
  C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe . | PID 5028
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*." | PID 696

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | PID 5564
  C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | PID 4928

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe . | PID 4200
  C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe . | PID 424
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*." | PID 4784

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe | PID 5064
  C:\Windows\gumfrlcoiyxopgcpy.exe | cmdline: gumfrlcoiyxopgcpy.exe | PID 4816

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe . | PID 1128
  C:\Windows\aqkftpiwsklehaynywe.exe | cmdline: aqkftpiwsklehaynywe.exe . | PID 5400
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*." | PID 5020

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe | PID 3408
  C:\Windows\cuqndbwmkehchcctggqie.exe | cmdline: cuqndbwmkehchcctggqie.exe | PID 5096

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe . | PID 3616
  C:\Windows\nezvkhbqngicgazpbaja.exe | cmdline: nezvkhbqngicgazpbaja.exe . | PID 3344
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*." | PID 5548

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe | PID 4188
  C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe | PID 1860

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe . | PID 3088
  C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe . | PID 5132
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*." | PID 5948

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | PID 3224
  C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | PID 5844

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe . | PID 5472
  C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe . | PID 5556
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*." | PID 5596

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe | PID 5048
  C:\Windows\nezvkhbqngicgazpbaja.exe | cmdline: nezvkhbqngicgazpbaja.exe | PID 4568

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe . | PID 1488
  C:\Windows\aqkftpiwsklehaynywe.exe | cmdline: aqkftpiwsklehaynywe.exe . | PID 5112
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*." | PID 5500

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe | PID 4624
  C:\Windows\cuqndbwmkehchcctggqie.exe | cmdline: cuqndbwmkehchcctggqie.exe | PID 6120

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe | PID 2840
  C:\Windows\gumfrlcoiyxopgcpy.exe | cmdline: gumfrlcoiyxopgcpy.exe | PID 2292

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe | PID 436
  C:\Windows\cuqndbwmkehchcctggqie.exe | cmdline: cuqndbwmkehchcctggqie.exe | PID 3368

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe . | PID 2200
  C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2820
  C:\Windows\cuqndbwmkehchcctggqie.exe | cmdline: cuqndbwmkehchcctggqie.exe . | PID 2192
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*." | PID 780

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe . | PID 2408
  C:\Windows\nezvkhbqngicgazpbaja.exe | cmdline: nezvkhbqngicgazpbaja.exe . | PID 3528
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*." | PID 3404

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe . | PID 1028
  C:\Windows\aqkftpiwsklehaynywe.exe | cmdline: aqkftpiwsklehaynywe.exe . | PID 484
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*." | PID 3216

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe | PID 3496
  C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5496
  C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe | PID 6112

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe . | PID 996
  C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe . | PID 6032
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*." | PID 2484

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe | PID 2788
  C:\Windows\zmdvgzpatigwwmht.exe | cmdline: zmdvgzpatigwwmht.exe | PID 5368

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe | PID 2404
  C:\Windows\aqkftpiwsklehaynywe.exe | cmdline: aqkftpiwsklehaynywe.exe | PID 2040

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe . | PID 5788
  C:\Windows\pexrezrezqqikcznxu.exe | cmdline: pexrezrezqqikcznxu.exe . | PID 3624
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*." | PID 1372

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe . | PID 4480
  C:\Windows\zmdvgzpatigwwmht.exe | cmdline: zmdvgzpatigwwmht.exe . | PID 3492
    C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*." | PID 4732

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | PID 2996
  C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | PID 5336

