Analysis
max time kernel: 56s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20250411-en
resource tags: arch:x64, arch:x86, image:win11-20250411-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21/04/2025, 12:50

Static task: static1

Behavioral task: behavioral1
Sample: JaffaCakes118_c95a495a4c01031dd2c777a44c3fc9e4.exe
Resource: win10v2004-20250410-en

Behavioral task: behavioral2
Sample: JaffaCakes118_c95a495a4c01031dd2c777a44c3fc9e4.exe
Resource: win11-20250411-en

General
Target: JaffaCakes118_c95a495a4c01031dd2c777a44c3fc9e4.exe
Size: 976KB
MD5: c95a495a4c01031dd2c777a44c3fc9e4
SHA1: 51084a46294dd634450c6ac27d9ef870438c4d70
SHA256: 915d73145ca41654c2bd3a3b908de8f2df454c97bb351237bd5498b9954c789a
SHA512: 152a18025948bc9d36f132eed09b3266c97843e0c6c110a3c35d51eeab48d360ca3ad26d25282b935681348eb0731aca6434b162a58e1996cc18e3aa48e1dcd6
SSDEEP: 24576:6xsKXa+hHyWseBg/RfMMMMM2MMMMMoGQS5pv8:6xbbtyWxBg/RfMMMMM2MMMMMTQw8

Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 27 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | wdnqq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | wdnqq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | oonjvdbdyyx.exe

Pykspa family

UAC bypass (3 TTPs, 36 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe

Detect Pykspa worm (2 IoCs)
resource | yara_rule
behavioral2/files/0x000500000002a800-4.dat | family_pykspa
behavioral2/files/0x001c00000002b08d-82.dat | family_pykspa

Adds policy Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlgufvldujxcghyl.exe" | wdnqq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hpaefl = "wttmcxsplfyirxtltfkhh.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlgufvldujxcghyl.exe" | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlgufvldujxcghyl.exe" | wdnqq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wttmcxsplfyirxtltfkhh.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hpaefl = "hdcujdxtohziqvqhozdz.exe" | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hpaefl = "jdaqdvnharhouxqfkt.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hpaefl = "wttmcxsplfyirxtltfkhh.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hpaefl = "hdcujdxtohziqvqhozdz.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hpaefl = "hdcujdxtohziqvqhozdz.exe" | wdnqq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wdnqq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hpaefl = "jdaqdvnharhouxqfkt.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hpaefl = "atpeqhyrjzouzbthl.exe" | wdnqq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdcujdxtohziqvqhozdz.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hpaefl = "atpeqhyrjzouzbthl.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hpaefl = "hdcujdxtohziqvqhozdz.exe" | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hpaefl = "jdaqdvnharhouxqfkt.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wttmcxsplfyirxtltfkhh.exe" | wdnqq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdcujdxtohziqvqhozdz.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hpaefl = "tlgufvldujxcghyl.exe" | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upnesleztlckrvpflvy.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hpaefl = "wttmcxsplfyirxtltfkhh.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hpaefl = "tlgufvldujxcghyl.exe" | wdnqq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdcujdxtohziqvqhozdz.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlgufvldujxcghyl.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upnesleztlckrvpflvy.exe" | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atpeqhyrjzouzbthl.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdcujdxtohziqvqhozdz.exe" | wdnqq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hpaefl = "upnesleztlckrvpflvy.exe" | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdcujdxtohziqvqhozdz.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atpeqhyrjzouzbthl.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atpeqhyrjzouzbthl.exe" | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdaqdvnharhouxqfkt.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hpaefl = "atpeqhyrjzouzbthl.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlgufvldujxcghyl.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hpaefl = "wttmcxsplfyirxtltfkhh.exe" | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdaqdvnharhouxqfkt.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlgufvldujxcghyl.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upnesleztlckrvpflvy.exe" | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hpaefl = "tlgufvldujxcghyl.exe" | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wttmcxsplfyirxtltfkhh.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hpaefl = "tlgufvldujxcghyl.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hpaefl = "upnesleztlckrvpflvy.exe" | wdnqq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hpaefl = "hdcujdxtohziqvqhozdz.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hpaefl = "tlgufvldujxcghyl.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upnesleztlckrvpflvy.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hpaefl = "jdaqdvnharhouxqfkt.exe" | wdnqq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdaqdvnharhouxqfkt.exe" | wdnqq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdcujdxtohziqvqhozdz.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\glt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdaqdvnharhouxqfkt.exe" | oonjvdbdyyx.exe

Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wdnqq.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wdnqq.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wdnqq.exe

Executes dropped EXE (64 IoCs)
pid | Process
3788 | oonjvdbdyyx.exe
4356 | upnesleztlckrvpflvy.exe
4872 | atpeqhyrjzouzbthl.exe
5084 | oonjvdbdyyx.exe
4016 | hdcujdxtohziqvqhozdz.exe
4876 | upnesleztlckrvpflvy.exe
2300 | wttmcxsplfyirxtltfkhh.exe
1148 | oonjvdbdyyx.exe
2460 | hdcujdxtohziqvqhozdz.exe
4528 | oonjvdbdyyx.exe
3288 | wttmcxsplfyirxtltfkhh.exe
4772 | hdcujdxtohziqvqhozdz.exe
3936 | oonjvdbdyyx.exe
5300 | wdnqq.exe
2116 | wdnqq.exe
1872 | wttmcxsplfyirxtltfkhh.exe
3916 | atpeqhyrjzouzbthl.exe
492 | wttmcxsplfyirxtltfkhh.exe
6124 | oonjvdbdyyx.exe
1440 | upnesleztlckrvpflvy.exe
1200 | upnesleztlckrvpflvy.exe
3344 | oonjvdbdyyx.exe
3092 | hdcujdxtohziqvqhozdz.exe
4512 | atpeqhyrjzouzbthl.exe
3364 | wttmcxsplfyirxtltfkhh.exe
1744 | oonjvdbdyyx.exe
348 | atpeqhyrjzouzbthl.exe
1656 | hdcujdxtohziqvqhozdz.exe
3736 | tlgufvldujxcghyl.exe
2680 | tlgufvldujxcghyl.exe
2948 | oonjvdbdyyx.exe
420 | oonjvdbdyyx.exe
3452 | atpeqhyrjzouzbthl.exe
1876 | oonjvdbdyyx.exe
1224 | jdaqdvnharhouxqfkt.exe
1764 | wttmcxsplfyirxtltfkhh.exe
2592 | atpeqhyrjzouzbthl.exe
1560 | tlgufvldujxcghyl.exe
5000 | oonjvdbdyyx.exe
2912 | oonjvdbdyyx.exe
4644 | wttmcxsplfyirxtltfkhh.exe
5824 | oonjvdbdyyx.exe
1092 | wttmcxsplfyirxtltfkhh.exe
5936 | wttmcxsplfyirxtltfkhh.exe
4500 | oonjvdbdyyx.exe
5052 | jdaqdvnharhouxqfkt.exe
4188 | tlgufvldujxcghyl.exe
3944 | oonjvdbdyyx.exe
2300 | jdaqdvnharhouxqfkt.exe
5576 | wttmcxsplfyirxtltfkhh.exe
2880 | oonjvdbdyyx.exe
5984 | upnesleztlckrvpflvy.exe
3360 | hdcujdxtohziqvqhozdz.exe
2892 | oonjvdbdyyx.exe
2636 | tlgufvldujxcghyl.exe
4732 | hdcujdxtohziqvqhozdz.exe
1068 | jdaqdvnharhouxqfkt.exe
5276 | upnesleztlckrvpflvy.exe
2124 | upnesleztlckrvpflvy.exe
4728 | hdcujdxtohziqvqhozdz.exe
5996 | oonjvdbdyyx.exe
568 | tlgufvldujxcghyl.exe
5420 | hdcujdxtohziqvqhozdz.exe
2488 | oonjvdbdyyx.exe

Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | wdnqq.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | wdnqq.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | wdnqq.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | wdnqq.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | wdnqq.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | wdnqq.exe

Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntce = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdcujdxtohziqvqhozdz.exe" oonjvdbdyyx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfuchrbnyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdaqdvnharhouxqfkt.exe" oonjvdbdyyx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\alzgktcnx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdaqdvnharhouxqfkt.exe ." wdnqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wdnqq = "tlgufvldujxcghyl.exe ." wdnqq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wdnqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlgufvldujxcghyl.exe ." wdnqq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jtgmpxfp = "upnesleztlckrvpflvy.exe ." oonjvdbdyyx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntce = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upnesleztlckrvpflvy.exe" oonjvdbdyyx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\udpuwdk = "upnesleztlckrvpflvy.exe" oonjvdbdyyx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jtgmpxfp = "jdaqdvnharhouxqfkt.exe ." 
oonjvdbdyyx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\udpuwdk = "atpeqhyrjzouzbthl.exe" oonjvdbdyyx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jtgmpxfp = "jdaqdvnharhouxqfkt.exe ." oonjvdbdyyx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\udpuwdk = "atpeqhyrjzouzbthl.exe" wdnqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\alzgktcnx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlgufvldujxcghyl.exe ." oonjvdbdyyx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntce = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdaqdvnharhouxqfkt.exe" oonjvdbdyyx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfuchrbnyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wttmcxsplfyirxtltfkhh.exe" oonjvdbdyyx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jtgmpxfp = "atpeqhyrjzouzbthl.exe ." wdnqq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wdnqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atpeqhyrjzouzbthl.exe ." oonjvdbdyyx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntce = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wttmcxsplfyirxtltfkhh.exe" wdnqq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jtgmpxfp = "upnesleztlckrvpflvy.exe ." 
wdnqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wdnqq = "hdcujdxtohziqvqhozdz.exe ." oonjvdbdyyx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntce = "wttmcxsplfyirxtltfkhh.exe" oonjvdbdyyx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntce = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdcujdxtohziqvqhozdz.exe" oonjvdbdyyx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wdnqq = "tlgufvldujxcghyl.exe ." oonjvdbdyyx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jtgmpxfp = "wttmcxsplfyirxtltfkhh.exe ." oonjvdbdyyx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntce = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upnesleztlckrvpflvy.exe" wdnqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\alzgktcnx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upnesleztlckrvpflvy.exe ." oonjvdbdyyx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfuchrbnyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atpeqhyrjzouzbthl.exe" oonjvdbdyyx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wdnqq = "hdcujdxtohziqvqhozdz.exe ." wdnqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\alzgktcnx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlgufvldujxcghyl.exe ." 
oonjvdbdyyx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\udpuwdk = "atpeqhyrjzouzbthl.exe" oonjvdbdyyx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\alzgktcnx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upnesleztlckrvpflvy.exe ." wdnqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wdnqq = "hdcujdxtohziqvqhozdz.exe ." oonjvdbdyyx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntce = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wttmcxsplfyirxtltfkhh.exe" wdnqq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntce = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wttmcxsplfyirxtltfkhh.exe" oonjvdbdyyx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wdnqq = "tlgufvldujxcghyl.exe ." oonjvdbdyyx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntce = "tlgufvldujxcghyl.exe" oonjvdbdyyx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\alzgktcnx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdcujdxtohziqvqhozdz.exe ." oonjvdbdyyx.exe Set value (str) \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\udpuwdk = "wttmcxsplfyirxtltfkhh.exe" oonjvdbdyyx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wdnqq = "hdcujdxtohziqvqhozdz.exe ." 
oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfuchrbnyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdaqdvnharhouxqfkt.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\udpuwdk = "wttmcxsplfyirxtltfkhh.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jtgmpxfp = "atpeqhyrjzouzbthl.exe ." | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jtgmpxfp = "tlgufvldujxcghyl.exe ." | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntce = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atpeqhyrjzouzbthl.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntce = "jdaqdvnharhouxqfkt.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfuchrbnyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdcujdxtohziqvqhozdz.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wdnqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdcujdxtohziqvqhozdz.exe ." | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\udpuwdk = "jdaqdvnharhouxqfkt.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntce = "upnesleztlckrvpflvy.exe" | wdnqq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jtgmpxfp = "hdcujdxtohziqvqhozdz.exe ." | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wdnqq = "wttmcxsplfyirxtltfkhh.exe ." | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\udpuwdk = "tlgufvldujxcghyl.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wdnqq = "jdaqdvnharhouxqfkt.exe ." | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\alzgktcnx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upnesleztlckrvpflvy.exe ." | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\udpuwdk = "wttmcxsplfyirxtltfkhh.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntce = "tlgufvldujxcghyl.exe" | wdnqq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jtgmpxfp = "hdcujdxtohziqvqhozdz.exe ." | wdnqq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wdnqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wttmcxsplfyirxtltfkhh.exe ." | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntce = "jdaqdvnharhouxqfkt.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfuchrbnyh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atpeqhyrjzouzbthl.exe" | oonjvdbdyyx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\udpuwdk = "jdaqdvnharhouxqfkt.exe" | wdnqq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\Run\udpuwdk = "wttmcxsplfyirxtltfkhh.exe" | wdnqq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wdnqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atpeqhyrjzouzbthl.exe ." | wdnqq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wdnqq = "atpeqhyrjzouzbthl.exe ." | oonjvdbdyyx.exe
-
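The rows above show three traits worth checking on any host suspected of carrying this sample: Run/RunOnce values that point into the user's Temp directory, values that are a bare executable name with no path (resolved through the process search path, which is why the sample also drops copies into C:\Windows and C:\Windows\SysWOW64), and a trailing " ." argument. The HKLM entries sit under WOW6432Node because a 32-bit process writing HKLM\SOFTWARE is redirected there; Windows still runs those entries at logon. The following audit script is an added example written for this page, not code from the report or from the sample's tooling. The dropped file names come from the report; the key list and the heuristics are the editor's own assumptions.

```powershell
# Added example, not from the report: audit Run/RunOnce/Winlogon autostart entries on a host
# and flag the traits this sample's entries show. Run in an elevated PowerShell session.

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',      # where a 32-bit writer lands
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# File names this sample drops (taken from the report's IoC rows).
$knownDrops = @(
    'oonjvdbdyyx.exe', 'wdnqq.exe', 'tlgufvldujxcghyl.exe', 'nlmgxtpnkfzkubyrantrsm.exe',
    'hdcujdxtohziqvqhozdz.exe', 'upnesleztlckrvpflvy.exe', 'atpeqhyrjzouzbthl.exe',
    'jdaqdvnharhouxqfkt.exe', 'wttmcxsplfyirxtltfkhh.exe'
)

function Test-SuspiciousAutostart {
    # Returns the reasons an autostart value looks like this sample's; nothing when it looks clean.
    param([string]$Value)
    $reasons = @()
    $cmd = ($Value -replace '"', '').Trim()
    if ($cmd -match '\\AppData\\Local\\Temp\\') { $reasons += 'points into %TEMP%' }
    if ($cmd -match '^[^\\]+\.exe(\s|$)')        { $reasons += 'bare file name, resolved via the search path' }
    if ($cmd -match '\s\.$')                     { $reasons += 'trailing " ." argument' }
    foreach ($name in $knownDrops) {
        if ($cmd -match ('(^|\\)' + [regex]::Escape($name))) { $reasons += "dropped file name $name" }
    }
    return $reasons
}

$findings = @(foreach ($key in $autostartKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSChildName/... properties
        $why = Test-SuspiciousAutostart -Value ([string]$p.Value)
        if ($why) {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value; Why = ($why -join '; ') }
        }
    }
})

# Winlogon Shell should be exactly explorer.exe (-ne compares case-insensitively in PowerShell).
foreach ($wl in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon') {
    $shell = (Get-ItemProperty -LiteralPath $wl -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'explorer.exe') {
        $findings += [pscustomobject]@{ Key = $wl; Name = 'Shell'; Value = $shell; Why = 'Winlogon shell replaced' }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

One caveat: the Winlogon rows earlier in this report show the sample writing the default value "Explorer.exe" back into Shell, so the Shell comparison passes on an infected host. That write is visible only to registry auditing (for instance Sysmon Event ID 13 on the Winlogon key), not to a value comparison after the fact.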
Checks whether UAC is enabled 1 TTPs 54 IoCs
description | ioc | Process | consecutive rows
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe | 6
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe | 1
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe | 3
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe | 2
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe | 4
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe | 3
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe | 3
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wdnqq.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe | 2
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe | 2
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe | 3
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe | 4
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wdnqq.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe | 1
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe | 1
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe | 1
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wdnqq.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe | 4
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe | 1
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oonjvdbdyyx.exe | 2
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users. EnableInstallerDetection = 0 disables the UAC policy "Detect application installations and prompt for elevation", so setup programs no longer trigger an elevation prompt.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | wdnqq.exe
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | www.whatismyip.ca
1 | whatismyip.everdot.org
1 | whatismyipaddress.com
1 | www.showmyipaddress.com
8 | www.whatismyip.ca
-
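The flow table lists the host names only; it does not say which process resolved them. On a live host the same lookups are visible as Sysmon DnsQuery events (Event ID 22), which carry both the query name and the process image. The script below is an added example written for this page, not part of the report: it takes DnsQuery-shaped records, matches them against the four host names from the table plus a substring pattern that is the editor's assumption about the wider family of such services, and groups the hits per process. The sample events are constructed for the example, and their attribution to wdnqq.exe is illustrative only.

```powershell
# Added example, not from the report: find processes that query public "what is my IP" services,
# using the fields Sysmon logs in Event ID 22 (DnsQuery). The events below are constructed for
# the example; the end of the block shows how to feed real ones in.

# Host names seen in this report, plus a pattern (an assumption) for the wider family of services.
$ipCheckHosts   = @('www.whatismyip.ca', 'whatismyip.everdot.org', 'whatismyipaddress.com', 'www.showmyipaddress.com')
$ipCheckPattern = 'whatismyip|showmyip|myipaddress'

function Test-IpCheckQuery {
    param([string]$QueryName)
    $q = $QueryName.ToLowerInvariant().TrimEnd('.')
    return ($ipCheckHosts -contains $q) -or ($q -match $ipCheckPattern)
}

function Find-IpCheckLookups {
    # Takes DnsQuery-shaped objects (Image, QueryName) from the pipeline and groups hits per process.
    param([Parameter(ValueFromPipeline = $true)][object]$Event)
    begin   { $hits = [System.Collections.Generic.List[object]]::new() }
    process { if (Test-IpCheckQuery $Event.QueryName) { $hits.Add($Event) } }
    end {
        $hits | Group-Object Image | ForEach-Object {
            [pscustomobject]@{
                Image   = $_.Name
                Count   = $_.Count
                Queries = (($_.Group | ForEach-Object { $_.QueryName } | Sort-Object -Unique) -join ', ')
            }
        }
    }
}

# Constructed sample events. The report does not say which process performed the lookups;
# the wdnqq.exe attribution here is illustrative only.
$sampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2025-04-21 12:51:03'; Image = 'C:\Windows\SysWOW64\wdnqq.exe';              QueryName = 'www.whatismyip.ca' },
    [pscustomobject]@{ TimeCreated = '2025-04-21 12:51:04'; Image = 'C:\Program Files\Mozilla Firefox\firefox.exe'; QueryName = 'www.mozilla.org' },
    [pscustomobject]@{ TimeCreated = '2025-04-21 12:51:09'; Image = 'C:\Windows\SysWOW64\wdnqq.exe';              QueryName = 'whatismyipaddress.com' },
    [pscustomobject]@{ TimeCreated = '2025-04-21 12:51:30'; Image = 'C:\Windows\System32\svchost.exe';            QueryName = 'ctldl.windowsupdate.com' }
)

$sampleEvents | Find-IpCheckLookups | Format-Table -AutoSize

# Live host: project Sysmon's Event ID 22 into the same shape and feed it to the function.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22 } |
#   ForEach-Object {
#       $d = @{}; ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#       [pscustomobject]@{ TimeCreated = $_.TimeCreated; Image = $d['Image']; QueryName = $d['QueryName'] }
#   } | Find-IpCheckLookups
```

On the constructed input the function reports one row, wdnqq.exe with two distinct queries; firefox.exe and svchost.exe do not match. Browsers visiting such a site by hand will also match, so the process image, not the host name alone, is what makes the hit interesting.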
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\tlgufvldujxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\tlgufvldujxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\nlmgxtpnkfzkubyrantrsm.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\nlmgxtpnkfzkubyrantrsm.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\hdcujdxtohziqvqhozdz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\hdcujdxtohziqvqhozdz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\tlgufvldujxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\nlmgxtpnkfzkubyrantrsm.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\hdcujdxtohziqvqhozdz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\upnesleztlckrvpflvy.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\tlgufvldujxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\atpeqhyrjzouzbthl.exe | wdnqq.exe
File opened for modification | C:\Windows\SysWOW64\jdaqdvnharhouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\atpeqhyrjzouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\jdaqdvnharhouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\tlgufvldujxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\wttmcxsplfyirxtltfkhh.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\wttmcxsplfyirxtltfkhh.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\hdcujdxtohziqvqhozdz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\nlmgxtpnkfzkubyrantrsm.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\nlmgxtpnkfzkubyrantrsm.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\jdaqdvnharhouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\wttmcxsplfyirxtltfkhh.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\tlgufvldujxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\upnesleztlckrvpflvy.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\atpeqhyrjzouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\tlgufvldujxcghyl.exe | wdnqq.exe
File opened for modification | C:\Windows\SysWOW64\atpeqhyrjzouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\atpeqhyrjzouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\wttmcxsplfyirxtltfkhh.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\tlgufvldujxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\nlmgxtpnkfzkubyrantrsm.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\hdcujdxtohziqvqhozdz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\upnesleztlckrvpflvy.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\atpeqhyrjzouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\upnesleztlckrvpflvy.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\nlmgxtpnkfzkubyrantrsm.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\tlgufvldujxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\nlmgxtpnkfzkubyrantrsm.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\hdcujdxtohziqvqhozdz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\tlgufvldujxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\atpeqhyrjzouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\upnesleztlckrvpflvy.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\hdcujdxtohziqvqhozdz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\wttmcxsplfyirxtltfkhh.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\atpeqhyrjzouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\Sys WOW64\jdaqdvnharhouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\tlgufvldujxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\jdaqdvnharhouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\nlmgxtpnkfzkubyrantrsm.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\upnesleztlckrvpflvy.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\hdcujdxtohziqvqhozdz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\wttmcxsplfyirxtltfkhh.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\jdaqdvnharhouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\hdcujdxtohziqvqhozdz.exe | wdnqq.exe
File opened for modification | C:\Windows\SysWOW64\atpeqhyrjzouzbthl.exe | wdnqq.exe
File opened for modification | C:\Windows\SysWOW64\jdaqdvnharhouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\hdcujdxtohziqvqhozdz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\jdaqdvnharhouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\nlmgxtpnkfzkubyrantrsm.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\tlgufvldujxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\hdcujdxtohziqvqhozdz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\SysWOW64\upnesleztlckrvpflvy.exe | wdnqq.exe
File opened for modification | C:\Windows\SysWOW64\gltusvydhjkcthllbvinvwuxa.jlm | wdnqq.exe
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\lbugpdrhwjvyazozafdtmyhvjzobnqsrgrsx.leq | wdnqq.exe
File created | C:\Program Files (x86)\lbugpdrhwjvyazozafdtmyhvjzobnqsrgrsx.leq | wdnqq.exe
File opened for modification | C:\Program Files (x86)\gltusvydhjkcthllbvinvwuxa.jlm | wdnqq.exe
File created | C:\Program Files (x86)\gltusvydhjkcthllbvinvwuxa.jlm | wdnqq.exe
-
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\atpeqhyrjzouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\upnesleztlckrvpflvy.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\upnesleztlckrvpflvy.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\jdaqdvnharhouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\upnesleztlckrvpflvy.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\atpeqhyrjzouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\atpeqhyrjzouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\jdaqdvnharhouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\hdcujdxtohziqvqhozdz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\jdaqdvnharhouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\tlgufvldujxcghyl.exe | wdnqq.exe
File opened for modification | C:\Windows\tlgufvldujxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\wttmcxsplfyirxtltfkhh.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\upnesleztlckrvpflvy.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\hdcujdxtohziqvqhozdz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\nlmgxtpnkfzkubyrantrsm.exe | wdnqq.exe
File opened for modification | C:\Windows\hdcujdxtohziqvqhozdz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\atpeqhyrjzouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\hdcujdxtohziqvqhozdz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\hdcujdxtohziqvqhozdz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\jdaqdvnharhouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\hdcujdxtohziqvqhozdz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\atpeqhyrjzouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\tlgufvldujxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\jdaqdvnharhouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\nlmgxtpnkfzkubyrantrsm.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\nlmgxtpnkfzkubyrantrsm.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\tlgufvldujxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\jdaqdvnharhouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\tlgufvldujxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\hdcujdxtohziqvqhozdz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\jdaqdvnharhouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\tlgufvldujxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\jdaqdvnharhouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\nlmgxtpnkfzkubyrantrsm.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\jdaqdvnharhouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\upnesleztlckrvpflvy.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\tlgufvldujxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\nlmgxtpnkfzkubyrantrsm.exe | oonjvdbdyyx.exe
File created | C:\Windows\lbugpdrhwjvyazozafdtmyhvjzobnqsrgrsx.leq | wdnqq.exe
File opened for modification | C:\Windows\hdcujdxtohziqvqhozdz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\hdcujdxtohziqvqhozdz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\hdcujdxtohziqvqhozdz.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\wttmcxsplfyirxtltfkhh.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\upnesleztlckrvpflvy.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\upnesleztlckrvpflvy.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\nlmgxtpnkfzkubyrantrsm.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\tlgufvldujxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\atpeqhyrjzouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\nlmgxtpnkfzkubyrantrsm.exe | wdnqq.exe
File opened for modification | C:\Windows\jdaqdvnharhouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\nlmgxtpnkfzkubyrantrsm.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\upnesleztlckrvpflvy.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\tlgufvldujxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\jdaqdvnharhouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\upnesleztlckrvpflvy.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\jdaqdvnharhouxqfkt.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\wttmcxsplfyirxtltfkhh.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\wttmcxsplfyirxtltfkhh.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\atpeqhyrjzouzbthl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\tlgufvldujxcghyl.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\wttmcxsplfyirxtltfkhh.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\wttmcxsplfyirxtltfkhh.exe | oonjvdbdyyx.exe
File opened for modification | C:\Windows\nlmgxtpnkfzkubyrantrsm.exe | oonjvdbdyyx.exe
-
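The three "Drops file" sections above (System32, Program Files and Windows directory) show the same set of randomly named executables written into the roots of C:\Windows and C:\Windows\SysWOW64, plus two data files with made-up extensions (.jlm, .leq) in C:\Windows and C:\Program Files (x86). Writing there needs administrative rights, which is consistent with the UAC tampering elsewhere in this report. The hunt script below is an added example written for this page, not code from the report: it checks those directory roots for the listed names, and more generally for recently written executables there that carry no valid Authenticode signature. The file names and the SHA256 of the submitted sample come from the report; the dropped copies are not guaranteed to be byte-identical to it, so the hash comparison is only a bonus check. The "recent" window and the directory list are the editor's assumptions.

```powershell
# Added example, not from the report: hunt for the files this sample drops into C:\Windows,
# C:\Windows\SysWOW64 and C:\Program Files (x86), and for anything else in those directory
# roots that shares their traits (recent executable, no valid Authenticode signature).
# Run in an elevated PowerShell session on the host under investigation.

$dirs = @($env:SystemRoot, "$env:SystemRoot\SysWOW64", ${env:ProgramFiles(x86)})

# File names from the report's "Drops file" rows, and the submitted sample's SHA256 from its header.
$knownDrops = @(
    'tlgufvldujxcghyl.exe', 'nlmgxtpnkfzkubyrantrsm.exe', 'hdcujdxtohziqvqhozdz.exe',
    'upnesleztlckrvpflvy.exe', 'atpeqhyrjzouzbthl.exe', 'jdaqdvnharhouxqfkt.exe',
    'wttmcxsplfyirxtltfkhh.exe', 'gltusvydhjkcthllbvinvwuxa.jlm', 'lbugpdrhwjvyazozafdtmyhvjzobnqsrgrsx.leq'
)
$sampleSha256 = '915D73145CA41654C2BD3A3B908DE8F2DF454C97BB351237BD5498B9954C789A'
$since = (Get-Date).AddDays(-30)   # assumption: how far back a write still counts as "recent"

function Find-DroppedFiles {
    param([string[]]$Directories)
    foreach ($dir in $Directories) {
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
        # Directory root only (no -Recurse): that is where the sample writes its copies.
        foreach ($f in Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue) {
            $reasons = @()
            if ($knownDrops -contains $f.Name) { $reasons += 'name listed in the report' }
            if ($f.Extension -in @('.exe', '.dll') -and $f.LastWriteTime -gt $since) {
                # Catalog-signed Windows binaries report Valid here; unsigned drops report NotSigned.
                $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
                if ($sig.Status -ne 'Valid') { $reasons += "recent executable, signature $($sig.Status)" }
            }
            if (-not $reasons) { continue }
            $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            if ($hash -eq $sampleSha256) { $reasons += 'SHA256 matches the submitted sample' }
            [pscustomobject]@{
                Path      = $f.FullName
                Size      = $f.Length
                LastWrite = $f.LastWriteTime
                SHA256    = $hash
                Why       = ($reasons -join '; ')
            }
        }
    }
}

Find-DroppedFiles -Directories $dirs | Format-Table -AutoSize -Wrap
```

The SHA256 column is there so that matches can be fed back into the same sandbox or a hash-based blocklist; the report only gives the hash of the submitted file, so any copy with a different hash should be submitted separately.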
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tlgufvldujxcghyl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hdcujdxtohziqvqhozdz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jdaqdvnharhouxqfkt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wttmcxsplfyirxtltfkhh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnesleztlckrvpflvy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | atpeqhyrjzouzbthl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hdcujdxtohziqvqhozdz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wttmcxsplfyirxtltfkhh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jdaqdvnharhouxqfkt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnesleztlckrvpflvy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | atpeqhyrjzouzbthl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hdcujdxtohziqvqhozdz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tlgufvldujxcghyl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hdcujdxtohziqvqhozdz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wttmcxsplfyirxtltfkhh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hdcujdxtohziqvqhozdz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jdaqdvnharhouxqfkt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tlgufvldujxcghyl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tlgufvldujxcghyl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wttmcxsplfyirxtltfkhh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tlgufvldujxcghyl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hdcujdxtohziqvqhozdz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnesleztlckrvpflvy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | atpeqhyrjzouzbthl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wttmcxsplfyirxtltfkhh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wttmcxsplfyirxtltfkhh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hdcujdxtohziqvqhozdz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnesleztlckrvpflvy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnesleztlckrvpflvy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hdcujdxtohziqvqhozdz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hdcujdxtohziqvqhozdz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnesleztlckrvpflvy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnesleztlckrvpflvy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnesleztlckrvpflvy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tlgufvldujxcghyl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnesleztlckrvpflvy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wttmcxsplfyirxtltfkhh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tlgufvldujxcghyl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wttmcxsplfyirxtltfkhh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wttmcxsplfyirxtltfkhh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hdcujdxtohziqvqhozdz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tlgufvldujxcghyl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wttmcxsplfyirxtltfkhh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | atpeqhyrjzouzbthl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hdcujdxtohziqvqhozdz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oonjvdbdyyx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | atpeqhyrjzouzbthl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnesleztlckrvpflvy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hdcujdxtohziqvqhozdz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | atpeqhyrjzouzbthl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wttmcxsplfyirxtltfkhh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tlgufvldujxcghyl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hdcujdxtohziqvqhozdz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | atpeqhyrjzouzbthl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | atpeqhyrjzouzbthl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jdaqdvnharhouxqfkt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hdcujdxtohziqvqhozdz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jdaqdvnharhouxqfkt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jdaqdvnharhouxqfkt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hdcujdxtohziqvqhozdz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hdcujdxtohziqvqhozdz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tlgufvldujxcghyl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | atpeqhyrjzouzbthl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jdaqdvnharhouxqfkt.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | consecutive rows
2752 | JaffaCakes118_c95a495a4c01031dd2c777a44c3fc9e4.exe | 16
5300 | wdnqq.exe | 2
2752 | JaffaCakes118_c95a495a4c01031dd2c777a44c3fc9e4.exe | 26
5300 | wdnqq.exe | 2
2752 | JaffaCakes118_c95a495a4c01031dd2c777a44c3fc9e4.exe | 18
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5300 | wdnqq.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | consecutive rows
PID 2752 wrote to memory of 3788 | 2752 | JaffaCakes118_c95a495a4c01031dd2c777a44c3fc9e4.exe | 78 | 3
PID 5944 wrote to memory of 4356 | 5944 | cmd.exe | 81 | 3
PID 4792 wrote to memory of 4872 | 4792 | cmd.exe | 84 | 3
PID 4872 wrote to memory of 5084 | 4872 | atpeqhyrjzouzbthl.exe | 87 | 3
PID 3180 wrote to memory of 4016 | 3180 | cmd.exe | 88 | 3
PID 4288 wrote to memory of 4876 | 4288 | cmd.exe | 91 | 3
PID 1772 wrote to memory of 2300 | 1772 | cmd.exe | 94 | 3
PID 4876 wrote to memory of 1148 | 4876 | upnesleztlckrvpflvy.exe | 97 | 3
PID 4672 wrote to memory of 2460 | 4672 | cmd.exe | 98 | 3
PID 2460 wrote to memory of 4528 | 2460 | hdcujdxtohziqvqhozdz.exe | 99 | 3
PID 4532 wrote to memory of 3288 | 4532 | cmd.exe | 102 | 3
PID 432 wrote to memory of 4772 | 432 | cmd.exe | 105 | 3
PID 4772 wrote to memory of 3936 | 4772 | hdcujdxtohziqvqhozdz.exe | 106 | 3
PID 3788 wrote to memory of 5300 | 3788 | oonjvdbdyyx.exe | 107 | 3
PID 3788 wrote to memory of 2116 | 3788 | oonjvdbdyyx.exe | 108 | 3
PID 4724 wrote to memory of 1872 | 4724 | cmd.exe | 113 | 3
PID 1684 wrote to memory of 3916 | 1684 | cmd.exe | 114 | 3
PID 1852 wrote to memory of 492 | 1852 | cmd.exe | 225 | 3
PID 492 wrote to memory of 6124 | 492 | wttmcxsplfyirxtltfkhh.exe | 120 | 3
PID 236 wrote to memory of 1440 | 236 | cmd.exe | 230 | 3
PID 2968 wrote to memory of 1200 | 2968 | cmd.exe | 128 | 3
PID 1440 wrote to memory of 3344 | 1440 | upnesleztlckrvpflvy.exe | 129 | 1
-
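Two things about the WriteProcessMemory rows are easy to misread. Each process creation shows up as three identical rows (the loader writes the child's memory three times before it starts), and the last column is procid_target, the report's own index for the target process, not a Windows PID; 1852 spawning 492 is listed with target 225 while 492 later appears as a parent with index 120 on its own child. The script below is an added example written for this page, not part of the report's tooling: it parses rows in this exact layout, collapses the triplicates into one edge per parent/child pair, and prints the spawn chain as a tree. The rows embedded in it are copied from the table above; a child's name is known only when it later acts as a parent itself, which is why 5300 (wdnqq.exe according to the AdjustPrivilegeToken row) prints without a name here.

```powershell
# Added example, not from the report's tooling: rebuild the spawn chain from the
# "wrote to memory of" rows. Each CreateProcess appears as three identical WriteProcessMemory
# rows, and the trailing number is the report's own process index (procid_target), not a PID.
# The rows below are copied from the table above (a subset is enough to show the shape).

$rows = @'
PID 2752 wrote to memory of 3788 2752 JaffaCakes118_c95a495a4c01031dd2c777a44c3fc9e4.exe 78
PID 2752 wrote to memory of 3788 2752 JaffaCakes118_c95a495a4c01031dd2c777a44c3fc9e4.exe 78
PID 2752 wrote to memory of 3788 2752 JaffaCakes118_c95a495a4c01031dd2c777a44c3fc9e4.exe 78
PID 4792 wrote to memory of 4872 4792 cmd.exe 84
PID 4872 wrote to memory of 5084 4872 atpeqhyrjzouzbthl.exe 87
PID 4288 wrote to memory of 4876 4288 cmd.exe 91
PID 4876 wrote to memory of 1148 4876 upnesleztlckrvpflvy.exe 97
PID 3788 wrote to memory of 5300 3788 oonjvdbdyyx.exe 107
PID 3788 wrote to memory of 2116 3788 oonjvdbdyyx.exe 108
PID 1852 wrote to memory of 492 1852 cmd.exe 225
PID 492 wrote to memory of 6124 492 wttmcxsplfyirxtltfkhh.exe 120
'@ -split "`r?`n"

$rowPattern = '^PID (?<parent>\d+) wrote to memory of (?<child>\d+) \d+ (?<name>\S+) (?<target>\d+)$'

function ConvertFrom-WriteRows {
    # One edge per distinct parent->child pair; the triplicate rows collapse here.
    param([string[]]$Lines)
    $seen = @{}
    foreach ($line in $Lines) {
        if ($line -notmatch $rowPattern) { continue }
        $key = "$($Matches['parent'])->$($Matches['child'])"
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true
        [pscustomobject]@{
            Parent     = [int]$Matches['parent']
            ParentName = $Matches['name']
            Child      = [int]$Matches['child']
            Target     = [int]$Matches['target']   # report index, kept for cross-referencing the process list
        }
    }
}

function Show-SpawnTree {
    param([object[]]$Edges)
    # Names are only known for processes that appear as a parent somewhere in the rows.
    $names = @{}
    $children = @{}
    $isChild = @{}
    foreach ($e in $Edges) {
        $names[$e.Parent] = $e.ParentName
        if (-not $children.ContainsKey($e.Parent)) { $children[$e.Parent] = @() }
        $children[$e.Parent] += $e.Child
        $isChild[$e.Child] = $true
    }
    $roots = $Edges | ForEach-Object { $_.Parent } | Sort-Object -Unique | Where-Object { -not $isChild.ContainsKey($_) }

    function Write-Node {
        param([int]$ProcessId, [int]$Depth)
        $label = if ($names.ContainsKey($ProcessId)) { $names[$ProcessId] } else { '(name not in rows)' }
        ('  ' * $Depth) + "$ProcessId $label"
        if ($children.ContainsKey($ProcessId)) {
            foreach ($c in $children[$ProcessId]) { Write-Node -ProcessId $c -Depth ($Depth + 1) }
        }
    }
    foreach ($r in $roots) { Write-Node -ProcessId $r -Depth 0 }
}

$edges = ConvertFrom-WriteRows -Lines $rows
Show-SpawnTree -Edges $edges
```

With the embedded rows the tree has four roots (1852, 2752, 4288 and 4792): the submitted sample spawning oonjvdbdyyx.exe, which in turn spawns 5300 and 2116, and three cmd.exe instances each launching one of the dropped executables, which then spawn a further child. The cmd.exe parents have no recorded parent of their own in these rows, so their origin has to be read from the process list elsewhere in the report rather than from this table.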
System policy modification 1 TTPs 64 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | wdnqq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | wdnqq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | wdnqq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | wdnqq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | wdnqq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wdnqq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | oonjvdbdyyx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | oonjvdbdyyx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | oonjvdbdyyx.exe
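The writes in the table above target the UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System plus Explorer\NoDriveTypeAutoRun. EnableLUA = 0 switches UAC off entirely at the next reboot, ConsentPromptBehaviorAdmin = 0 lets administrators elevate with no prompt, ConsentPromptBehaviorUser = 0 auto-denies standard users' elevation requests so no prompt is ever shown, PromptOnSecureDesktop = 0 takes the prompt off the secure desktop, and DisableRegistryTools = 1 blocks regedit; FilterAdministratorToken = 0 and ValidateAdminCodeSignatures = 0 only restate the stock defaults. The Python below is an added example, not tooling from the sandbox: it parses rows in the flattened "description ioc Process" form shown above, compares each written value with a baseline of stock Windows 10/11 defaults, and lists per process which settings were actually moved off the default. The row excerpt is copied from the table; the baseline table and the helper names are my own.

```python
import re
from collections import defaultdict

# Excerpt of rows copied from the "System policy modification" table above,
# in the flattened "description ioc Process" form the export uses.
POLICY_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" oonjvdbdyyx.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" oonjvdbdyyx.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wdnqq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System oonjvdbdyyx.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" oonjvdbdyyx.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" oonjvdbdyyx.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" wdnqq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" wdnqq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wdnqq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" wdnqq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" wdnqq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" wdnqq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" oonjvdbdyyx.exe
"""

# One row: '<op> <registry path>[ = "<value>"] <process>'.
ROW_RE = re.compile(
    r'(?P<op>Set value \(\w+\)|Key created)\s+(?P<path>\\REGISTRY\\\S+)'
    r'(?:\s+=\s+"(?P<value>[^"]*)")?\s+(?P<proc>\S+\.exe)'
)

# Stock Windows 10/11 defaults used as the baseline (my own table, not from
# the report): value name -> (default, what the write achieves once it moves
# the setting off that default).
BASELINE = {
    "EnableLUA": (1, "UAC disabled entirely after the next reboot"),
    "ConsentPromptBehaviorAdmin": (5, "administrators elevate with no consent prompt"),
    "ConsentPromptBehaviorUser": (3, "standard users' elevation requests auto-denied, no prompt"),
    "PromptOnSecureDesktop": (1, "elevation prompts shown on the normal desktop, where they can be driven"),
    "FilterAdministratorToken": (0, "built-in Administrator runs without Admin Approval Mode"),
    "ValidateAdminCodeSignatures": (0, "no signature check on binaries that elevate"),
    "EnableVirtualization": (1, "file and registry virtualization for legacy apps switched off"),
    "EnableSecureUIAPaths": (1, "UIAccess apps accepted from non-secure locations"),
    "DisableRegistryTools": (0, "regedit blocked, hindering inspection and cleanup"),
    "NoDriveTypeAutoRun": (0x91, "AutoRun re-enabled for drive types the 0x91 default blocks"),
}


def parse_policy_rows(text):
    """Return dicts {op, key, name, value, proc}; name/value are None for 'Key created'."""
    rows = []
    for m in ROW_RE.finditer(text.replace("|", " ")):
        if m["value"] is None:
            key, name, value = m["path"], None, None
        else:
            key, _, name = m["path"].rpartition("\\")
            value = int(m["value"], 0)  # decimal or 0x-prefixed as exported
        rows.append({"op": m["op"], "key": key, "name": name, "value": value, "proc": m["proc"]})
    return rows


def assess(rows):
    """Compare every value write against BASELINE; 'changed' is False when the
    sample merely rewrote the stock default (still worth noting as intent)."""
    findings = []
    for r in rows:
        if r["name"] not in BASELINE:
            continue
        default, effect = BASELINE[r["name"]]
        changed = r["value"] != default
        findings.append({"proc": r["proc"], "name": r["name"], "observed": r["value"],
                         "default": default, "changed": changed,
                         "effect": effect if changed else "restates the default; no change"})
    return findings


def weakened_by_process(findings):
    """{process: sorted names of settings it actually moved off the default}."""
    out = defaultdict(set)
    for f in findings:
        if f["changed"]:
            out[f["proc"]].add(f["name"])
    return {p: sorted(names) for p, names in out.items()}


if __name__ == "__main__":
    found = assess(parse_policy_rows(POLICY_ROWS))
    for f in found:
        print(f"{f['proc']:16} {f['name']:28} {f['observed']!s:>4} (default {f['default']}) {f['effect']}")
    print(weakened_by_process(found))
```

The same baseline doubles as a host check: reading these values on a machine that ran the sample and diffing them against BASELINE tells you what to restore before rebooting, since the EnableLUA change only bites once the machine restarts.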
Processes
[1] PID 2752 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c95a495a4c01031dd2c777a44c3fc9e4.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c95a495a4c01031dd2c777a44c3fc9e4.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] PID 3788 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c95a495a4c01031dd2c777a44c3fc9e4.exe*"
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Hijack Execution Flow: Executable Installer File Permissions Weakness
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - System policy modification
        [3] PID 5300 | C:\Users\Admin\AppData\Local\Temp\wdnqq.exe | "C:\Users\Admin\AppData\Local\Temp\wdnqq.exe" "-C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe"
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Impair Defenses: Safe Mode Boot
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Hijack Execution Flow: Executable Installer File Permissions Weakness
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - System policy modification
        [3] PID 2116 | C:\Users\Admin\AppData\Local\Temp\wdnqq.exe | "C:\Users\Admin\AppData\Local\Temp\wdnqq.exe" "-C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe"
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Hijack Execution Flow: Executable Installer File Permissions Weakness
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
[1] PID 5944 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe
    - Suspicious use of WriteProcessMemory
    [2] PID 4356 | C:\Windows\upnesleztlckrvpflvy.exe | upnesleztlckrvpflvy.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
[1] PID 4792 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe .
    - Suspicious use of WriteProcessMemory
    [2] PID 4872 | C:\Windows\atpeqhyrjzouzbthl.exe | atpeqhyrjzouzbthl.exe .
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] PID 5084 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\atpeqhyrjzouzbthl.exe*."
            - Executes dropped EXE
[1] PID 3180 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe
    - Suspicious use of WriteProcessMemory
    [2] PID 4016 | C:\Windows\hdcujdxtohziqvqhozdz.exe | hdcujdxtohziqvqhozdz.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
[1] PID 4288 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe .
    - Suspicious use of WriteProcessMemory
    [2] PID 4876 | C:\Windows\upnesleztlckrvpflvy.exe | upnesleztlckrvpflvy.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] PID 1148 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\upnesleztlckrvpflvy.exe*."
            - Executes dropped EXE
[1] PID 1772 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe
    - Suspicious use of WriteProcessMemory
    [2] PID 2300 | C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe | C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe
        - Executes dropped EXE
[1] PID 4672 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .
    - Suspicious use of WriteProcessMemory
    [2] PID 2460 | C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe | C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] PID 4528 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*."
            - Executes dropped EXE
[1] PID 4532 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe
    - Suspicious use of WriteProcessMemory
    [2] PID 3288 | C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe | C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe
        - Executes dropped EXE
[1] PID 432 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .
    - Suspicious use of WriteProcessMemory
    [2] PID 4772 | C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe | C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] PID 3936 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*."
            - Executes dropped EXE
[1] PID 4724 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe
    - Suspicious use of WriteProcessMemory
    [2] PID 1872 | C:\Windows\wttmcxsplfyirxtltfkhh.exe | wttmcxsplfyirxtltfkhh.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
[1] PID 1684 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe
    - Suspicious use of WriteProcessMemory
    [2] PID 3916 | C:\Windows\atpeqhyrjzouzbthl.exe | atpeqhyrjzouzbthl.exe
        - Executes dropped EXE
[1] PID 1852 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe .
    - Suspicious use of WriteProcessMemory
    [2] PID 492 | C:\Windows\wttmcxsplfyirxtltfkhh.exe | wttmcxsplfyirxtltfkhh.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] PID 6124 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\wttmcxsplfyirxtltfkhh.exe*."
            - Executes dropped EXE
[1] PID 236 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe .
    - Suspicious use of WriteProcessMemory
    [2] PID 1440 | C:\Windows\upnesleztlckrvpflvy.exe | upnesleztlckrvpflvy.exe .
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] PID 3344 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\upnesleztlckrvpflvy.exe*."
            - Executes dropped EXE
[1] PID 2968 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe
    - Suspicious use of WriteProcessMemory
    [2] PID 1200 | C:\Windows\upnesleztlckrvpflvy.exe | upnesleztlckrvpflvy.exe
        - Executes dropped EXE
[1] PID 660 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe .
    [2] PID 3092 | C:\Windows\hdcujdxtohziqvqhozdz.exe | hdcujdxtohziqvqhozdz.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] PID 1744 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\hdcujdxtohziqvqhozdz.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
[1] PID 4368 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe
    [2] PID 4512 | C:\Windows\atpeqhyrjzouzbthl.exe | atpeqhyrjzouzbthl.exe
        - Executes dropped EXE
[1] PID 4708 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe
    [2] PID 348 | C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe
        - Executes dropped EXE
[1] PID 3988 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe .
    [2] PID 3364 | C:\Windows\wttmcxsplfyirxtltfkhh.exe | wttmcxsplfyirxtltfkhh.exe .
        - Executes dropped EXE
        [3] PID 2948 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\wttmcxsplfyirxtltfkhh.exe*."
            - Executes dropped EXE
[1] PID 4008 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .
    [2] PID 1656 | C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe | C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .
        - Executes dropped EXE
        [3] PID 420 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*."
            - Executes dropped EXE
[1] PID 720 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe
    [2] PID 3736 | C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe | C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe
        - Executes dropped EXE
[1] PID 5180 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe .
    [2] PID 2680 | C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe | C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] PID 1876 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tlgufvldujxcghyl.exe*."
            - Executes dropped EXE
[1] PID 864 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe
    [2] PID 3452 | C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe
        - Executes dropped EXE
[1] PID 1212 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .
    [2] PID 2592 | C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .
        - Executes dropped EXE
        [3] PID 2912 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\atpeqhyrjzouzbthl.exe*."
            - Executes dropped EXE
[1] PID 5544 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe
    [2] PID 1764 | C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe | C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe
        - Executes dropped EXE
[1] PID 6128 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .
    [2] PID 1224 | C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .
        - Executes dropped EXE
        [3] PID 5000 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\jdaqdvnharhouxqfkt.exe*."
            - Executes dropped EXE
[1] PID 4960 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe
    [2] PID 1560 | C:\Windows\tlgufvldujxcghyl.exe | tlgufvldujxcghyl.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
[1] PID 4648 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe .
    [2] PID 4644 | C:\Windows\wttmcxsplfyirxtltfkhh.exe | wttmcxsplfyirxtltfkhh.exe .
        - Executes dropped EXE
        [3] PID 5824 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\wttmcxsplfyirxtltfkhh.exe*."
            - Executes dropped EXE
[1] PID 1768 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe
    [2] PID 1092 | C:\Windows\wttmcxsplfyirxtltfkhh.exe | wttmcxsplfyirxtltfkhh.exe
        - Executes dropped EXE
[1] PID 5892 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe .
    [2] PID 5936 | C:\Windows\wttmcxsplfyirxtltfkhh.exe | wttmcxsplfyirxtltfkhh.exe .
        - Executes dropped EXE
        [3] PID 4500 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\wttmcxsplfyirxtltfkhh.exe*."
            - Executes dropped EXE
[1] PID 4800 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe
    [2] PID 5052 | C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe
        - Executes dropped EXE
[1] PID 4812 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe .
    [2] PID 4188 | C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe | C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] PID 3944 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tlgufvldujxcghyl.exe*."
            - Executes dropped EXE
[1] PID 5884 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe
    [2] PID 2300 | C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe
        - Executes dropped EXE
[1] PID 4880 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe .
    [2] PID 5576 | C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe | C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] PID 2880 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\wttmcxsplfyirxtltfkhh.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
[1] PID 4524 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe
    [2] PID 5984 | C:\Windows\upnesleztlckrvpflvy.exe | upnesleztlckrvpflvy.exe
        - Executes dropped EXE
[1] PID 2456 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe .
    [2] PID 3360 | C:\Windows\hdcujdxtohziqvqhozdz.exe | hdcujdxtohziqvqhozdz.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] PID 2892 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\hdcujdxtohziqvqhozdz.exe*."
            - Executes dropped EXE
[1] PID 3152 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe
    [2] PID 2636 | C:\Windows\tlgufvldujxcghyl.exe | tlgufvldujxcghyl.exe
        - Executes dropped EXE
[1] PID 5836 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe
    [2] PID 4732 | C:\Windows\hdcujdxtohziqvqhozdz.exe | hdcujdxtohziqvqhozdz.exe
        - Executes dropped EXE
[1] PID 3264 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe .
    [2] PID 1068 | C:\Windows\jdaqdvnharhouxqfkt.exe | jdaqdvnharhouxqfkt.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] PID 5996 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\jdaqdvnharhouxqfkt.exe*."
            - Executes dropped EXE
[1] PID 1740 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe
    [2] PID 5276 | C:\Windows\upnesleztlckrvpflvy.exe | upnesleztlckrvpflvy.exe
        - Executes dropped EXE
[1] PID 4224 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe
    [2] PID 2124 | C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe | C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe
        - Executes dropped EXE
[1] PID 6048 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe .
    [2] PID 4728 | C:\Windows\hdcujdxtohziqvqhozdz.exe | hdcujdxtohziqvqhozdz.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] PID 2488 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\hdcujdxtohziqvqhozdz.exe*."
            - Executes dropped EXE
[1] PID 5020 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe .
    [2] PID 568 | C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe | C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe .
        - Executes dropped EXE
        [3] PID 2008 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tlgufvldujxcghyl.exe*."
[1] PID 4480 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe .
    [2] PID 5420 | C:\Windows\hdcujdxtohziqvqhozdz.exe | hdcujdxtohziqvqhozdz.exe .
        - Executes dropped EXE
        [3] PID 1940 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\hdcujdxtohziqvqhozdz.exe*."
[1] PID 5712 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe
    [2] PID 492 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] PID 2284 | C:\Windows\wttmcxsplfyirxtltfkhh.exe | wttmcxsplfyirxtltfkhh.exe
[1] PID 964 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe
    [2] PID 1568 | C:\Windows\tlgufvldujxcghyl.exe | tlgufvldujxcghyl.exe
[1] PID 836 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe .
    [2] PID 1440 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] PID 1664 | C:\Windows\tlgufvldujxcghyl.exe | tlgufvldujxcghyl.exe .
        [3] PID 3476 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tlgufvldujxcghyl.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
[1] PID 2332 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe
    [2] PID 3068 | C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe
[1] PID 1428 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe .
    [2] PID 6008 | C:\Windows\hdcujdxtohziqvqhozdz.exe | hdcujdxtohziqvqhozdz.exe .
        - System Location Discovery: System Language Discovery
        [3] PID 1516 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\hdcujdxtohziqvqhozdz.exe*."
[1] PID 2316 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe
    [2] PID 2668 | C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe | C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe
[1] PID 2504 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe .
    [2] PID 3112 | C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe | C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe .
        [3] PID 2676 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\wttmcxsplfyirxtltfkhh.exe*."
[1] PID 424 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .
    [2] PID 3856 | C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .
        - System Location Discovery: System Language Discovery
        [3] PID 3144 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\jdaqdvnharhouxqfkt.exe*."
[1] PID 5364 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe
    [2] PID 1608 | C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe | C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe
[1] PID 1280 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .
    [2] PID 2200 | C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbth l.exe | C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .
        - System Location Discovery: System Language Discovery
        [3] PID 3228 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\atpeqhyrjzouzbthl.exe*."
[1] PID 1048 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe
    [2] PID 864 | C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe
[1] PID 4064 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .
    [2] PID 4484 | C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .
        - System Location Discovery: System Language Discovery
        [3] PID 4184 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\jdaqdvnharhouxqfkt.exe*."
[1] PID 1052 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe
    [2] PID 5000 | C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe | C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe
[1] PID 5920 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .
    [2] PID 1552 | C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe | C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .
        - System Location Discovery: System Language Discovery
        [3] PID 488 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*."
[1] PID 1360 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe
    [2] PID 3104 | C:\Windows\wttmcxsplfyirxtltfkhh.exe | wttmcxsplfyirxtltfkhh.exe
[1] PID 5888 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe .
    [2] PID 5520 | C:\Windows\upnesleztlckrvpflvy.exe | upnesleztlckrvpflvy.exe .
        - System Location Discovery: System Language Discovery
        [3] PID 1168 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\upnesleztlckrvpflvy.exe*."
[1] PID 6000 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe
    [2] PID 2280 | C:\Windows\wttmcxsplfyirxtltfkhh.exe | wttmcxsplfyirxtltfkhh.exe
[1] PID 5796 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe .
    [2] PID 5052 | C:\Windows\upnesleztlckrvpflvy.exe | upnesleztlckrvpflvy.exe .
        [3] PID 4864 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\upnesleztlckrvpflvy.exe*."
[1] PID 4700 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe
    [2] PID 4848 | C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe | C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe
[1] PID 5820 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .
    [2] PID 4084 | C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .
        [3] PID 4296 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\jdaqdvnharhouxqfkt.exe*."
[1] PID 4792 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe
    [2] PID 2268 | C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe | C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe
[1] PID 4376 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .
    [2] PID 1744 | C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .
        [3] PID 4340 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\jdaqdvnharhouxqfkt.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in Windows directory
            - System policy modification
[1] PID 2308 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe
    [2] PID 4272 | C:\Windows\jdaqdvnharhouxqfkt.exe | jdaqdvnharhouxqfkt.exe
[1] PID 2936 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe .
    [2] PID 4320 | C:\Windows\tlgufvldujxcghyl.exe | tlgufvldujxcghyl.exe .
        [3] PID 916 | C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tlgufvldujxcghyl.exe*."
[1] PID 4520 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe
    [2] PID 4348 | C:\Windows\atpeqhyrjzouzbthl.exe | atpeqhyrjzouzbthl.exe
[1] PID 4464 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe .
-
C:\Windows\jdaqdvnharhouxqfkt.exejdaqdvnharhouxqfkt.exe .2⤵PID:3608
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\jdaqdvnharhouxqfkt.exe*."3⤵PID:1740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe1⤵PID:3152
-
C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exeC:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe2⤵PID:3164
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .1⤵PID:3908
-
C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exeC:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .2⤵PID:3568
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*."3⤵PID:2992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe1⤵PID:3564
-
C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exeC:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe2⤵PID:604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .1⤵PID:3940
-
C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exeC:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .2⤵PID:4232
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe1⤵PID:6068
-
C:\Windows\tlgufvldujxcghyl.exetlgufvldujxcghyl.exe2⤵PID:6048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe .1⤵PID:1568
-
C:\Windows\tlgufvldujxcghyl.exetlgufvldujxcghyl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1432 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tlgufvldujxcghyl.exe*."3⤵PID:492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe1⤵PID:5684
-
C:\Windows\hdcujdxtohziqvqhozdz.exehdcujdxtohziqvqhozdz.exe2⤵PID:5880
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe .1⤵PID:4720
-
C:\Windows\jdaqdvnharhouxqfkt.exejdaqdvnharhouxqfkt.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1340 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\jdaqdvnharhouxqfkt.exe*."3⤵PID:4012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe1⤵PID:1608
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3068
-
-
C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exeC:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe2⤵PID:3556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe .1⤵PID:1648
-
C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exeC:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4628 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\upnesleztlckrvpflvy.exe*."3⤵PID:5904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe1⤵PID:3120
-
C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exeC:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe2⤵PID:560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .1⤵PID:3160
-
C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exeC:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .2⤵PID:1980
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe1⤵PID:4120
-
C:\Windows\wttmcxsplfyirxtltfkhh.exewttmcxsplfyirxtltfkhh.exe2⤵PID:4548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe .1⤵PID:2848
-
C:\Windows\atpeqhyrjzouzbthl.exeatpeqhyrjzouzbthl.exe .2⤵PID:3144
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\atpeqhyrjzouzbthl.exe*."3⤵PID:5384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe1⤵PID:3800
-
C:\Windows\atpeqhyrjzouzbthl.exeatpeqhyrjzouzbthl.exe2⤵PID:4496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe .1⤵PID:1048
-
C:\Windows\wttmcxsplfyirxtltfkhh.exewttmcxsplfyirxtltfkhh.exe .2⤵PID:420
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\wttmcxsplfyirxtltfkhh.exe*."3⤵PID:2548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe1⤵PID:4596
-
C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exeC:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe2⤵PID:1224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .1⤵PID:4184
-
C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .2⤵PID:1552
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\jdaqdvnharhouxqfkt.exe*."3⤵PID:5780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe1⤵PID:5968
-
C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exeC:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe2⤵PID:5448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe .1⤵PID:5912
-
C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exeC:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe .2⤵PID:4712
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\wttmcxsplfyirxtltfkhh.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe1⤵PID:3772
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5824
-
-
C:\Windows\tlgufvldujxcghyl.exetlgufvldujxcghyl.exe2⤵PID:988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe .1⤵PID:4776
-
C:\Windows\upnesleztlckrvpflvy.exeupnesleztlckrvpflvy.exe .2⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\upnesleztlckrvpflvy.exe*."3⤵PID:5052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe1⤵PID:2336
-
C:\Windows\hdcujdxtohziqvqhozdz.exehdcujdxtohziqvqhozdz.exe2⤵PID:2060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe .1⤵PID:5068
-
C:\Windows\atpeqhyrjzouzbthl.exeatpeqhyrjzouzbthl.exe .2⤵PID:5056
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\atpeqhyrjzouzbthl.exe*."3⤵PID:3476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe1⤵PID:5828
-
C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exeC:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe2⤵PID:5444
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe .1⤵PID:4664
-
C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exeC:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5576 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\wttmcxsplfyirxtltfkhh.exe*."3⤵PID:956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe1⤵PID:636
-
C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exeC:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe2⤵PID:764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe .1⤵PID:2476
-
C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exeC:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe .2⤵PID:2308
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tlgufvldujxcghyl.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe1⤵PID:4524
-
C:\Windows\tlgufvldujxcghyl.exetlgufvldujxcghyl.exe2⤵PID:1996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe .1⤵PID:5280
-
C:\Windows\tlgufvldujxcghyl.exetlgufvldujxcghyl.exe .2⤵PID:5372
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tlgufvldujxcghyl.exe*."3⤵PID:5564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe1⤵PID:580
-
C:\Windows\tlgufvldujxcghyl.exetlgufvldujxcghyl.exe2⤵PID:3432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe .1⤵PID:3748
-
C:\Windows\wttmcxsplfyirxtltfkhh.exewttmcxsplfyirxtltfkhh.exe .2⤵PID:3596
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\wttmcxsplfyirxtltfkhh.exe*."3⤵PID:4744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe1⤵PID:1660
-
C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exeC:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe2⤵PID:4540
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe .1⤵PID:2168
-
C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exeC:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4024 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\upnesleztlckrvpflvy.exe*."3⤵PID:3264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe1⤵PID:2052
-
C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exeC:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe2⤵PID:388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .1⤵PID:3884
-
C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exeC:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .2⤵PID:5172
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\atpeqhyrjzouzbthl.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:2872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe1⤵PID:1568
-
C:\Windows\hdcujdxtohziqvqhozdz.exehdcujdxtohziqvqhozdz.exe2⤵PID:2344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe .1⤵PID:4964
-
C:\Windows\jdaqdvnharhouxqfkt.exejdaqdvnharhouxqfkt.exe .2⤵PID:2356
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\jdaqdvnharhouxqfkt.exe*."3⤵PID:4012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe1⤵PID:3556
-
C:\Windows\atpeqhyrjzouzbthl.exeatpeqhyrjzouzbthl.exe2⤵PID:4988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe1⤵PID:3676
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6008
-
-
C:\Windows\upnesleztlckrvpflvy.exeupnesleztlckrvpflvy.exe2⤵PID:1516
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe1⤵PID:964
-
C:\Windows\upnesleztlckrvpflvy.exeupnesleztlckrvpflvy.exe2⤵PID:5016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe .1⤵PID:5992
-
C:\Windows\wttmcxsplfyirxtltfkhh.exewttmcxsplfyirxtltfkhh.exe .2⤵PID:5396
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\wttmcxsplfyirxtltfkhh.exe*."3⤵PID:1544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe .1⤵PID:2332
-
C:\Windows\hdcujdxtohziqvqhozdz.exehdcujdxtohziqvqhozdz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5628 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\hdcujdxtohziqvqhozdz.exe*."3⤵PID:5216
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe .1⤵PID:3020
-
C:\Windows\wttmcxsplfyirxtltfkhh.exewttmcxsplfyirxtltfkhh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4320 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\wttmcxsplfyirxtltfkhh.exe*."3⤵PID:2712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe1⤵PID:5164
-
C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exeC:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe2⤵PID:1524
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe .1⤵PID:4820
-
C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exeC:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe .2⤵PID:4116
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\wttmcxsplfyirxtltfkhh.exe*."3⤵PID:1364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe1⤵PID:3204
-
C:\Windows\hdcujdxtohziqvqhozdz.exehdcujdxtohziqvqhozdz.exe2⤵PID:2308
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe1⤵PID:5948
-
C:\Windows\upnesleztlckrvpflvy.exeupnesleztlckrvpflvy.exe2⤵PID:2592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe .1⤵PID:5924
-
C:\Windows\tlgufvldujxcghyl.exetlgufvldujxcghyl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3452 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tlgufvldujxcghyl.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe .1⤵PID:5608
-
C:\Windows\atpeqhyrjzouzbthl.exeatpeqhyrjzouzbthl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5236 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\atpeqhyrjzouzbthl.exe*."3⤵PID:5100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe1⤵PID:1416
-
C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exeC:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe2⤵PID:1048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe1⤵PID:2340
-
C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exeC:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe2⤵PID:6120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe .1⤵PID:5180
-
C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exeC:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4648 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\upnesleztlckrvpflvy.exe*."3⤵PID:2916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe1⤵PID:1552
-
C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exeC:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe2⤵PID:3536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .1⤵PID:2480
-
C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exeC:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .2⤵PID:5812
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*."3⤵PID:5312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .1⤵PID:5520
-
C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .2⤵PID:4356
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\jdaqdvnharhouxqfkt.exe*."3⤵PID:4808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe1⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exeC:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe2⤵PID:3644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe .1⤵PID:5052
-
C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exeC:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3420 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\upnesleztlckrvpflvy.exe*."3⤵PID:4352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe1⤵PID:4776
-
C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exeC:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe2⤵PID:3392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .1⤵PID:2268
-
C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exeC:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .2⤵PID:956
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*."3⤵PID:3360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe1⤵PID:4664
-
C:\Windows\upnesleztlckrvpflvy.exeupnesleztlckrvpflvy.exe2⤵PID:2892
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe .1⤵PID:5984
-
C:\Windows\tlgufvldujxcghyl.exetlgufvldujxcghyl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5940 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tlgufvldujxcghyl.exe*."3⤵PID:2072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe1⤵PID:3152
-
C:\Windows\tlgufvldujxcghyl.exetlgufvldujxcghyl.exe2⤵PID:5276
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe .1⤵PID:3164
-
C:\Windows\atpeqhyrjzouzbthl.exeatpeqhyrjzouzbthl.exe .2⤵PID:3936
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\atpeqhyrjzouzbthl.exe*."3⤵PID:5604
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe1⤵PID:5324
-
C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exeC:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe2⤵PID:1660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .1⤵PID:2992
-
C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .2⤵PID:1068
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\jdaqdvnharhouxqfkt.exe*."3⤵PID:1852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe1⤵PID:4728
-
C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exeC:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe2⤵PID:5344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe .1⤵PID:5288
-
C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exeC:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe .2⤵PID:2008
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\wttmcxsplfyirxtltfkhh.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe1⤵PID:5420
-
C:\Windows\hdcujdxtohziqvqhozdz.exehdcujdxtohziqvqhozdz.exe2⤵PID:4704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe .1⤵PID:1540
-
C:\Windows\upnesleztlckrvpflvy.exeupnesleztlckrvpflvy.exe .2⤵PID:4652
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\upnesleztlckrvpflvy.exe*."3⤵PID:1608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe1⤵PID:2240
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1340
-
-
C:\Windows\wttmcxsplfyirxtltfkhh.exewttmcxsplfyirxtltfkhh.exe2⤵PID:3000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe .1⤵PID:5684
-
C:\Windows\hdcujdxtohziqvqhozdz.exehdcujdxtohziqvqhozdz.exe .2⤵PID:5528
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\hdcujdxtohziqvqhozdz.exe*."3⤵PID:3548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe1⤵PID:3588
-
C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe2⤵PID:5720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .1⤵PID:6028
-
C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exeC:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:560 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\atpeqhyrjzouzbthl.exe*."3⤵PID:3144
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe1⤵PID:5384
-
C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe2⤵PID:2592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .1⤵PID:1048
-
C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exeC:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\atpeqhyrjzouzbthl.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe1⤵PID:2200
-
C:\Windows\tlgufvldujxcghyl.exetlgufvldujxcghyl.exe2⤵PID:3228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe .1⤵PID:5076
-
C:\Windows\atpeqhyrjzouzbthl.exeatpeqhyrjzouzbthl.exe .2⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\atpeqhyrjzouzbthl.exe*."3⤵PID:5236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe1⤵PID:5716
-
C:\Windows\upnesleztlckrvpflvy.exeupnesleztlckrvpflvy.exe2⤵PID:5772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe .1⤵PID:1236
-
C:\Windows\hdcujdxtohziqvqhozdz.exehdcujdxtohziqvqhozdz.exe .2⤵PID:1332
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\hdcujdxtohziqvqhozdz.exe*."3⤵PID:5624
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe1⤵PID:6136
-
C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exeC:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe2⤵PID:4888
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe .1⤵PID:5352
-
C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exeC:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe .2⤵PID:4748
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\upnesleztlckrvpflvy.exe*."3⤵PID:5936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe1⤵PID:5944
-
C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exeC:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe2⤵PID:1028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .1⤵PID:944
-
C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exeC:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .2⤵PID:1148
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\atpeqhyrjzouzbthl.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4352
-
-
-

PID:1168  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe
    PID:2460  C:\Windows\atpeqhyrjzouzbthl.exe  |  atpeqhyrjzouzbthl.exe

PID:4992  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe .
    PID:5892  C:\Windows\tlgufvldujxcghyl.exe  |  tlgufvldujxcghyl.exe .
        PID:3944  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tlgufvldujxcghyl.exe*."

PID:1648  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe
    PID:696  C:\Windows\jdaqdvnharhouxqfkt.exe  |  jdaqdvnharhouxqfkt.exe

PID:5748  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe .
    PID:2612  C:\Windows\tlgufvldujxcghyl.exe  |  tlgufvldujxcghyl.exe .
        - System Location Discovery: System Language Discovery
        PID:4148  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tlgufvldujxcghyl.exe*."

PID:4708  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe
    PID:4164  C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe  |  C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe

PID:1240  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .
    PID:3496  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe  |  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .
        - System Location Discovery: System Language Discovery
        PID:1524  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*."

PID:2476  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe
    PID:2264  C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe  |  C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe

PID:3836  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe .
    PID:3860  C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe  |  C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe .
        - System Location Discovery: System Language Discovery
        PID:4772  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\upnesleztlckrvpflvy.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

PID:2020  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe
    PID:648  C:\Windows\atpeqhyrjzouzbthl.exe  |  atpeqhyrjzouzbthl.exe

PID:5580  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe .
    PID:1504  C:\Windows\tlgufvldujxcghyl.exe  |  tlgufvldujxcghyl.exe .
        - System Location Discovery: System Language Discovery
        PID:4476  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tlgufvldujxcghyl.exe*."

PID:4924  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe
    PID:3716  C:\Windows\wttmcxsplfyirxtltfkhh.exe  |  wttmcxsplfyirxtltfkhh.exe

PID:5824  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe .
    PID:388  C:\Windows\jdaqdvnharhouxqfkt.exe  |  jdaqdvnharhouxqfkt.exe .
        PID:1200  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\jdaqdvnharhouxqfkt.exe*."

PID:3288  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe
    PID:2104  C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe  |  C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe

PID:1856  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .
    PID:3248  C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe  |  C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .
        - System Location Discovery: System Language Discovery
        PID:1568  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\atpeqhyrjzouzbthl.exe*."

PID:2344  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe
    PID:5368  C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe  |  C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe

PID:3168  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .
    PID:3872  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe  |  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .
        PID:2316  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

PID:6008  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe
    PID:5568  C:\Windows\jdaqdvnharhouxqfkt.exe  |  jdaqdvnharhouxqfkt.exe

PID:3980  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe .
    PID:3144  C:\Windows\jdaqdvnharhouxqfkt.exe  |  jdaqdvnharhouxqfkt.exe .
        PID:2240  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\jdaqdvnharhouxqfkt.exe*."

PID:424  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe
    PID:2648  C:\Windows\wttmcxsplfyirxtltfkhh.exe  |  wttmcxsplfyirxtltfkhh.exe

PID:4672  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe .
    PID:948  C:\Windows\wttmcxsplfyirxtltfkhh.exe  |  wttmcxsplfyirxtltfkhh.exe .
        - System Location Discovery: System Language Discovery
        PID:2912  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\wttmcxsplfyirxtltfkhh.exe*."

PID:5132  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe
    PID:5948  C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe  |  C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe

PID:2872  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe .
    PID:804  C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe  |  C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe .
        PID:1792  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\upnesleztlckrvpflvy.exe*."

PID:3888  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe
    PID:5080  C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe  |  C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe

PID:5636  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe .
    PID:2864  C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe  |  C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe .
        - System Location Discovery: System Language Discovery
        PID:4648  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\wttmcxsplfyirxtltfkhh.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

PID:4884  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe
    PID:4356  C:\Windows\upnesleztlckrvpflvy.exe  |  upnesleztlckrvpflvy.exe

PID:1824  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe .
    PID:4336  C:\Windows\hdcujdxtohziqvqhozdz.exe  |  hdcujdxtohziqvqhozdz.exe .
        - System Location Discovery: System Language Discovery
        PID:5312  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\hdcujdxtohziqvqhozdz.exe*."

PID:5620  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe
    PID:3156  C:\Windows\tlgufvldujxcghyl.exe  |  tlgufvldujxcghyl.exe

PID:4788  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe .
    PID:2480  C:\Windows\wttmcxsplfyirxtltfkhh.exe  |  wttmcxsplfyirxtltfkhh.exe .
        PID:4900  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\wttmcxsplfyirxtltfkhh.exe*."

PID:6020  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe
    PID:4272  C:\Windows\hdcujdxtohziqvqhozdz.exe  |  hdcujdxtohziqvqhozdz.exe

PID:1148  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe
    PID:440  C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe  |  C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe

PID:5064  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .
    PID:2216  C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe  |  C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .
        - System Location Discovery: System Language Discovery
        PID:4664  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\atpeqhyrjzouzbthl.exe*."

PID:336  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe
    PID:3160  C:\Windows\atpeqhyrjzouzbthl.exe  |  atpeqhyrjzouzbthl.exe

PID:5056  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe .
    PID:1580  C:\Windows\tlgufvldujxcghyl.exe  |  tlgufvldujxcghyl.exe .
        PID:4840  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tlgufvldujxcghyl.exe*."

PID:3204  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe .
    PID:3856  C:\Windows\hdcujdxtohziqvqhozdz.exe  |  hdcujdxtohziqvqhozdz.exe .
        - System Location Discovery: System Language Discovery
        PID:604  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\hdcujdxtohziqvqhozdz.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory

PID:5036  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe
    PID:4740  C:\Windows\hdcujdxtohziqvqhozdz.exe  |  hdcujdxtohziqvqhozdz.exe

PID:5408  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe
    PID:2456  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe  |  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe

PID:2072  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .
    PID:2416  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe  |  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .
        - System Location Discovery: System Language Discovery
        PID:3164  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*."

PID:3496  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe .
    PID:3908  C:\Windows\atpeqhyrjzouzbthl.exe  |  atpeqhyrjzouzbthl.exe .
        - System Location Discovery: System Language Discovery
        PID:1736  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\atpeqhyrjzouzbthl.exe*."

PID:1524  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe
    PID:3048  C:\Windows\hdcujdxtohziqvqhozdz.exe  |  hdcujdxtohziqvqhozdz.exe

PID:4352  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe
    PID:3096  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe  |  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe

PID:5372  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe .
    PID:2552  C:\Windows\wttmcxsplfyirxtltfkhh.exe  |  wttmcxsplfyirxtltfkhh.exe .
        - System Location Discovery: System Language Discovery
        PID:1364  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\wttmcxsplfyirxtltfkhh.exe*."

PID:3868  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe .
    PID:4704  C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe  |  C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe .
        - System Location Discovery: System Language Discovery
        PID:3168  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tlgufvldujxcghyl.exe*."

PID:2744  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe
    PID:2968  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe  |  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe

PID:1328  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe .
    PID:5344  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID:492  C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe  |  C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe .
        PID:4904  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\upnesleztlckrvpflvy.exe*."

PID:4924  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe
    PID:2008  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID:676  C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe  |  C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe

PID:1080  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe .
    PID:3872  C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe  |  C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe .
        PID:5260  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tlgufvldujxcghyl.exe*."

PID:5832  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe
    PID:6004  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe  |  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe

PID:1976  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe .
    PID:1716  C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe  |  C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe .
        - System Location Discovery: System Language Discovery
        PID:1796  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\upnesleztlckrvpflvy.exe*."

PID:4652  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe
    PID:3412  C:\Windows\atpeqhyrjzouzbthl.exe  |  atpeqhyrjzouzbthl.exe

PID:3876  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe .
    PID:5904  C:\Windows\tlgufvldujxcghyl.exe  |  tlgufvldujxcghyl.exe .
        PID:2592  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tlgufvldujxcghyl.exe*."

PID:1816  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe
    PID:5132  C:\Windows\upnesleztlckrvpflvy.exe  |  upnesleztlckrvpflvy.exe

PID:2492  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe .
    PID:4596  C:\Windows\jdaqdvnharhouxqfkt.exe  |  jdaqdvnharhouxqfkt.exe .
        PID:1360  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\jdaqdvnharhouxqfkt.exe*."

PID:6132  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe
    PID:2176  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID:3284  C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe  |  C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe

PID:2292  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .
    PID:5236  C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe  |  C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .
        PID:6000  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\jdaqdvnharhouxqfkt.exe*."

PID:4848  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe
    PID:2868  C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe  |  C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe

PID:5092  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .
    PID:4496  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID:4812  C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe  |  C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .
        PID:2696  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\atpeqhyrjzouzbthl.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

PID:5952  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe
    PID:4872  C:\Windows\upnesleztlckrvpflvy.exe  |  upnesleztlckrvpflvy.exe

PID:5608  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe .
    PID:5032  C:\Windows\hdcujdxtohziqvqhozdz.exe  |  hdcujdxtohziqvqhozdz.exe .
        - System Location Discovery: System Language Discovery
        PID:5520  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\hdcujdxtohziqvqhozdz.exe*."

PID:4444  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe
    PID:4896  C:\Windows\hdcujdxtohziqvqhozdz.exe  |  hdcujdxtohziqvqhozdz.exe

PID:4796  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe .
    PID:4452  C:\Windows\hdcujdxtohziqvqhozdz.exe  |  hdcujdxtohziqvqhozdz.exe .
        - System Location Discovery: System Language Discovery
        PID:944  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\hdcujdxtohziqvqhozdz.exe*."

PID:3540  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe
    PID:3844  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID:2044  C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe  |  C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe

PID:1892  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe .
    PID:3944  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID:4140  C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe  |  C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe .
        - System Location Discovery: System Language Discovery
        PID:5816  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\upnesleztlckrvpflvy.exe*."

PID:5596  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe
    PID:4664  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe  |  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe

PID:5748  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .
    PID:2624  C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe  |  C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .
        - System Location Discovery: System Language Discovery
        PID:3432  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\jdaqdvnharhouxqfkt.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

PID:5916  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe
    PID:4128  C:\Windows\hdcujdxtohziqvqhozdz.exe  |  hdcujdxtohziqvqhozdz.exe

PID:2776  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe .
    PID:4232  C:\Windows\hdcujdxtohziqvqhozdz.exe  |  hdcujdxtohziqvqhozdz.exe .
        PID:3776  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\hdcujdxtohziqvqhozdz.exe*."

PID:2712  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe
    PID:5392  C:\Windows\atpeqhyrjzouzbthl.exe  |  atpeqhyrjzouzbthl.exe

PID:1424  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe .
    PID:4340  C:\Windows\tlgufvldujxcghyl.exe  |  tlgufvldujxcghyl.exe .
        PID:732  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tlgufvldujxcghyl.exe*."

PID:1068  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe
    PID:2840  C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe  |  C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe

PID:4616  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .
    PID:4944  C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe  |  C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .
        - System Location Discovery: System Language Discovery
        PID:3932  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\jdaqdvnharhouxqfkt.exe*."

PID:5836  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe
    PID:3860  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID:1980  C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe  |  C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe

PID:864  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .
    PID:1356  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe  |  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .
        - System Location Discovery: System Language Discovery
        PID:400  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in Windows directory
            - System policy modification

PID:3548  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe
    PID:4112  C:\Windows\hdcujdxtohziqvqhozdz.exe  |  hdcujdxtohziqvqhozdz.exe

PID:4516  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe .
    PID:4224  C:\Windows\hdcujdxtohziqvqhozdz.exe  |  hdcujdxtohziqvqhozdz.exe .
        PID:5720  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\hdcujdxtohziqvqhozdz.exe*."

PID:792  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe
    PID:5160  C:\Windows\atpeqhyrjzouzbthl.exe  |  atpeqhyrjzouzbthl.exe

PID:4196  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe .
    PID:1716  C:\Windows\jdaqdvnharhouxqfkt.exe  |  jdaqdvnharhouxqfkt.exe .
        PID:2240  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\jdaqdvnharhouxqfkt.exe*."

PID:2028  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe
    PID:4628  C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe  |  C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe

PID:1536  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe .
    PID:5220  C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe  |  C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe .
        PID:5904  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tlgufvldujxcghyl.exe*."

PID:3176  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe
    PID:4916  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe  |  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe

PID:3876  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .
    PID:420  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID:1488  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe  |  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .
        - System Location Discovery: System Language Discovery
        PID:4564  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory

PID:2480  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe
    PID:1940  C:\Windows\upnesleztlckrvpflvy.exe  |  upnesleztlckrvpflvy.exe

PID:1052  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe .
    PID:4672  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID:4116  C:\Windows\jdaqdvnharhouxqfkt.exe  |  jdaqdvnharhouxqfkt.exe .
        PID:3484  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\jdaqdvnharhouxqfkt.exe*."

PID:1136  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe
    PID:4156  C:\Windows\wttmcxsplfyirxtltfkhh.exe  |  wttmcxsplfyirxtltfkhh.exe

PID:4700  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe .
    PID:5988  C:\Windows\jdaqdvnharhouxqfkt.exe  |  jdaqdvnharhouxqfkt.exe .
        PID:2620  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\jdaqdvnharhouxqfkt.exe*."

PID:2504  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe
    PID:5592  C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe  |  C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe

PID:2864  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe .
    PID:2736  C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe  |  C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe .
        - System Location Discovery: System Language Discovery
        PID:5772  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\wttmcxsplfyirxtltfkhh.exe*."

PID:2180  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe
    PID:5088  C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe  |  C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe

PID:5660  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .
    PID:2916  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe  |  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .
        PID:4388  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

PID:5360  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe
    PID:1912  C:\Windows\atpeqhyrjzouzbthl.exe  |  atpeqhyrjzouzbthl.exe

PID:4296  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe .
    PID:3260  C:\Windows\hdcujdxtohziqvqhozdz.exe  |  hdcujdxtohziqvqhozdz.exe .
        PID:3328  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\hdcujdxtohziqvqhozdz.exe*."

PID:944  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe
    PID:1920  C:\Windows\jdaqdvnharhouxqfkt.exe  |  jdaqdvnharhouxqfkt.exe

PID:4140  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe .
    PID:4368  C:\Windows\upnesleztlckrvpflvy.exe  |  upnesleztlckrvpflvy.exe .
        PID:4504  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\upnesleztlckrvpflvy.exe*."

PID:2936  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe
    PID:4712  C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe  |  C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe

PID:5708  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .
    PID:2680  C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe  |  C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .
        - System Location Discovery: System Language Discovery
        PID:3360  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\atpeqhyrjzouzbthl.exe*."

PID:3124  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe
    PID:5056  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID:1440  C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe  |  C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe

PID:4128  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .
    PID:836  C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe  |  C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .
        - System Location Discovery: System Language Discovery
        PID:4148  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\atpeqhyrjzouzbthl.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

PID:1384  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe
    PID:4320  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID:952  C:\Windows\hdcujdxtohziqvqhozdz.exe  |  hdcujdxtohziqvqhozdz.exe

PID:2744  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe .
    PID:1600  C:\Windows\hdcujdxtohziqvqhozdz.exe  |  hdcujdxtohziqvqhozdz.exe .
        PID:580  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\hdcujdxtohziqvqhozdz.exe*."

PID:732  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe
    PID:4520  C:\Windows\wttmcxsplfyirxtltfkhh.exe  |  wttmcxsplfyirxtltfkhh.exe

PID:5172  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe .
    PID:2128  C:\Windows\tlgufvldujxcghyl.exe  |  tlgufvldujxcghyl.exe .
        PID:5696  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tlgufvldujxcghyl.exe*."

PID:2260  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe
    PID:5368  C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe  |  C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe

PID:1340  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .
    PID:3020  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe  |  C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .
        PID:3940  C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe  |  "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*."

PID:864  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe
    PID:3884  C:\Windows\upnesleztlckrvpflvy.exe  |  upnesleztlckrvpflvy.exe

PID:236  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe
    PID:5452  C:\Windows\tlgufvldujxcghyl.exe  |  tlgufvldujxcghyl.exe

PID:1436  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe .
    PID:1504  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
-
C:\Windows\jdaqdvnharhouxqfkt.exejdaqdvnharhouxqfkt.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1664 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\jdaqdvnharhouxqfkt.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe1⤵PID:4724
-
C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exeC:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe2⤵PID:244
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .1⤵PID:4720
-
C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .2⤵PID:4584
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\jdaqdvnharhouxqfkt.exe*."3⤵PID:5800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe .1⤵PID:5016
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1716
-
-
C:\Windows\wttmcxsplfyirxtltfkhh.exewttmcxsplfyirxtltfkhh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3108 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\wttmcxsplfyirxtltfkhh.exe*."3⤵PID:5592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe1⤵PID:564
-
C:\Windows\jdaqdvnharhouxqfkt.exejdaqdvnharhouxqfkt.exe2⤵PID:1048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe .1⤵PID:3288
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:560
-
-
C:\Windows\upnesleztlckrvpflvy.exeupnesleztlckrvpflvy.exe .2⤵PID:4088
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\upnesleztlckrvpflvy.exe*."3⤵PID:5924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe1⤵PID:472
-
C:\Windows\wttmcxsplfyirxtltfkhh.exewttmcxsplfyirxtltfkhh.exe2⤵PID:4156
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe1⤵PID:4260
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4012
-
-
C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exeC:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe2⤵PID:3184
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe .1⤵PID:2784
-
C:\Windows\wttmcxsplfyirxtltfkhh.exewttmcxsplfyirxtltfkhh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4848 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\wttmcxsplfyirxtltfkhh.exe*."3⤵PID:5608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .1⤵PID:3556
-
C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exeC:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .2⤵PID:6124
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*."3⤵PID:5860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe1⤵PID:3516
-
C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exeC:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe2⤵PID:4820
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .1⤵PID:3988
-
C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exeC:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5212 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*."3⤵PID:1444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe1⤵PID:988
-
C:\Windows\jdaqdvnharhouxqfkt.exejdaqdvnharhouxqfkt.exe2⤵PID:5460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe1⤵PID:2620
-
C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exeC:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe2⤵PID:4756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe .1⤵PID:3772
-
C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exeC:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe .2⤵PID:3476
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tlgufvldujxcghyl.exe*."3⤵PID:1428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe .1⤵PID:2316
-
C:\Windows\upnesleztlckrvpflvy.exeupnesleztlckrvpflvy.exe .2⤵PID:1148
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\upnesleztlckrvpflvy.exe*."3⤵PID:4868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe1⤵PID:2340
-
C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe2⤵PID:5360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe .1⤵PID:5352
-
C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exeC:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tlgufvldujxcghyl.exe*."3⤵PID:2612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe1⤵PID:4804
-
C:\Windows\hdcujdxtohziqvqhozdz.exehdcujdxtohziqvqhozdz.exe2⤵PID:2448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe .1⤵PID:4900
-
C:\Windows\hdcujdxtohziqvqhozdz.exehdcujdxtohziqvqhozdz.exe .2⤵PID:2908
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\hdcujdxtohziqvqhozdz.exe*."3⤵PID:5136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe1⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exeC:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe2⤵PID:1892
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe .1⤵PID:5380
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4648
-
-
C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exeC:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe .2⤵PID:3120
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\wttmcxsplfyirxtltfkhh.exe*."3⤵PID:2680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe1⤵PID:5708
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3360
-
-
C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exeC:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe2⤵PID:4632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .1⤵PID:1088
-
C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exeC:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .2⤵PID:3852
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\atpeqhyrjzouzbthl.exe*."3⤵PID:5916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe1⤵PID:5392
-
C:\Windows\wttmcxsplfyirxtltfkhh.exewttmcxsplfyirxtltfkhh.exe2⤵PID:224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe .1⤵PID:432
-
C:\Windows\hdcujdxtohziqvqhozdz.exehdcujdxtohziqvqhozdz.exe .2⤵PID:3924
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\hdcujdxtohziqvqhozdz.exe*."3⤵PID:1756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe1⤵PID:1572
-
C:\Windows\upnesleztlckrvpflvy.exeupnesleztlckrvpflvy.exe2⤵PID:1432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe .1⤵PID:732
-
C:\Windows\upnesleztlckrvpflvy.exeupnesleztlckrvpflvy.exe .2⤵PID:3400
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\upnesleztlckrvpflvy.exe*."3⤵PID:5696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe1⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exeC:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe2⤵PID:4544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe .1⤵PID:5044
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5172
-
-
C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exeC:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe .2⤵PID:2700
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tlgufvldujxcghyl.exe*."3⤵PID:4112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe1⤵PID:4876
-
C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe2⤵PID:1340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .1⤵PID:5340
-
C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exeC:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .2⤵PID:236
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\atpeqhyrjzouzbthl.exe*."3⤵PID:5364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe1⤵PID:5880
-
C:\Windows\jdaqdvnharhouxqfkt.exejdaqdvnharhouxqfkt.exe2⤵PID:3676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe .1⤵PID:1492
-
C:\Windows\atpeqhyrjzouzbthl.exeatpeqhyrjzouzbthl.exe .2⤵PID:2552
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\atpeqhyrjzouzbthl.exe*."3⤵PID:1196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe1⤵PID:1048
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5528
-
-
C:\Windows\upnesleztlckrvpflvy.exeupnesleztlckrvpflvy.exe2⤵PID:4456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe .1⤵PID:1796
-
C:\Windows\wttmcxsplfyirxtltfkhh.exewttmcxsplfyirxtltfkhh.exe .2⤵PID:3264
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\wttmcxsplfyirxtltfkhh.exe*."3⤵PID:3032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe1⤵PID:2872
-
C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exeC:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe2⤵PID:900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .1⤵PID:748
-
C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .2⤵PID:6028
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\jdaqdvnharhouxqfkt.exe*."3⤵PID:400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe1⤵PID:5024
-
C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exeC:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe2⤵PID:4784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .1⤵PID:3516
-
C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exeC:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .2⤵PID:6104
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*."3⤵PID:5460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe1⤵PID:2736
-
C:\Windows\hdcujdxtohziqvqhozdz.exehdcujdxtohziqvqhozdz.exe2⤵PID:1092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe .1⤵PID:5076
-
C:\Windows\jdaqdvnharhouxqfkt.exejdaqdvnharhouxqfkt.exe .2⤵PID:4548
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\jdaqdvnharhouxqfkt.exe*."3⤵PID:3180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe1⤵PID:1544
-
C:\Windows\atpeqhyrjzouzbthl.exeatpeqhyrjzouzbthl.exe2⤵PID:788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe .1⤵PID:2532
-
C:\Windows\jdaqdvnharhouxqfkt.exejdaqdvnharhouxqfkt.exe .2⤵PID:1168
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\jdaqdvnharhouxqfkt.exe*."3⤵PID:5780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe1⤵PID:5372
-
C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exeC:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe2⤵PID:4644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .1⤵PID:2448
-
C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exeC:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .2⤵PID:4452
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*."3⤵PID:4296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe1⤵PID:4376
-
C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exeC:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe2⤵PID:4760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .1⤵PID:5772
-
C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exeC:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .2⤵PID:4940
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*."3⤵PID:1920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe1⤵PID:1508
-
C:\Windows\atpeqhyrjzouzbthl.exeatpeqhyrjzouzbthl.exe2⤵PID:2936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe .1⤵PID:5956
-
C:\Windows\jdaqdvnharhouxqfkt.exejdaqdvnharhouxqfkt.exe .2⤵PID:2088
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\jdaqdvnharhouxqfkt.exe*."3⤵PID:5380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe1⤵PID:2844
-
C:\Windows\tlgufvldujxcghyl.exetlgufvldujxcghyl.exe2⤵PID:1924
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe .1⤵PID:3476
-
C:\Windows\jdaqdvnharhouxqfkt.exejdaqdvnharhouxqfkt.exe .2⤵PID:1332
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\jdaqdvnharhouxqfkt.exe*."3⤵PID:1456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe1⤵PID:4108
-
C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exeC:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe2⤵PID:4964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .1⤵PID:836
-
C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exeC:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe .2⤵PID:3124
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\atpeqhyrjzouzbthl.exe*."3⤵PID:720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe1⤵PID:5872
-
C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe2⤵PID:916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe .1⤵PID:5392
-
C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exeC:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe .2⤵PID:5688
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\tlgufvldujxcghyl.exe*."3⤵PID:4340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe1⤵PID:2968
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3908
-
-
C:\Windows\tlgufvldujxcghyl.exetlgufvldujxcghyl.exe2⤵PID:2196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe .1⤵PID:2128
-
C:\Windows\upnesleztlckrvpflvy.exeupnesleztlckrvpflvy.exe .2⤵PID:5696
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\upnesleztlckrvpflvy.exe*."3⤵PID:1740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe1⤵PID:3164
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3000
-
-
C:\Windows\tlgufvldujxcghyl.exetlgufvldujxcghyl.exe2⤵PID:4704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe .1⤵PID:4592
-
C:\Windows\tlgufvldujxcghyl.exetlgufvldujxcghyl.exe .2⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tlgufvldujxcghyl.exe*."3⤵PID:1316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe1⤵PID:5044
-
C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exeC:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe2⤵PID:404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .1⤵PID:5940
-
C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .2⤵PID:3548
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\jdaqdvnharhouxqfkt.exe*."3⤵PID:4516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe1⤵PID:1684
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5720
-
-
C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exeC:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe2⤵PID:4196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .1⤵PID:2648
-
C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .2⤵PID:1436
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\jdaqdvnharhouxqfkt.exe*."3⤵PID:5020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe1⤵PID:4456
-
C:\Windows\jdaqdvnharhouxqfkt.exejdaqdvnharhouxqfkt.exe2⤵PID:1976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe .1⤵PID:6120
-
C:\Windows\wttmcxsplfyirxtltfkhh.exewttmcxsplfyirxtltfkhh.exe .2⤵PID:1360
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\wttmcxsplfyirxtltfkhh.exe*."3⤵PID:5336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe1⤵PID:3184
-
C:\Windows\upnesleztlckrvpflvy.exeupnesleztlckrvpflvy.exe2⤵PID:3632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe .1⤵PID:5116
-
C:\Windows\atpeqhyrjzouzbthl.exeatpeqhyrjzouzbthl.exe .2⤵PID:3176
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\atpeqhyrjzouzbthl.exe*."3⤵PID:3112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe1⤵PID:4088
-
C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exeC:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe2⤵PID:5024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .1⤵PID:4052
-
C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exeC:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .2⤵PID:6104
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*."3⤵PID:3516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe1⤵PID:2472
-
C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe2⤵PID:4068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe1⤵PID:5156
-
C:\Windows\atpeqhyrjzouzbthl.exeatpeqhyrjzouzbthl.exe2⤵PID:4220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .1⤵PID:1212
-
C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exeC:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe .2⤵PID:5196
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\jdaqdvnharhouxqfkt.exe*."3⤵PID:4644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe1⤵PID:1312
-
C:\Windows\jdaqdvnharhouxqfkt.exejdaqdvnharhouxqfkt.exe2⤵PID:804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe .1⤵PID:5848
-
C:\Windows\tlgufvldujxcghyl.exetlgufvldujxcghyl.exe .2⤵PID:5068
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tlgufvldujxcghyl.exe*."3⤵PID:5728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe1⤵PID:5280
-
C:\Windows\jdaqdvnharhouxqfkt.exejdaqdvnharhouxqfkt.exe2⤵PID:4896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe .1⤵PID:5568
-
C:\Windows\upnesleztlckrvpflvy.exeupnesleztlckrvpflvy.exe .2⤵PID:1824
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\upnesleztlckrvpflvy.exe*."3⤵PID:5748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe .1⤵PID:4188
-
C:\Windows\wttmcxsplfyirxtltfkhh.exewttmcxsplfyirxtltfkhh.exe .2⤵PID:3540
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\wttmcxsplfyirxtltfkhh.exe*."3⤵PID:544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe1⤵PID:3804
-
C:\Windows\wttmcxsplfyirxtltfkhh.exewttmcxsplfyirxtltfkhh.exe2⤵PID:6056
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe1⤵PID:4796
-
C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exeC:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe2⤵PID:4712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe1⤵PID:1064
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5772
-
-
C:\Windows\upnesleztlckrvpflvy.exeupnesleztlckrvpflvy.exe2⤵PID:3020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe .1⤵PID:4664
-
C:\Windows\tlgufvldujxcghyl.exetlgufvldujxcghyl.exe .2⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tlgufvldujxcghyl.exe*."3⤵PID:5756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe .1⤵PID:2696
-
C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exeC:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe .2⤵PID:2332
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\wttmcxsplfyirxtltfkhh.exe*."3⤵PID:3716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe1⤵PID:4800
-
C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exeC:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe2⤵PID:4580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe .1⤵PID:1924
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:956
-
-
C:\Windows\wttmcxsplfyirxtltfkhh.exewttmcxsplfyirxtltfkhh.exe .2⤵PID:1636
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\wttmcxsplfyirxtltfkhh.exe*."3⤵PID:2196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe .1⤵PID:2020
-
C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exeC:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe .2⤵PID:2488
-
C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe"C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\upnesleztlckrvpflvy.exe*."3⤵PID:4704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe1⤵PID:1060
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4388
-
-
C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exeC:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe2⤵PID:5048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe1⤵PID:4128
-
C:\Windows\wttmcxsplfyirxtltfkhh.exewttmcxsplfyirxtltfkhh.exe2⤵PID:4352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .1⤵PID:4024
-
C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exeC:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe .2⤵PID:6004
-
Image path | Command line | PID (indented by process-tree depth)
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*." | PID 4876
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe . | PID 4928
    C:\Windows\tlgufvldujxcghyl.exe | tlgufvldujxcghyl.exe . | PID 3128
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tlgufvldujxcghyl.exe*." | PID 792
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe | PID 664
    C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe | C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe | PID 5420
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe | PID 5276
    C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe | PID 4468
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe . | PID 3932
    C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe . | PID 5800
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\jdaqdvnharhouxqfkt.exe*." | PID 4512
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe . | PID 2804
    C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe . | PID 3596
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\atpeqhyrjzouzbthl.exe*." | PID 3868
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe | PID 5452
    C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe | C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe | PID 5184
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe . | PID 2344
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2552
    C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe . | PID 4584
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\atpeqhyrjzouzbthl.exe*." | PID 4720
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe | PID 1080
    C:\Windows\tlgufvldujxcghyl.exe | tlgufvldujxcghyl.exe | PID 5616
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe . | PID 4372
    C:\Windows\atpeqhyrjzouzbthl.exe | atpeqhyrjzouzbthl.exe . | PID 3032
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\atpeqhyrjzouzbthl.exe*." | PID 3176
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe | PID 4012
    C:\Windows\tlgufvldujxcghyl.exe | tlgufvldujxcghyl.exe | PID 5116
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe . | PID 5796
    C:\Windows\tlgufvldujxcghyl.exe | tlgufvldujxcghyl.exe . | PID 2180
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tlgufvldujxcghyl.exe*." | PID 1236
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe | PID 4596
    C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe | C:\Users\Admin\AppData\Local\Temp\tlgufvldujxcghyl.exe | PID 660
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe . | PID 5072
    C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe | C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe . | PID 3552
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\wttmcxsplfyirxtltfkhh.exe*." | PID 2736
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe | PID 5156
    C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe | PID 5020
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe . | PID 4848
    C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe | C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe . | PID 1772
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*." | PID 4184
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hdcujdxtohziqvqhozdz.exe | PID 5888
    C:\Windows\hdcujdxtohziqvqhozdz.exe | hdcujdxtohziqvqhozdz.exe | PID 4500
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe . | PID 4792
    C:\Windows\tlgufvldujxcghyl.exe | tlgufvldujxcghyl.exe . | PID 6016
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tlgufvldujxcghyl.exe*." | PID 1032
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe | PID 440
    C:\Windows\upnesleztlckrvpflvy.exe | upnesleztlckrvpflvy.exe | PID 576
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe . | PID 4712
    C:\Windows\upnesleztlckrvpflvy.exe | upnesleztlckrvpflvy.exe . | PID 3064
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\upnesleztlckrvpflvy.exe*." | PID 1580
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe | PID 348
    C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe | C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe | PID 2352
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe . | PID 2844
    C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe | C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe . | PID 4648
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*." | PID 2268
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe | PID 4188
    C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe | PID 1764
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe . | PID 3772
    C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe | C:\Users\Admin\AppData\Local\Temp\hdcujdxtohziqvqhozdz.exe . | PID 5708
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\hdcujdxtohziqvqhozdz.exe*." | PID 3716
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe | PID 2196
    C:\Windows\tlgufvldujxcghyl.exe | tlgufvldujxcghyl.exe | PID 2696
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe . | PID 4744
    C:\Windows\atpeqhyrjzouzbthl.exe | atpeqhyrjzouzbthl.exe . | PID 3920
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\atpeqhyrjzouzbthl.exe*." | PID 4504
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe | PID 2328
    C:\Windows\wttmcxsplfyirxtltfkhh.exe | wttmcxsplfyirxtltfkhh.exe | PID 3308
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tlgufvldujxcghyl.exe . | PID 3852
    C:\Windows\tlgufvldujxcghyl.exe | tlgufvldujxcghyl.exe . | PID 2232
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\tlgufvldujxcghyl.exe*." | PID 4988
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe | PID 2504
    C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe | PID 5044
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe . | PID 3412
    C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe . | PID 3324
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\atpeqhyrjzouzbthl.exe*." | PID 2968
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe | PID 5836
    C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe | C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe | PID 4424
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe . | PID 1956
    C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe | C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe . | PID 836
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\wttmcxsplfyirxtltfkhh.exe*." | PID 4968
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe | PID 3688
    C:\Windows\upnesleztlckrvpflvy.exe | upnesleztlckrvpflvy.exe | PID 2892
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jdaqdvnharhouxqfkt.exe . | PID 5224
    C:\Windows\jdaqdvnharhouxqfkt.exe | jdaqdvnharhouxqfkt.exe . | PID 568
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\jdaqdvnharhouxqfkt.exe*." | PID 5780
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe | PID 4196
    C:\Windows\upnesleztlckrvpflvy.exe | upnesleztlckrvpflvy.exe | PID 4464
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe . | PID 4264
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3548
    C:\Windows\atpeqhyrjzouzbthl.exe | atpeqhyrjzouzbthl.exe . | PID 5880
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\atpeqhyrjzouzbthl.exe*." | PID 5912
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe | PID 3164
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3932
    C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe | C:\Users\Admin\AppData\Local\Temp\wttmcxsplfyirxtltfkhh.exe | PID 2284
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe . | PID 2912
    C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe | C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe . | PID 2344
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\upnesleztlckrvpflvy.exe*." | PID 1732
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe | PID 2028
    C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe | PID 4888
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe . | PID 1080
    C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe . | PID 900
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\atpeqhyrjzouzbthl.exe*." | PID 1788
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe | PID 6052
    C:\Windows\upnesleztlckrvpflvy.exe | upnesleztlckrvpflvy.exe | PID 4856
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe . | PID 4256
    C:\Windows\wttmcxsplfyirxtltfkhh.exe | wttmcxsplfyirxtltfkhh.exe . | PID 3544
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\wttmcxsplfyirxtltfkhh.exe*." | PID 2240
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c upnesleztlckrvpflvy.exe | PID 2656
    C:\Windows\upnesleztlckrvpflvy.exe | upnesleztlckrvpflvy.exe | PID 1236
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wttmcxsplfyirxtltfkhh.exe . | PID 4088
    C:\Windows\wttmcxsplfyirxtltfkhh.exe | wttmcxsplfyirxtltfkhh.exe . | PID 2868
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\wttmcxsplfyirxtltfkhh.exe*." | PID 6000
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe | PID 4420
    C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe | C:\Users\Admin\AppData\Local\Temp\atpeqhyrjzouzbthl.exe | PID 5088
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe . | PID 2060
    C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe . | PID 5996
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\jdaqdvnharhouxqfkt.exe*." | PID 5212
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe | PID 5812
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5080
    C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe | C:\Users\Admin\AppData\Local\Temp\jdaqdvnharhouxqfkt.exe | PID 3420
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe . | PID 3700
    C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe | C:\Users\Admin\AppData\Local\Temp\upnesleztlckrvpflvy.exe . | PID 3060
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\users\admin\appdata\local\temp\upnesleztlckrvpflvy.exe*." | PID 2460
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe | PID 1544
    C:\Windows\atpeqhyrjzouzbthl.exe | atpeqhyrjzouzbthl.exe | PID 2316
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c atpeqhyrjzouzbthl.exe . | PID 5628
    C:\Windows\atpeqhyrjzouzbthl.exe | atpeqhyrjzouzbthl.exe . | PID 5672
        C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe | "C:\Users\Admin\AppData\Local\Temp\oonjvdbdyyx.exe" "c:\windows\atpeqhyrjzouzbthl.exe*." | PID 3804
Network
MITRE ATT&CK Enterprise v16 (technique counts in parentheses)

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads

Filesize: 272B
MD5: 18ad0400d9e0da8d3b70716444628414
SHA1: 399b60263774637b0098c6f6aaa2f0be45db23e8
SHA256: 9123a5360cef46f322496ff1e4095c3307df343d05d8967df890b5b4cdfe7d44
SHA512: 6bf11e3f08637a1fb58008ace1c21fb5ed87fd765310df2ee145b8005029a7be9e529fb4eb7926b9084f186397914f7156005122ab358ad8d374f4b010d8fbdf

Filesize: 272B
MD5: 1a3ee998ee5f5a35bdb27425897fb30b
SHA1: 256dfd8ec89443d0cb63006cf1ad85757d45ad45
SHA256: 9b41a80615cb8ed3bdf905584425427022aa3dfbdbae05d9c4baf32783f7bcd6
SHA512: 45c3e515cf5fd4a0f80a2f8d3a9831bb56b7818483276c377f7cd6704639d06aa6602843ebfddff2dd25e7b1ce01429b8ba875a868ba86b90b6ec8f63d40f68f

Filesize: 272B
MD5: 8dbcfcded07baccc9cc5b56f18bbb078
SHA1: c8d685b8f1e53ec5be5dc14ef43f92a5818dfac3
SHA256: 03303858bebe0a0f6035de1ae7d910ee7ef9439e0df8421dc37bf502d08a50b4
SHA512: 8c34ec4cf8278967073c99f6dcf6b760fbe5dbb6c32daea220033dd39b9fd834ec997c74cde0e5957270fa5d08d82d369ba4565b9eb1e3856ff7dc7d92dd75f8

Filesize: 272B
MD5: 5537f9b65f02055c747fcd66691ecb4f
SHA1: cec85672719e2256a9b27866e75bcd0c279550b5
SHA256: d44b6bccfe21ea6683cdeb05fc99f6cae7ba6365bab414b935aaef5251d7f794
SHA512: a7e4493c7309a03b15068c37a7237bf6da515987acb5f11b7b2932fe5c7b1a4f72f68d02fd3282df12d80408b90d8de640d5d6d9c928fdc7b593d94bce6915ae

Filesize: 272B
MD5: 1edbac5a80ee8b4b689a36dc0fd7bf69
SHA1: 66bb8bce10c6e5f67242a9dcd7b1bd552c92155c
SHA256: 05e561b66466065bfde84462ea6fcb3361f51bd503750f9d3f8474a3ebf72ae9
SHA512: 68057a5a009e9cef31fd3deed16ead42ba43d4059a13802b9eb469a658718fd0866646ac459e838fd58b4f8a3d38ede5629ea0c878b491bda67c5516e6484792

Filesize: 272B
MD5: 8f42f2feeeae2808f0e2d89136625cac
SHA1: 713b1fb84ad6821c585afc131dc46eafca8b7ebd
SHA256: 9f96378ad705f59664a0959c6cbba522fca137012053256504406d0e81c1eb8e
SHA512: f15692f8cf091534e51afcf275ba4c9a1f903b6274c0ada592747a7057afd56f156661cf83abc85614f749c0b14bb4b290b65b47ceb509e16159d3af68850d8a

Filesize: 320KB
MD5: 1dd5dd5561723f37ccc81e15ecdbf830
SHA1: eeb9131c8d276ceb710d163e89fdc62b3e111971
SHA256: c8c542ac3f6526d1501c2b9d6262bfa029a1ac0d9dd6b3c1965977abdd8bd126
SHA512: b4881d7cd0c2ceeba067e13d23763e739389108d1269acd6c343dd308aa1fedde89da696a8482944342f44ea1094ea6b50021a15d4c6d03762ba032a9598bba5

Filesize: 736KB
MD5: 6becea694a5409d14953ea1df8be3b74
SHA1: 568aa388ef8b47db160190df52c83b71c7133e5f
SHA256: 219b0e47f0adabdd318ebacc51d9fdcac4e40bcf08293669713ffa4e36ac195b
SHA512: 371cfd6fce4f8195beac04c2a388ecb669bb3dec00cf0441bc9ca14b32529ec9dbb4c920824269739e1c204261ab095761eda17242ef687574a1f386480a4b71

Filesize: 272B
MD5: 89ed0012b32b2b8bb6b7ab60386e829d
SHA1: 0e9c289384fd2cce4d7c146febcbcbac03784150
SHA256: c4e4f89a8a0e5b20cea89eb7ccf7e0220b205c0efc781d0c87410674e8d78239
SHA512: 4ce1652ec3362f3613a61affb05c30f7f396f2308c0259d5a7569e3fb14f8d3a479d3e774395b381f6e82feb0eec7f1c4745125bcecd5b859b21387fb904a72e

Filesize: 3KB
MD5: fee617ac7cb55ba113bf0f06f143a5aa
SHA1: 1aaa145aae8b266d722e6e764d7e5e794c25873b
SHA256: 1a989878c538458d0726264d8f0874ae6dd0046d605837619683a5f56588e73b
SHA512: d19b89414cb285957fb52cd850aa850f68b23ef0c20afc8b054691f1136b940e59cb5038998e0d927851fd8cde1aa11ff9c1abfc325bc9c74e1af5e39cf4eed8

Filesize: 976KB
MD5: c95a495a4c01031dd2c777a44c3fc9e4
SHA1: 51084a46294dd634450c6ac27d9ef870438c4d70
SHA256: 915d73145ca41654c2bd3a3b908de8f2df454c97bb351237bd5498b9954c789a
SHA512: 152a18025948bc9d36f132eed09b3266c97843e0c6c110a3c35d51eeab48d360ca3ad26d25282b935681348eb0731aca6434b162a58e1996cc18e3aa48e1dcd6