C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | PID 3432
-
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exeC:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe2⤵PID:3760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .1⤵PID:2460
-
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .2⤵PID:1216
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."3⤵PID:4408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe1⤵PID:2444
-
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe2⤵PID:5528
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .1⤵PID:5504
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3700
-
-
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exeC:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .2⤵PID:3588
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."3⤵PID:424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .1⤵PID:3684
-
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .2⤵PID:4604
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."3⤵PID:2196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe1⤵PID:4852
-
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe2⤵PID:4392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe1⤵PID:904
-
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe2⤵PID:4104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .1⤵PID:1900
-
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .2⤵PID:736
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."3⤵PID:5824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .1⤵PID:1472
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1348
-
-
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exeC:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .2⤵PID:1312
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."3⤵PID:5088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe1⤵PID:5488
-
C:\Windows\nezvkhbqngicgazpbaja.exenezvkhbqngicgazpbaja.exe2⤵PID:4884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .1⤵PID:4836
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4556
-
-
C:\Windows\cuqndbwmkehchcctggqie.execuqndbwmkehchcctggqie.exe .2⤵PID:1128
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."3⤵PID:2112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe1⤵PID:5664
-
C:\Windows\pexrezrezqqikcznxu.exepexrezrezqqikcznxu.exe2⤵PID:1860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .1⤵PID:4164
-
C:\Windows\aqkftpiwsklehaynywe.exeaqkftpiwsklehaynywe.exe .2⤵PID:4608
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."3⤵PID:2308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe1⤵PID:4376
-
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exeC:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe2⤵PID:4572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .1⤵PID:3476
-
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .2⤵PID:4824
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."3⤵PID:4760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe1⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exeC:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe2⤵PID:5032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .1⤵PID:4744
-
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exeC:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .2⤵PID:4976
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."3⤵PID:2256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe1⤵PID:3260
-
C:\Windows\pexrezrezqqikcznxu.exepexrezrezqqikcznxu.exe2⤵PID:5144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .1⤵PID:5276
-
C:\Windows\pexrezrezqqikcznxu.exepexrezrezqqikcznxu.exe .2⤵PID:1224
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."3⤵PID:4924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe1⤵PID:6116
-
C:\Windows\pexrezrezqqikcznxu.exepexrezrezqqikcznxu.exe2⤵PID:2044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .1⤵PID:5352
-
C:\Windows\nezvkhbqngicgazpbaja.exenezvkhbqngicgazpbaja.exe .2⤵PID:5568
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."3⤵PID:3412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe1⤵PID:4404
-
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exeC:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe2⤵PID:4068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .1⤵PID:5312
-
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .2⤵PID:4396
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."3⤵PID:5388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe1⤵PID:1272
-
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exeC:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe2⤵PID:1844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .1⤵PID:3524
-
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .2⤵PID:664
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."3⤵PID:6136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe1⤵PID:4664
-
C:\Windows\cuqndbwmkehchcctggqie.execuqndbwmkehchcctggqie.exe2⤵PID:4788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .1⤵PID:5396
-
C:\Windows\pexrezrezqqikcznxu.exepexrezrezqqikcznxu.exe .2⤵PID:2980
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."3⤵PID:2140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe1⤵PID:3624
-
C:\Windows\cuqndbwmkehchcctggqie.execuqndbwmkehchcctggqie.exe2⤵PID:4452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .1⤵PID:2368
-
C:\Windows\aqkftpiwsklehaynywe.exeaqkftpiwsklehaynywe.exe .2⤵PID:1984
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."3⤵PID:4512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe1⤵PID:3252
-
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exeC:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe2⤵PID:2592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .1⤵PID:2556
-
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exeC:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .2⤵PID:6080
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."3⤵PID:5084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe1⤵PID:3592
-
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exeC:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe2⤵PID:5004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .1⤵PID:4604
-
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exeC:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .2⤵PID:4660
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."3⤵PID:1688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe1⤵PID:1132
-
C:\Windows\gumfrlcoiyxopgcpy.exegumfrlcoiyxopgcpy.exe2⤵PID:4368
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .1⤵PID:5364
-
C:\Windows\gumfrlcoiyxopgcpy.exegumfrlcoiyxopgcpy.exe .2⤵PID:3092
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."3⤵PID:5564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe1⤵PID:4848
-
C:\Windows\aqkftpiwsklehaynywe.exeaqkftpiwsklehaynywe.exe2⤵PID:3588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .1⤵PID:5504
-
C:\Windows\cuqndbwmkehchcctggqie.execuqndbwmkehchcctggqie.exe .2⤵PID:6012
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."3⤵PID:1028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe1⤵PID:2648
-
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exeC:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe2⤵PID:3000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .1⤵PID:2992
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4708
-
-
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exeC:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .2⤵PID:3388
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."3⤵PID:4956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe1⤵PID:4892
-
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exeC:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe2⤵PID:1384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .1⤵PID:3708
-
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exeC:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .2⤵PID:1128
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."3⤵PID:6028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe1⤵PID:2364
-
C:\Windows\cuqndbwmkehchcctggqie.execuqndbwmkehchcctggqie.exe2⤵PID:6000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .1⤵PID:5172
-
C:\Windows\pexrezrezqqikcznxu.exepexrezrezqqikcznxu.exe .2⤵PID:5132
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."3⤵PID:5600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe1⤵PID:5068
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:404
-
-
C:\Windows\gumfrlcoiyxopgcpy.exegumfrlcoiyxopgcpy.exe2⤵PID:3088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .1⤵PID:1140
-
C:\Windows\zmdvgzpatigwwmht.exezmdvgzpatigwwmht.exe .2⤵PID:5692
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."3⤵PID:4636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe1⤵PID:3224
-
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exeC:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe2⤵PID:5644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .1⤵PID:3172
-
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exeC:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .2⤵PID:5284
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."3⤵PID:3192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe1⤵PID:4468
-
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exeC:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe2⤵PID:4084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .1⤵PID:4004
-
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exeC:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .2⤵PID:4924
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."3⤵PID:4172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe1⤵PID:5076
-
C:\Windows\nezvkhbqngicgazpbaja.exenezvkhbqngicgazpbaja.exe2⤵PID:2704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .1⤵PID:2760
-
C:\Windows\nezvkhbqngicgazpbaja.exenezvkhbqngicgazpbaja.exe .2⤵PID:412
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."3⤵PID:4064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe1⤵PID:5416
-
C:\Windows\cuqndbwmkehchcctggqie.execuqndbwmkehchcctggqie.exe2⤵PID:2192
-
Network
MITRE ATT&CK Enterprise v16 (tactic, technique (count), sub-technique (count))

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads