Analysis
max time kernel: 83s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21/04/2025, 12:23
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_c940916a51510ded99612bd93114de0d.exe
  Resource: win10v2004-20250314-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_c940916a51510ded99612bd93114de0d.exe
  Resource: win11-20250410-en
General
Target: JaffaCakes118_c940916a51510ded99612bd93114de0d.exe
Size: 472KB
MD5: c940916a51510ded99612bd93114de0d
SHA1: af052d166386189ab6c14e8e49831b6459c42b5f
SHA256: 23500abd545b632364da058b1e9fa90a6c5377fd39266246bee94b0be750775a
SHA512: 7981e1a0e321645e396b80b9bddc102f901466f85f74bb252bf99088e083033a55a8eaad519b428cd161038a6d32e5a47c44dbc3ec2e2f8dc41cc21c2bd87ef1
SSDEEP: 6144:CIX6L0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUIoHb:CIX6gtvm1De5YlOx6lzBH46U5Hb
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 27 IoCs)
Pykspa family
UAC bypass (3 TTPs, 36 IoCs)
Detect Pykspa worm (2 IoCs)
resource                                      yara_rule
behavioral2/files/0x000b00000002ad84-4.dat    family_pykspa
behavioral2/files/0x001c00000002b2a5-104.dat  family_pykspa
Adds policy Run key to start application (2 TTPs, 64 IoCs)
Disables RegEdit via registry modification (29 IoCs)
Executes dropped EXE (64 IoCs)
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description  ioc                                                                   Process
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc      xbomt.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager  xbomt.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys   xbomt.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc      xbomt.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power        xbomt.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys    xbomt.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
xbomt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krhisykn = "kbbmgwsfdrqikcznxu.exe" xidoeloehsn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lxsynypxqztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnoavmjxwllehaynywz.exe ." xidoeloehsn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjacnuhla = "xruifyxnofhchcctgglfi.exe ." xidoeloehsn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjacnuhla = "ujhqiwqbxjgwwmht.exe ." xidoeloehsn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lxsynypxqztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnoavmjxwllehaynywz.exe ." xidoeloehsn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bjacnuhla = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnoavmjxwllehaynywz.exe ." xbomt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\krhisykn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbbmgwsfdrqikcznxu.exe" xbomt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lxsynypxqztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujhqiwqbxjgwwmht.exe ." xbomt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krhisykn = "brqatidpmzxopgcpy.exe" xbomt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mxrwkukrjrkw = "ujhqiwqbxjgwwmht.exe ." 
xidoeloehsn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\pzswjshneld = "ibdqmecrrhicgazpbaex.exe" xidoeloehsn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krhisykn = "vnoavmjxwllehaynywz.exe" xidoeloehsn.exe -
Checks whether UAC is enabled 1 TTPs 54 IoCs
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" xidoeloehsn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" xbomt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" xbomt.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
1 whatismyipaddress.com
1 whatismyip.everdot.org
1 www.showmyipaddress.com
1 www.whatismyip.ca
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 4 IoCs
description ioc Process
File created C:\Program Files (x86)\pzswjshneldojukrukfpimzixdubtezka.kav xbomt.exe
File opened for modification C:\Program Files (x86)\yxfyaycxdzggqqvrjoyxfy.ycx xbomt.exe
File created C:\Program Files (x86)\yxfyaycxdzggqqvrjoyxfy.ycx xbomt.exe
File opened for modification C:\Program Files (x86)\pzswjshneldojukrukfpimzixdubtezka.kav xbomt.exe
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5296 | xbomt.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1752 wrote to memory of 5400 | 1752 | JaffaCakes118_c940916a51510ded99612bd93114de0d.exe | 78
PID 1752 wrote to memory of 5400 | 1752 | JaffaCakes118_c940916a51510ded99612bd93114de0d.exe | 78
PID 1752 wrote to memory of 5400 | 1752 | JaffaCakes118_c940916a51510ded99612bd93114de0d.exe | 78
PID 3400 wrote to memory of 4584 | 3400 | cmd.exe | 81
PID 3400 wrote to memory of 4584 | 3400 | cmd.exe | 81
PID 3400 wrote to memory of 4584 | 3400 | cmd.exe | 81
PID 6112 wrote to memory of 4820 | 6112 | cmd.exe | 84
PID 6112 wrote to memory of 4820 | 6112 | cmd.exe | 84
PID 6112 wrote to memory of 4820 | 6112 | cmd.exe | 84
PID 4820 wrote to memory of 5028 | 4820 | ibdqmecrrhicgazpbaex.exe | 85
PID 4820 wrote to memory of 5028 | 4820 | ibdqmecrrhicgazpbaex.exe | 85
PID 4820 wrote to memory of 5028 | 4820 | ibdqmecrrhicgazpbaex.exe | 85
PID 5060 wrote to memory of 5116 | 5060 | cmd.exe | 88
PID 5060 wrote to memory of 5116 | 5060 | cmd.exe | 88
PID 5060 wrote to memory of 5116 | 5060 | cmd.exe | 88
PID 3812 wrote to memory of 5144 | 3812 | cmd.exe | 91
PID 3812 wrote to memory of 5144 | 3812 | cmd.exe | 91
PID 3812 wrote to memory of 5144 | 3812 | cmd.exe | 91
PID 2684 wrote to memory of 3064 | 2684 | cmd.exe | 94
PID 2684 wrote to memory of 3064 | 2684 | cmd.exe | 94
PID 2684 wrote to memory of 3064 | 2684 | cmd.exe | 94
PID 5144 wrote to memory of 3732 | 5144 | ujhqiwqbxjgwwmht.exe | 95
PID 5144 wrote to memory of 3732 | 5144 | ujhqiwqbxjgwwmht.exe | 95
PID 5144 wrote to memory of 3732 | 5144 | ujhqiwqbxjgwwmht.exe | 95
PID 5164 wrote to memory of 392 | 5164 | cmd.exe | 98
PID 5164 wrote to memory of 392 | 5164 | cmd.exe | 98
PID 5164 wrote to memory of 392 | 5164 | cmd.exe | 98
PID 392 wrote to memory of 4688 | 392 | vnoavmjxwllehaynywz.exe | 99
PID 392 wrote to memory of 4688 | 392 | vnoavmjxwllehaynywz.exe | 99
PID 392 wrote to memory of 4688 | 392 | vnoavmjxwllehaynywz.exe | 99
PID 4548 wrote to memory of 4984 | 4548 | cmd.exe | 102
PID 4548 wrote to memory of 4984 | 4548 | cmd.exe | 102
PID 4548 wrote to memory of 4984 | 4548 | cmd.exe | 102
PID 4872 wrote to memory of 4464 | 4872 | cmd.exe | 105
PID 4872 wrote to memory of 4464 | 4872 | cmd.exe | 105
PID 4872 wrote to memory of 4464 | 4872 | cmd.exe | 105
PID 4464 wrote to memory of 3024 | 4464 | brqatidpmzxopgcpy.exe | 106
PID 4464 wrote to memory of 3024 | 4464 | brqatidpmzxopgcpy.exe | 106
PID 4464 wrote to memory of 3024 | 4464 | brqatidpmzxopgcpy.exe | 106
PID 5400 wrote to memory of 3136 | 5400 | xidoeloehsn.exe | 107
PID 5400 wrote to memory of 3136 | 5400 | xidoeloehsn.exe | 107
PID 5400 wrote to memory of 3136 | 5400 | xidoeloehsn.exe | 107
PID 5400 wrote to memory of 5296 | 5400 | xidoeloehsn.exe | 108
PID 5400 wrote to memory of 5296 | 5400 | xidoeloehsn.exe | 108
PID 5400 wrote to memory of 5296 | 5400 | xidoeloehsn.exe | 108
PID 3248 wrote to memory of 5564 | 3248 | cmd.exe | 113
PID 3248 wrote to memory of 5564 | 3248 | cmd.exe | 113
PID 3248 wrote to memory of 5564 | 3248 | cmd.exe | 113
PID 5536 wrote to memory of 3128 | 5536 | cmd.exe | 114
PID 5536 wrote to memory of 3128 | 5536 | cmd.exe | 114
PID 5536 wrote to memory of 3128 | 5536 | cmd.exe | 114
PID 1708 wrote to memory of 5352 | 1708 | cmd.exe | 119
PID 1708 wrote to memory of 5352 | 1708 | cmd.exe | 119
PID 1708 wrote to memory of 5352 | 1708 | cmd.exe | 119
PID 2444 wrote to memory of 1688 | 2444 | cmd.exe | 120
PID 2444 wrote to memory of 1688 | 2444 | cmd.exe | 120
PID 2444 wrote to memory of 1688 | 2444 | cmd.exe | 120
PID 5352 wrote to memory of 5156 | 5352 | xruifyxnofhchcctgglfi.exe | 121
PID 5352 wrote to memory of 5156 | 5352 | xruifyxnofhchcctgglfi.exe | 121
PID 5352 wrote to memory of 5156 | 5352 | xruifyxnofhchcctgglfi.exe | 121
PID 1688 wrote to memory of 5508 | 1688 | xruifyxnofhchcctgglfi.exe | 122
PID 1688 wrote to memory of 5508 | 1688 | xruifyxnofhchcctgglfi.exe | 122
PID 1688 wrote to memory of 5508 | 1688 | xruifyxnofhchcctgglfi.exe | 122
PID 5216 wrote to memory of 1432 | 5216 | cmd.exe | 127
System policy modification 1 TTPs 64 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | xbomt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xbomt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xbomt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | xbomt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xbomt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | xbomt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | xbomt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | xbomt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xbomt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | xbomt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | xbomt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | xbomt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | xbomt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | xbomt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | xbomt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xbomt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | xbomt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | xbomt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xidoeloehsn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xidoeloehsn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xbomt.exe
Processes
Process tree (depth shown as [1], [2], [3]; each entry gives the image path, the command line and the PID, followed by the signatures matched by that process):

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe")  PID:1752
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c940916a51510ded99612bd93114de0d.exe*")  PID:5400
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Hijack Execution Flow: Executable Installer File Permissions Weakness
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        - System policy modification
        [3] C:\Users\Admin\AppData\Local\Temp\xbomt.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xbomt.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_c940916a51510ded99612bd93114de0d.exe")  PID:3136
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Hijack Execution Flow: Executable Installer File Permissions Weakness
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - System policy modification
        [3] C:\Users\Admin\AppData\Local\Temp\xbomt.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xbomt.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_c940916a51510ded99612bd93114de0d.exe")  PID:5296
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Impair Defenses: Safe Mode Boot
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Hijack Execution Flow: Executable Installer File Permissions Weakness
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - System policy modification

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe)  PID:3400
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\brqatidpmzxopgcpy.exe  (cmdline: brqatidpmzxopgcpy.exe)  PID:4584
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe .)  PID:6112
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\ibdqmecrrhicgazpbaex.exe  (cmdline: ibdqmecrrhicgazpbaex.exe .)  PID:4820
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*.")  PID:5028
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe)  PID:5060
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\ibdqmecrrhicgazpbaex.exe  (cmdline: ibdqmecrrhicgazpbaex.exe)  PID:5116
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .)  PID:3812
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\ujhqiwqbxjgwwmht.exe  (cmdline: ujhqiwqbxjgwwmht.exe .)  PID:5144
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*.")  PID:3732
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe)  PID:2684
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe)  PID:3064
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .)  PID:5164
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .)  PID:392
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*.")  PID:4688
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe)  PID:4548
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe)  PID:4984
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .)  PID:4872
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .)  PID:4464
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*.")  PID:3024
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe)  PID:5536
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\ujhqiwqbxjgwwmht.exe  (cmdline: ujhqiwqbxjgwwmht.exe)  PID:3128
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe)  PID:3248
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\brqatidpmzxopgcpy.exe  (cmdline: brqatidpmzxopgcpy.exe)  PID:5564
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .)  PID:2444
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\xruifyxnofhchcctgglfi.exe  (cmdline: xruifyxnofhchcctgglfi.exe .)  PID:1688
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*.")  PID:5508
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .)  PID:1708
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\xruifyxnofhchcctgglfi.exe  (cmdline: xruifyxnofhchcctgglfi.exe .)  PID:5352
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*.")  PID:5156
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe)  PID:2064
    [2] C:\Windows\brqatidpmzxopgcpy.exe  (cmdline: brqatidpmzxopgcpy.exe)  PID:5176
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe)  PID:5216
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\xruifyxnofhchcctgglfi.exe  (cmdline: xruifyxnofhchcctgglfi.exe)  PID:1432
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .)  PID:5888
    [2] C:\Windows\vnoavmjxwllehaynywz.exe  (cmdline: vnoavmjxwllehaynywz.exe .)  PID:3896
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*.")  PID:2052
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .)  PID:5416
    [2] C:\Windows\vnoavmjxwllehaynywz.exe  (cmdline: vnoavmjxwllehaynywz.exe .)  PID:5680
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*.")  PID:6040
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe)  PID:5040
    [2] C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe)  PID:5924
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe)  PID:4580
    [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe)  PID:3964
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .)  PID:1932
    [2] C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .)  PID:3580
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*.")  PID:3116
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .)  PID:3312
    [2] C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .)  PID:2812
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*.")  PID:1124
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe)  PID:6088
    [2] C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe)  PID:5160
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe)  PID:2028
    [2] C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe)  PID:3416
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .)  PID:924
    [2] C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .)  PID:4592
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*.")  PID:132
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .)  PID:3588
    [2] C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .)  PID:4588
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*.")  PID:824
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe)  PID:568
    [2] C:\Windows\vnoavmjxwllehaynywz.exe  (cmdline: vnoavmjxwllehaynywz.exe)  PID:1208
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .)  PID:6096
    [2] C:\Windows\xruifyxnofhchcctgglfi.exe  (cmdline: xruifyxnofhchcctgglfi.exe .)  PID:4356
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*.")  PID:3628
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe)  PID:4968
    [2] C:\Windows\ibdqmecrrhicgazpbaex.exe  (cmdline: ibdqmecrrhicgazpbaex.exe)  PID:4928
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .)  PID:5028
    [2] C:\Windows\xruifyxnofhchcctgglfi.exe  (cmdline: xruifyxnofhchcctgglfi.exe .)  PID:2344
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*.")  PID:3564
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe)  PID:5076
    [2] C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe)  PID:3760
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .)  PID:3732
    [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .)  PID:4168
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*.")  PID:4352
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe)  PID:4892
    [2] C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe)  PID:5760
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .)  PID:556
    [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .)  PID:5756
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*.")  PID:3384
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe)  PID:416
    [2] C:\Windows\ibdqmecrrhicgazpbaex.exe  (cmdline: ibdqmecrrhicgazpbaex.exe)  PID:3500
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe .)  PID:3936
    [2] C:\Windows\ibdqmecrrhicgazpbaex.exe  (cmdline: ibdqmecrrhicgazpbaex.exe .)  PID:4612
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*.")  PID:1756
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe)  PID:2952
    [2] C:\Windows\brqatidpmzxopgcpy.exe  (cmdline: brqatidpmzxopgcpy.exe)  PID:5312
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe)  PID:2196
    [2] C:\Windows\kbbmgwsfdrqikcznxu.exe  (cmdline: kbbmgwsfdrqikcznxu.exe)  PID:1996
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe)  PID:3616
    [2] C:\Windows\brqatidpmzxopgcpy.exe  (cmdline: brqatidpmzxopgcpy.exe)  PID:4448
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .)  PID:768
    [2] C:\Windows\brqatidpmzxopgcpy.exe  (cmdline: brqatidpmzxopgcpy.exe .)  PID:128
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*.")  PID:5208
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .)  PID:2940
    [2] C:\Windows\vnoavmjxwllehaynywz.exe  (cmdline: vnoavmjxwllehaynywz.exe .)  PID:5904
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*.")  PID:1852
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .)  PID:4860
    [2] C:\Windows\vnoavmjxwllehaynywz.exe  (cmdline: vnoavmjxwllehaynywz.exe .)  PID:1420
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*.")  PID:2240
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe)  PID:4940
    [2] C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe)  PID:3304
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .)  PID:748
    [2] C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .)  PID:328
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ibdqmecrrhicgazpbaex.exe*.")  PID:4440
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Disables RegEdit via registry modification
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe)  PID:5848
    [2] C:\Windows\vnoavmjxwllehaynywz.exe  (cmdline: vnoavmjxwllehaynywz.exe)  PID:1168

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe)  PID:5180
    [2] C:\Windows\ujhqiwqbxjgwwmht.exe  (cmdline: ujhqiwqbxjgwwmht.exe)  PID:5828

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .)  PID:1296
    [2] C:\Windows\ujhqiwqbxjgwwmht.exe  (cmdline: ujhqiwqbxjgwwmht.exe .)  PID:3492
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*.")  PID:3080

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .)  PID:5560
    [2] C:\Windows\ujhqiwqbxjgwwmht.exe  (cmdline: ujhqiwqbxjgwwmht.exe .)  PID:5720
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*.")  PID:5136

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe)  PID:5196
    [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe)  PID:5008

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe)  PID:4092
    [2] C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe)  PID:5420

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .)  PID:2164
    [2] C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .)  PID:2020
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*.")  PID:924

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .)  PID:2072
    [2] C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .)  PID:5316
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ibdqmecrrhicgazpbaex.exe*.")  PID:3972

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe)  PID:5308
    [2] C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe)  PID:3104

[1] C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .)  PID:3032
    [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .)  PID:4832
        [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*.")  PID:3268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe1⤵PID:5716
-
C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe2⤵PID:824
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe1⤵PID:804
-
C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exeC:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe2⤵PID:5368
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .1⤵PID:5708
-
C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .2⤵PID:780
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."3⤵PID:1944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .1⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5464 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*."3⤵PID:3368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe1⤵PID:5812
-
C:\Windows\xruifyxnofhchcctgglfi.exexruifyxnofhchcctgglfi.exe2⤵PID:1456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .1⤵PID:400
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4356
-
-
C:\Windows\vnoavmjxwllehaynywz.exevnoavmjxwllehaynywz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4416 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*."3⤵PID:3516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe1⤵PID:2080
-
C:\Windows\vnoavmjxwllehaynywz.exevnoavmjxwllehaynywz.exe2⤵PID:3332
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .1⤵PID:3328
-
C:\Windows\ujhqiwqbxjgwwmht.exeujhqiwqbxjgwwmht.exe .2⤵PID:4912
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."3⤵PID:4272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe1⤵PID:696
-
C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe2⤵PID:1916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .1⤵PID:2684
-
C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .2⤵PID:3732
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."3⤵PID:2312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe1⤵PID:4896
-
C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exeC:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe2⤵PID:5964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .1⤵PID:4868
-
C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exeC:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:556 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
PID:4548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe1⤵PID:2968
-
C:\Windows\ujhqiwqbxjgwwmht.exeujhqiwqbxjgwwmht.exe2⤵PID:4604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .1⤵PID:4212
-
C:\Windows\vnoavmjxwllehaynywz.exevnoavmjxwllehaynywz.exe .2⤵PID:2172
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*."3⤵PID:5684
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe1⤵PID:5000
-
C:\Windows\brqatidpmzxopgcpy.exebrqatidpmzxopgcpy.exe2⤵PID:4552
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .1⤵PID:3892
-
C:\Windows\xruifyxnofhchcctgglfi.exexruifyxnofhchcctgglfi.exe .2⤵PID:5044
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."3⤵PID:1964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe1⤵PID:1248
-
C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe2⤵PID:4344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .1⤵PID:5208
-
C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .2⤵PID:5636
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*."3⤵PID:2064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe1⤵PID:384
-
C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exeC:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe2⤵PID:2068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .1⤵PID:1640
-
C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exeC:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4944 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:4940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe1⤵PID:1980
-
C:\Windows\xruifyxnofhchcctgglfi.exexruifyxnofhchcctgglfi.exe2⤵PID:2100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe .1⤵PID:1688
-
C:\Windows\ibdqmecrrhicgazpbaex.exeibdqmecrrhicgazpbaex.exe .2⤵PID:2160
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*."3⤵PID:6040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe1⤵PID:4408
-
C:\Windows\xruifyxnofhchcctgglfi.exexruifyxnofhchcctgglfi.exe2⤵PID:3724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .1⤵PID:3552
-
C:\Windows\ujhqiwqbxjgwwmht.exeujhqiwqbxjgwwmht.exe .2⤵PID:2304
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."3⤵PID:5696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe1⤵PID:1772
-
C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exeC:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe2⤵PID:1088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .1⤵PID:4092
-
C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exeC:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .2⤵PID:1296
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."3⤵PID:5680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe1⤵PID:3932
-
C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe2⤵PID:3572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .1⤵PID:3428
-
C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exeC:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .2⤵PID:4588
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe1⤵PID:3144
-
C:\Windows\ujhqiwqbxjgwwmht.exeujhqiwqbxjgwwmht.exe2⤵PID:5124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .1⤵PID:4592
-
C:\Windows\vnoavmjxwllehaynywz.exevnoavmjxwllehaynywz.exe .2⤵PID:3092
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*."3⤵PID:6136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe1⤵PID:1124
-
C:\Windows\ibdqmecrrhicgazpbaex.exeibdqmecrrhicgazpbaex.exe2⤵PID:488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .1⤵PID:1236
-
C:\Windows\ujhqiwqbxjgwwmht.exeujhqiwqbxjgwwmht.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."3⤵PID:5348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe1⤵PID:3924
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1944
-
-
C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe2⤵PID:2452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .1⤵PID:4180
-
C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exeC:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .2⤵PID:5500
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."3⤵PID:3504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe1⤵PID:3096
-
C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe2⤵PID:1676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .1⤵PID:1576
-
C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exeC:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4900 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."3⤵PID:4828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe1⤵PID:4584
-
C:\Windows\brqatidpmzxopgcpy.exebrqatidpmzxopgcpy.exe2⤵PID:4780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe1⤵PID:2080
-
C:\Windows\vnoavmjxwllehaynywz.exevnoavmjxwllehaynywz.exe2⤵PID:4280
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .1⤵PID:2864
-
C:\Windows\xruifyxnofhchcctgglfi.exexruifyxnofhchcctgglfi.exe .2⤵PID:3844
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."3⤵PID:6000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .1⤵PID:1680
-
C:\Windows\brqatidpmzxopgcpy.exebrqatidpmzxopgcpy.exe .2⤵PID:2760
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
PID:1440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe1⤵PID:3064
-
C:\Windows\vnoavmjxwllehaynywz.exevnoavmjxwllehaynywz.exe2⤵PID:2992
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe1⤵PID:1032
-
C:\Windows\ujhqiwqbxjgwwmht.exeujhqiwqbxjgwwmht.exe2⤵PID:4268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .1⤵PID:5032
-
C:\Windows\ujhqiwqbxjgwwmht.exeujhqiwqbxjgwwmht.exe .2⤵PID:5292
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."3⤵PID:1964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .1⤵PID:4700
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:556
-
-
C:\Windows\xruifyxnofhchcctgglfi.exexruifyxnofhchcctgglfi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5508 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."3⤵PID:4636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe1⤵PID:3904
-
C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe2⤵PID:4772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe1⤵PID:4872
-
C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe2⤵PID:3452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .1⤵PID:2792
-
C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .2⤵PID:912
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."3⤵PID:5596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .1⤵PID:6056
-
C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exeC:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4412 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."3⤵PID:4548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe1⤵PID:3356
-
C:\Windows\kbbmgwsfdrqikcznxu.exekbbmgwsfdrqikcznxu.exe2⤵PID:2816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .1⤵PID:4004
-
C:\Windows\brqatidpmzxopgcpy.exebrqatidpmzxopgcpy.exe .2⤵PID:5960
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."3⤵PID:1532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe1⤵PID:5444
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5636
-
-
C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe2⤵PID:1672
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe1⤵PID:236
-
C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exeC:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe2⤵PID:3508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .1⤵PID:408
-
C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exeC:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."3⤵PID:5560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe1⤵PID:2700
-
C:\Windows\vnoavmjxwllehaynywz.exevnoavmjxwllehaynywz.exe2⤵PID:1148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .1⤵PID:1356
-
C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .2⤵PID:3724
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*."3⤵PID:5136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .1⤵PID:788
-
C:\Windows\vnoavmjxwllehaynywz.exevnoavmjxwllehaynywz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4408 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*."3⤵PID:6120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe1⤵PID:5176
-
C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exeC:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe2⤵PID:8
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .1⤵PID:3316
-
C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exeC:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .2⤵PID:1220
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."3⤵PID:1296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe1⤵PID:6092
-
C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exeC:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe2⤵PID:3896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .1⤵PID:1956
-
C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exeC:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .2⤵PID:3900
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ibdqmecrrhicgazpbaex.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:5204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe1⤵PID:1128
-
C:\Windows\kbbmgwsfdrqikcznxu.exekbbmgwsfdrqikcznxu.exe2⤵PID:5800
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .1⤵PID:5644
-
C:\Windows\xruifyxnofhchcctgglfi.exexruifyxnofhchcctgglfi.exe .2⤵PID:5412
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."3⤵PID:1328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe1⤵PID:2960
-
C:\Windows\xruifyxnofhchcctgglfi.exexruifyxnofhchcctgglfi.exe2⤵PID:6136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe .1⤵PID:2272
-
C:\Windows\kbbmgwsfdrqikcznxu.exekbbmgwsfdrqikcznxu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1124 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\kbbmgwsfdrqikcznxu.exe*."3⤵PID:656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe1⤵PID:2920
-
C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe2⤵PID:4580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .1⤵PID:3020
-
C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exeC:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .2⤵PID:5036
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."3⤵PID:5708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe1⤵PID:564
-
C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe2⤵PID:5772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .1⤵PID:3648
-
C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4416 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:4708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe1⤵PID:3516
-
C:\Windows\ujhqiwqbxjgwwmht.exeujhqiwqbxjgwwmht.exe2⤵PID:5068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .1⤵PID:4252
-
C:\Windows\brqatidpmzxopgcpy.exebrqatidpmzxopgcpy.exe .2⤵PID:1972
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."3⤵PID:4676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe1⤵PID:1380
-
C:\Windows\kbbmgwsfdrqikcznxu.exekbbmgwsfdrqikcznxu.exe2⤵PID:5024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .1⤵PID:4688
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6000
-
-
C:\Windows\brqatidpmzxopgcpy.exebrqatidpmzxopgcpy.exe .2⤵PID:4404
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."3⤵PID:2476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe1⤵PID:3668
-
C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe2⤵PID:4948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .1⤵PID:4604
-
C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exeC:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .2⤵PID:3348
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."3⤵PID:5000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe1⤵PID:5744
-
C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe2⤵PID:2280
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .1⤵PID:2924
-
C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .2⤵PID:5192
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe1⤵PID:5452
-
C:\Windows\kbbmgwsfdrqikcznxu.exekbbmgwsfdrqikcznxu.exe2⤵PID:4548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe .1⤵PID:2200
-
C:\Windows\ibdqmecrrhicgazpbaex.exeibdqmecrrhicgazpbaex.exe .2⤵PID:4556
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*."3⤵PID:4080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe1⤵PID:4908
-
C:\Windows\ibdqmecrrhicgazpbaex.exeibdqmecrrhicgazpbaex.exe2⤵PID:2656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe .1⤵PID:908
-
C:\Windows\ibdqmecrrhicgazpbaex.exeibdqmecrrhicgazpbaex.exe .2⤵PID:4716
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*."3⤵PID:1436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe1⤵PID:356
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4944
-
-
C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe2⤵PID:3460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .1⤵PID:4684
-
C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .2⤵PID:1472
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."3⤵PID:4480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe1⤵PID:4672
-
C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe2⤵PID:3380
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .1⤵PID:5720
-
C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .2⤵PID:5128
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe1⤵PID:2176
-
C:\Windows\brqatidpmzxopgcpy.exebrqatidpmzxopgcpy.exe2⤵PID:4288
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .1⤵PID:3592
-
C:\Windows\ujhqiwqbxjgwwmht.exeujhqiwqbxjgwwmht.exe .2⤵PID:5008
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."3⤵PID:5748
-
-
-
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe | PID:4260
  [2] C:\Windows\brqatidpmzxopgcpy.exe | brqatidpmzxopgcpy.exe | PID:1540
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe . | PID:1440
  [2] C:\Windows\ibdqmecrrhicgazpbaex.exe | ibdqmecrrhicgazpbaex.exe . | PID:4312
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*." | PID:3972
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | PID:1056
  [2] C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | PID:2908
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe . | PID:3944
  [2] C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe . | PID:5384
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ibdqmecrrhicgazpbaex.exe*." | PID:2332
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | PID:1328
  [2] C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | PID:2072
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe . | PID:5340
  [2] C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe . | PID:2680
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*." | PID:780
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe | PID:6016
  [2] C:\Windows\ujhqiwqbxjgwwmht.exe | ujhqiwqbxjgwwmht.exe | PID:5872
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe . | PID:5432
  [2] C:\Windows\ibdqmecrrhicgazpbaex.exe | ibdqmecrrhicgazpbaex.exe . | PID:1520
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*." | PID:3400
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe | PID:1900
  [2] C:\Windows\kbbmgwsfdrqikcznxu.exe | kbbmgwsfdrqikcznxu.exe | PID:244
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe . | PID:920
  [2] C:\Windows\vnoavmjxwllehaynywz.exe | vnoavmjxwllehaynywz.exe . | PID:3096
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*." | PID:5088
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | PID:3628
  [2] C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | PID:4544
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe . | PID:3332
  [2] C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe . | PID:3028
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*." | PID:2980
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | PID:2316
  [2] C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | PID:3564
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe . | PID:1448
  [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe . | PID:4360
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*." | PID:3120
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe | PID:3348
  [2] C:\Windows\kbbmgwsfdrqikcznxu.exe | kbbmgwsfdrqikcznxu.exe | PID:5700
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe . | PID:4844
  [2] C:\Windows\xruifyxnofhchcctgglfi.exe | xruifyxnofhchcctgglfi.exe . | PID:2328
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*." | PID:852
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe | PID:4632
  [2] C:\Windows\ibdqmecrrhicgazpbaex.exe | ibdqmecrrhicgazpbaex.exe | PID:6072
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe . | PID:5648
  [2] C:\Windows\kbbmgwsfdrqikcznxu.exe | kbbmgwsfdrqikcznxu.exe . | PID:5488
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\kbbmgwsfdrqikcznxu.exe*." | PID:5012
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | PID:5904
  [2] C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | PID:2552
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe . | PID:1168
  [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe . | PID:4412
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*." | PID:2952
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe | PID:2928
  [2] C:\Windows\vnoavmjxwllehaynywz.exe | vnoavmjxwllehaynywz.exe | PID:4864
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | PID:4556
  [2] C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | PID:2764
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe | PID:1516
  [2] C:\Windows\xruifyxnofhchcctgglfi.exe | xruifyxnofhchcctgglfi.exe | PID:1432
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe . | PID:5228
  [2] C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe . | PID:3356
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*." | PID:856
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe . | PID:1436
  [2] C:\Windows\vnoavmjxwllehaynywz.exe | vnoavmjxwllehaynywz.exe . | PID:1472
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*." | PID:2052
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe . | PID:3340
  [2] C:\Windows\xruifyxnofhchcctgglfi.exe | xruifyxnofhchcctgglfi.exe . | PID:3716
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*." | PID:1092
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe | PID:4480
  [2] C:\Windows\xruifyxnofhchcctgglfi.exe | xruifyxnofhchcctgglfi.exe | PID:1488
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe | PID:4344
  [2] C:\Windows\ibdqmecrrhicgazpbaex.exe | ibdqmecrrhicgazpbaex.exe | PID:5528
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe . | PID:5972
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5696
  [2] C:\Windows\ibdqmecrrhicgazpbaex.exe | ibdqmecrrhicgazpbaex.exe . | PID:1932
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*." | PID:3544
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe . | PID:5600
  [2] C:\Windows\ibdqmecrrhicgazpbaex.exe | ibdqmecrrhicgazpbaex.exe . | PID:2644
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*." | PID:5004
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | PID:4028
  [2] C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | PID:2592
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | PID:2472
  [2] C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | PID:4812
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe . | PID:1772
  [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe . | PID:5520
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*." | PID:4584
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe . | PID:2028
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4940
  [2] C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe . | PID:4564
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*." | PID:4536
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe | PID:1956
  [2] C:\Windows\ujhqiwqbxjgwwmht.exe | ujhqiwqbxjgwwmht.exe | PID:3260
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | PID:5412
  [2] C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | PID:5040
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe . | PID:3428
  [2] C:\Windows\brqatidpmzxopgcpy.exe | brqatidpmzxopgcpy.exe . | PID:2920
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*." | PID:808
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | PID:1328
  [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | PID:4608
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe . | PID:2588
  [2] C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe . | PID:1960
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*." | PID:4960
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe . | PID:3924
  [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe . | PID:920
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*." | PID:4784
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe | PID:3580
  [2] C:\Windows\kbbmgwsfdrqikcznxu.exe | kbbmgwsfdrqikcznxu.exe | PID:5772
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe . | PID:5708
  [2] C:\Windows\vnoavmjxwllehaynywz.exe | vnoavmjxwllehaynywz.exe . | PID:3648
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*." | PID:2180
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | PID:1860
  [2] C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | PID:1256
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe . | PID:1468
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4780
  [2] C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe . | PID:3564
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*." | PID:3696
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | PID:2992
  [2] C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | PID:2344
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe . | PID:2760
  [2] C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe . | PID:4272
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*." | PID:4364
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe | PID:4624
  [2] C:\Windows\vnoavmjxwllehaynywz.exe | vnoavmjxwllehaynywz.exe | PID:4612
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe . | PID:4176
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2328
  [2] C:\Windows\kbbmgwsfdrqikcznxu.exe | kbbmgwsfdrqikcznxu.exe . | PID:3376
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\kbbmgwsfdrqikcznxu.exe*." | PID:800
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe | PID:1924
  [2] C:\Windows\ujhqiwqbxjgwwmht.exe | ujhqiwqbxjgwwmht.exe | PID:3452
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe . | PID:2924
  [2] C:\Windows\brqatidpmzxopgcpy.exe | brqatidpmzxopgcpy.exe . | PID:5692
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*." | PID:3936
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | PID:5572
  [2] C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | PID:416
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe . | PID:2856
  [2] C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe . | PID:6056
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*." | PID:2792
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | PID:440
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3508
  [2] C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | PID:2656
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe . | PID:4556
  [2] C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe . | PID:124
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*." | PID:4032
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe | PID:3488
  [2] C:\Windows\kbbmgwsfdrqikcznxu.exe | kbbmgwsfdrqikcznxu.exe | PID:4444
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe . | PID:2240
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5560
  [2] C:\Windows\ujhqiwqbxjgwwmht.exe | ujhqiwqbxjgwwmht.exe . | PID:5924
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*." | PID:1136
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe | PID:3716
  [2] C:\Windows\ibdqmecrrhicgazpbaex.exe | ibdqmecrrhicgazpbaex.exe | PID:1092
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe . | PID:1980
  [2] C:\Windows\brqatidpmzxopgcpy.exe | brqatidpmzxopgcpy.exe . | PID:2556
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*." | PID:4860
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | PID:5528
  [2] C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | PID:5848
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe . | PID:4344
  [2] C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe . | PID:4044
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*." | PID:5788
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | PID:2464
  [2] C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | PID:4368
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe . | PID:824
  [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe . | PID:4592
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*." | PID:5592
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe | PID:4536
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4288
  [2] C:\Windows\brqatidpmzxopgcpy.exe | brqatidpmzxopgcpy.exe | PID:6032
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe . | PID:4980
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5412
  [2] C:\Windows\brqatidpmzxopgcpy.exe | brqatidpmzxopgcpy.exe . | PID:5800
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*." | PID:808
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe | PID:4180
  [2] C:\Windows\ujhqiwqbxjgwwmht.exe | ujhqiwqbxjgwwmht.exe | PID:1900
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe . | PID:4968
  [2] C:\Windows\kbbmgwsfdrqikcznxu.exe | kbbmgwsfdrqikcznxu.exe . | PID:2072
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\kbbmgwsfdrqikcznxu.exe*." | PID:1624
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | PID:3360
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2452
  [2] C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | PID:5652
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe . | PID:3096
  [2] C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe . | PID:5356
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*." | PID:4348
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | PID:5992
  [2] C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | PID:3404
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe . | PID:3940
  [2] C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe . | PID:5340
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*." | PID:488
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe | PID:5100
  [2] C:\Windows\xruifyxnofhchcctgglfi.exe | xruifyxnofhchcctgglfi.exe | PID:4584
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe . | PID:5680
  [2] C:\Windows\ujhqiwqbxjgwwmht.exe | ujhqiwqbxjgwwmht.exe . | PID:5868
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*." | PID:1124
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe | PID:4356
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4676
  [2] C:\Windows\ibdqmecrrhicgazpbaex.exe | ibdqmecrrhicgazpbaex.exe | PID:6088
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe . | PID:5584
  [2] C:\Windows\xruifyxnofhchcctgglfi.exe | xruifyxnofhchcctgglfi.exe . | PID:2864
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*." | PID:4272
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | PID:5064
  [2] C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | PID:2288
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe . | PID:2476
  [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe . | PID:5312
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*." | PID:4612
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | PID:2312
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2280
  [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | PID:4648
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe . | PID:5808
  [2] C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe . | PID:3344
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*." | PID:2552
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe | PID:3824
  [2] C:\Windows\brqatidpmzxopgcpy.exe | brqatidpmzxopgcpy.exe | PID:2300
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe | PID:5648
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1672
  [2] C:\Windows\brqatidpmzxopgcpy.exe | brqatidpmzxopgcpy.exe | PID:4880
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe . | PID:1776
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5192
  [2] C:\Windows\xruifyxnofhchcctgglfi.exe | xruifyxnofhchcctgglfi.exe . | PID:5452
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*." | PID:240
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe . | PID:5900
  [2] C:\Windows\kbbmgwsfdrqikcznxu.exe | kbbmgwsfdrqikcznxu.exe . | PID:2656
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\kbbmgwsfdrqikcznxu.exe*." | PID:3356
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe | PID:1108
  [2] C:\Windows\vnoavmjxwllehaynywz.exe | vnoavmjxwllehaynywz.exe | PID:5444
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe . | PID:2640
  [2] C:\Windows\ujhqiwqbxjgwwmht.exe | ujhqiwqbxjgwwmht.exe . | PID:5176
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*." | PID:4580
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe | PID:540
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4364
  [2] C:\Windows\ibdqmecrrhicgazpbaex.exe | ibdqmecrrhicgazpbaex.exe | PID:2120
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | PID:4556
  [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | PID:5804
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe . | PID:908
  [2] C:\Windows\ujhqiwqbxjgwwmht.exe | ujhqiwqbxjgwwmht.exe . | PID:1092
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*." | PID:1284
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe . | PID:1532
  [2] C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe . | PID:4860
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*." | PID:3944
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | PID:2032
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1136
  [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | PID:1436
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe . | PID:1920
  [2] C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe . | PID:3292
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ibdqmecrrhicgazpbaex.exe*." | PID:4572
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe | PID:4540
  [2] C:\Windows\vnoavmjxwllehaynywz.exe | vnoavmjxwllehaynywz.exe | PID:3276
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | PID:1884
  [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | PID:3220
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe . | PID:4044
  [2] C:\Windows\vnoavmjxwllehaynywz.exe | vnoavmjxwllehaynywz.exe . | PID:6120
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*." | PID:3600
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | PID:4964
  [2] C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | PID:1056
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe . | PID:4748
  [2] C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe . | PID:5772
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ibdqmecrrhicgazpbaex.exe*." | PID:1208
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe | PID:4520
  [2] C:\Windows\brqatidpmzxopgcpy.exe | brqatidpmzxopgcpy.exe | PID:564
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe . | PID:5796
  [2] C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe . | PID:2452
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*." | PID:2956
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe . | PID:4996
  [2] C:\Windows\ujhqiwqbxjgwwmht.exe | ujhqiwqbxjgwwmht.exe . | PID:3360
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*." | PID:5068
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | PID:5088
  [2] C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | PID:4808
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe . | PID:5160
  [2] C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe . | PID:4544
    - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ibdqmecrrhicgazpbaex.exe*." | PID:4920
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | PID:5432
  [2] C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | PID:5592
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe . | PID:924
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:656
-
-
C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exeC:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3732 -
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ibdqmecrrhicgazpbaex.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
PID:1312
-
-
-
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe | PID 5760
  [2] C:\Windows\ibdqmecrrhicgazpbaex.exe | ibdqmecrrhicgazpbaex.exe | PID 5144

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe . | PID 2316
  [2] C:\Windows\ujhqiwqbxjgwwmht.exe | ujhqiwqbxjgwwmht.exe . | PID 1772
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*." | PID 4324

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe | PID 1468
  [2] C:\Windows\ibdqmecrrhicgazpbaex.exe | ibdqmecrrhicgazpbaex.exe | PID 3844

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe . | PID 1372
  [2] C:\Windows\xruifyxnofhchcctgglfi.exe | xruifyxnofhchcctgglfi.exe . | PID 4272
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*." | PID 4268

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | PID 4240
  [2] C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | PID 5428

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe . | PID 5152
  [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe . | PID 2760
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*." | PID 5164

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | PID 3348
  [2] C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | PID 4316

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe . | PID 4552
  [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe . | PID 2968
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*." | PID 3596

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe | PID 828
  [2] C:\Windows\vnoavmjxwllehaynywz.exe | vnoavmjxwllehaynywz.exe | PID 3440

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe | PID 5452
  [2] C:\Windows\kbbmgwsfdrqikcznxu.exe | kbbmgwsfdrqikcznxu.exe | PID 5660

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe . | PID 5192
  [2] C:\Windows\xruifyxnofhchcctgglfi.exe | xruifyxnofhchcctgglfi.exe . | PID 328
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*." | PID 3724
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe . | PID 1472
  [2] C:\Windows\kbbmgwsfdrqikcznxu.exe | kbbmgwsfdrqikcznxu.exe . | PID 5220
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\kbbmgwsfdrqikcznxu.exe*." | PID 5416
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe | PID 3500
  [2] C:\Windows\ujhqiwqbxjgwwmht.exe | ujhqiwqbxjgwwmht.exe | PID 2100

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe . | PID 1172
  [2] C:\Windows\xruifyxnofhchcctgglfi.exe | xruifyxnofhchcctgglfi.exe . | PID 2528
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*." | PID 1648

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe | PID 4464
  [2] C:\Windows\brqatidpmzxopgcpy.exe | brqatidpmzxopgcpy.exe | PID 5228

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | PID 3380
  [2] C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | PID 5544

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe . | PID 3896
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1284
  [2] C:\Windows\vnoavmjxwllehaynywz.exe | vnoavmjxwllehaynywz.exe . | PID 3340
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*." | PID 5788

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe . | PID 2052
  [2] C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe . | PID 6080
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*." | PID 5196

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | PID 4540
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4860
  [2] C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | PID 3588

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe | PID 2640
  [2] C:\Windows\vnoavmjxwllehaynywz.exe | vnoavmjxwllehaynywz.exe | PID 3040

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe . | PID 1348
  [2] C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe . | PID 1628
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*." | PID 5040

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | PID 4576
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 564
  [2] C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | PID 2452

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe . | PID 764
  [2] C:\Windows\brqatidpmzxopgcpy.exe | brqatidpmzxopgcpy.exe . | PID 1576
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*." | PID 1540

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe . | PID 4964
  [2] C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe . | PID 1236
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*." | PID 2960
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | PID 5772
  [2] C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | PID 4032

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe | PID 6032
  [2] C:\Windows\vnoavmjxwllehaynywz.exe | vnoavmjxwllehaynywz.exe | PID 3492

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe . | PID 5812
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2956
  [2] C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe . | PID 5912
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*." | PID 3644

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe . | PID 3628
  [2] C:\Windows\xruifyxnofhchcctgglfi.exe | xruifyxnofhchcctgglfi.exe . | PID 1528
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*." | PID 2980

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | PID 3504
  [2] C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | PID 2164

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe . | PID 4852
  [2] C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe . | PID 4408
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*." | PID 5860

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | PID 920
  [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | PID 3584

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe . | PID 4656
  [2] C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe . | PID 1684
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*." | PID 5028
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe | PID 3844
  [2] C:\Windows\ujhqiwqbxjgwwmht.exe | ujhqiwqbxjgwwmht.exe | PID 5080

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe . | PID 2852
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3564
  [2] C:\Windows\brqatidpmzxopgcpy.exe | brqatidpmzxopgcpy.exe . | PID 5492
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*." | PID 5780

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe | PID 4240
  [2] C:\Windows\brqatidpmzxopgcpy.exe | brqatidpmzxopgcpy.exe | PID 4440

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe . | PID 2288
  [2] C:\Windows\kbbmgwsfdrqikcznxu.exe | kbbmgwsfdrqikcznxu.exe . | PID 5576
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\kbbmgwsfdrqikcznxu.exe*." | PID 5164
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | PID 4736
  [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | PID 1248

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe . | PID 4176
  [2] C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe . | PID 5568
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*." | PID 6072

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | PID 3596
  [2] C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | PID 488

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe . | PID 3880
  [2] C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe . | PID 2008
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*." | PID 5684
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe | PID 5664
  [2] C:\Windows\brqatidpmzxopgcpy.exe | brqatidpmzxopgcpy.exe | PID 3616

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe . | PID 4452
  [2] C:\Windows\brqatidpmzxopgcpy.exe | brqatidpmzxopgcpy.exe . | PID 3776
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*." | PID 4716

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe | PID 2952
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3120
  [2] C:\Windows\kbbmgwsfdrqikcznxu.exe | kbbmgwsfdrqikcznxu.exe | PID 1640

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe . | PID 2172
  [2] C:\Windows\ibdqmecrrhicgazpbaex.exe | ibdqmecrrhicgazpbaex.exe . | PID 1488
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*." | PID 3244

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | PID 5208
  [2] C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | PID 336

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe . | PID 5832
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1472
  [2] C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe . | PID 5456
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*." | PID 5640

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | PID 2240
  [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | PID 3488

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe . | PID 4556
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5528
  [2] C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe . | PID 2004
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*." | PID 244
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe | PID 4972
  [2] C:\Windows\ibdqmecrrhicgazpbaex.exe | ibdqmecrrhicgazpbaex.exe | PID 1152

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe . | PID 4808
  [2] C:\Windows\xruifyxnofhchcctgglfi.exe | xruifyxnofhchcctgglfi.exe . | PID 1080
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*." | PID 6092
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe | PID 4580
  [2] C:\Windows\xruifyxnofhchcctgglfi.exe | xruifyxnofhchcctgglfi.exe | PID 824

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe | PID 3572
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5040
  [2] C:\Windows\kbbmgwsfdrqikcznxu.exe | kbbmgwsfdrqikcznxu.exe | PID 4576

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe . | PID 4484
  [2] C:\Windows\brqatidpmzxopgcpy.exe | brqatidpmzxopgcpy.exe . | PID 5180
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*." | PID 5592

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe . | PID 6136
  [2] C:\Windows\kbbmgwsfdrqikcznxu.exe | kbbmgwsfdrqikcznxu.exe . | PID 764
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\kbbmgwsfdrqikcznxu.exe*." | PID 3092

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | PID 4444
  [2] C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | PID 1012

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe | PID 2076
  [2] C:\Windows\xruifyxnofhchcctgglfi.exe | xruifyxnofhchcctgglfi.exe | PID 5432

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe . | PID 5160
  [2] C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe . | PID 5872
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*." | PID 5068

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe | PID 3436
  [2] C:\Windows\kbbmgwsfdrqikcznxu.exe | kbbmgwsfdrqikcznxu.exe | PID 5140

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe . | PID 2688
  [2] C:\Windows\ujhqiwqbxjgwwmht.exe | ujhqiwqbxjgwwmht.exe . | PID 3544
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*." | PID 788

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | PID 5708
  [2] C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | PID 3736

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe . | PID 5944
  [2] C:\Windows\ujhqiwqbxjgwwmht.exe | ujhqiwqbxjgwwmht.exe . | PID 5340
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*." | PID 5532
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe . | PID 4852
  [2] C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe . | PID 1972
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*." | PID 2580

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | PID 5600
  [2] C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | PID 5476

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe . | PID 4352
  [2] C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe . | PID 4416
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*." | PID 5312

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe | PID 3284
  [2] C:\Windows\ibdqmecrrhicgazpbaex.exe | ibdqmecrrhicgazpbaex.exe | PID 3296

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe . | PID 2316
  [2] C:\Windows\ibdqmecrrhicgazpbaex.exe | ibdqmecrrhicgazpbaex.exe . | PID 3024
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*." | PID 2968

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | PID 2116
  [2] C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | PID 2748

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe . | PID 4272
  [2] C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe . | PID 2168
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*." | PID 4316

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | PID 1524
  [2] C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | PID 2820

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe . | PID 3860
  [2] C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe . | PID 3036
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*." | PID 488

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | PID 5732
  [2] C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | PID 1916

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe . | PID 4880
  [2] C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe . | PID 3904
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*." | PID 1568

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe | PID 1672
  [2] C:\Windows\kbbmgwsfdrqikcznxu.exe | kbbmgwsfdrqikcznxu.exe | PID 2928

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe . | PID 1696
  [2] C:\Windows\brqatidpmzxopgcpy.exe | brqatidpmzxopgcpy.exe . | PID 1964
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*." | PID 2200

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe | PID 5960
  [2] C:\Windows\ibdqmecrrhicgazpbaex.exe | ibdqmecrrhicgazpbaex.exe | PID 2252

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe . | PID 3184
  [2] C:\Windows\ibdqmecrrhicgazpbaex.exe | ibdqmecrrhicgazpbaex.exe . | PID 1824
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*." | PID 5544
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | PID 2508
  [2] C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | PID 2092

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe . | PID 5984
  [2] C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe . | PID 5728
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*." | PID 1148

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | PID 4908
  [2] C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | PID 3220

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe . | PID 2716
  [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe . | PID 2068
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*." | PID 1296

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe | PID 976
  [2] C:\Windows\ujhqiwqbxjgwwmht.exe | ujhqiwqbxjgwwmht.exe | PID 1152

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe . | PID 4056
  [2] C:\Windows\vnoavmjxwllehaynywz.exe | vnoavmjxwllehaynywz.exe . | PID 1392
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*." | PID 2032

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe | PID 2452
  [2] C:\Windows\brqatidpmzxopgcpy.exe | brqatidpmzxopgcpy.exe | PID 1516

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe . | PID 4276
  [2] C:\Windows\vnoavmjxwllehaynywz.exe | vnoavmjxwllehaynywz.exe . | PID 4180
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*." | PID 4652

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | PID 4576
  [2] C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe | PID 4572

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe . | PID 6096
  [2] C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe . | PID 2632
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*." | PID 1540

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | PID 1456
  [2] C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | PID 1676

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe . | PID 5880
  [2] C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe | C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe . | PID 4444
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ibdqmecrrhicgazpbaex.exe*." | PID 4996

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe | PID 5124
  [2] C:\Windows\kbbmgwsfdrqikcznxu.exe | kbbmgwsfdrqikcznxu.exe | PID 1440

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe . | PID 3492
  [2] C:\Windows\brqatidpmzxopgcpy.exe | brqatidpmzxopgcpy.exe . | PID 4928
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*." | PID 4684

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe | PID 5072
  [2] C:\Windows\ujhqiwqbxjgwwmht.exe | ujhqiwqbxjgwwmht.exe | PID 1860

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe . | PID 4584
  [2] C:\Windows\vnoavmjxwllehaynywz.exe | vnoavmjxwllehaynywz.exe . | PID 2680
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*." | PID 4324

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | PID 848
  [2] C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | PID 1108

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe . | PID 3844
  [2] C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe | C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe . | PID 4676
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*." | PID 5340

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | PID 5536
  [2] C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe | PID 3628

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe . | PID 3556
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4920
  [2] C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe | C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe . | PID 6112
    [3] C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | "C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*." | PID 5144

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe | PID 5492
  [2] C:\Windows\brqatidpmzxopgcpy.exe | brqatidpmzxopgcpy.exe | PID 5064
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .1⤵PID:5448
-
C:\Windows\xruifyxnofhchcctgglfi.exexruifyxnofhchcctgglfi.exe .2⤵PID:5680
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."3⤵PID:2112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe1⤵PID:2296
-
C:\Windows\ibdqmecrrhicgazpbaex.exeibdqmecrrhicgazpbaex.exe2⤵PID:4688
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .1⤵PID:5080
-
C:\Windows\vnoavmjxwllehaynywz.exevnoavmjxwllehaynywz.exe .2⤵PID:4636
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*."3⤵PID:800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe1⤵PID:4552
-
C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exeC:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe2⤵PID:5964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .1⤵PID:5396
-
C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exeC:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .2⤵PID:488
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."3⤵PID:1996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe1⤵PID:5868
-
C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exeC:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe2⤵PID:3880
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .1⤵PID:1072
-
C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exeC:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .2⤵PID:576
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ibdqmecrrhicgazpbaex.exe*."3⤵PID:4412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe1⤵PID:4948
-
C:\Windows\kbbmgwsfdrqikcznxu.exekbbmgwsfdrqikcznxu.exe2⤵PID:1036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe .1⤵PID:1040
-
C:\Windows\kbbmgwsfdrqikcznxu.exekbbmgwsfdrqikcznxu.exe .2⤵PID:3776
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\kbbmgwsfdrqikcznxu.exe*."3⤵PID:3276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe1⤵PID:1740
-
C:\Windows\ibdqmecrrhicgazpbaex.exeibdqmecrrhicgazpbaex.exe2⤵PID:1220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .1⤵PID:2508
-
C:\Windows\brqatidpmzxopgcpy.exebrqatidpmzxopgcpy.exe .2⤵PID:2700
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."3⤵PID:5728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe1⤵PID:4944
-
C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe2⤵PID:3488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .1⤵PID:5948
-
C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exeC:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .2⤵PID:3380
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."3⤵PID:5540
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe1⤵PID:5384
-
C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe2⤵PID:1896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .1⤵PID:4592
-
C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .2⤵PID:5500
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."3⤵PID:5196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe1⤵PID:2648
-
C:\Windows\ibdqmecrrhicgazpbaex.exeibdqmecrrhicgazpbaex.exe2⤵PID:2480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .1⤵PID:4580
-
C:\Windows\xruifyxnofhchcctgglfi.exexruifyxnofhchcctgglfi.exe .2⤵PID:3944
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."3⤵PID:4564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe1⤵PID:5284
-
C:\Windows\ujhqiwqbxjgwwmht.exeujhqiwqbxjgwwmht.exe2⤵PID:5720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe .1⤵PID:5716
-
C:\Windows\kbbmgwsfdrqikcznxu.exekbbmgwsfdrqikcznxu.exe .2⤵PID:1348
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\kbbmgwsfdrqikcznxu.exe*."3⤵PID:5564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe1⤵PID:4572
-
C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe2⤵PID:4008
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .1⤵PID:2632
-
C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exeC:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .2⤵PID:1012
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."3⤵PID:2920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe1⤵PID:5180
-
C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe2⤵PID:4596
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe1⤵PID:1296
-
C:\Windows\vnoavmjxwllehaynywz.exevnoavmjxwllehaynywz.exe2⤵PID:1748
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .1⤵PID:3092
-
C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .2⤵PID:4368
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*."3⤵PID:4312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe .1⤵PID:6016
-
C:\Windows\ibdqmecrrhicgazpbaex.exeibdqmecrrhicgazpbaex.exe .2⤵PID:2444
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*."3⤵PID:5072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe1⤵PID:1572
-
C:\Windows\xruifyxnofhchcctgglfi.exexruifyxnofhchcctgglfi.exe2⤵PID:656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe1⤵PID:1860
-
C:\Windows\ujhqiwqbxjgwwmht.exeujhqiwqbxjgwwmht.exe2⤵PID:1124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe .1⤵PID:3580
-
C:\Windows\ibdqmecrrhicgazpbaex.exeibdqmecrrhicgazpbaex.exe .2⤵PID:4888
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*."3⤵PID:2116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .1⤵PID:5676
-
C:\Windows\ujhqiwqbxjgwwmht.exeujhqiwqbxjgwwmht.exe .2⤵PID:5024
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."3⤵PID:5492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe1⤵PID:5780
-
C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exeC:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe2⤵PID:2592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe1⤵PID:4852
-
C:\Windows\xruifyxnofhchcctgglfi.exexruifyxnofhchcctgglfi.exe2⤵PID:4404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .1⤵PID:1172
-
C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .2⤵PID:1808
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*."3⤵PID:3616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe1⤵PID:4984
-
C:\Windows\kbbmgwsfdrqikcznxu.exekbbmgwsfdrqikcznxu.exe2⤵PID:5680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .1⤵PID:1468
-
C:\Windows\brqatidpmzxopgcpy.exebrqatidpmzxopgcpy.exe .2⤵PID:5344
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."3⤵PID:3824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .1⤵PID:5876
-
C:\Windows\brqatidpmzxopgcpy.exebrqatidpmzxopgcpy.exe .2⤵PID:3284
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."3⤵PID:828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe1⤵PID:4812
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5312
-
-
C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe2⤵PID:696
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .1⤵PID:1580
-
C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exeC:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .2⤵PID:1052
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."3⤵PID:5208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe1⤵PID:4688
-
C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exeC:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe2⤵PID:2700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe1⤵PID:4448
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4272
-
-
C:\Windows\ujhqiwqbxjgwwmht.exeujhqiwqbxjgwwmht.exe2⤵PID:2064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .1⤵PID:3416
-
C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .2⤵PID:4660
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."3⤵PID:2092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .1⤵PID:3376
-
C:\Windows\ujhqiwqbxjgwwmht.exeujhqiwqbxjgwwmht.exe .2⤵PID:1756
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."3⤵PID:1356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe1⤵PID:4216
-
C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exeC:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe2⤵PID:4948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe1⤵PID:416
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3440
-
-
C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe2⤵PID:6068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .1⤵PID:5420
-
C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exeC:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .2⤵PID:2176
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*."3⤵PID:4196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .1⤵PID:1832
-
C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exeC:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .2⤵PID:4944
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*."3⤵PID:5004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe1⤵PID:3700
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3488
-
-
C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exeC:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe2⤵PID:4588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .1⤵PID:1472
-
C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exeC:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .2⤵PID:3340
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."3⤵PID:5696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe1⤵PID:1152
-
C:\Windows\ibdqmecrrhicgazpbaex.exeibdqmecrrhicgazpbaex.exe2⤵PID:2480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe .1⤵PID:3692
-
C:\Windows\kbbmgwsfdrqikcznxu.exekbbmgwsfdrqikcznxu.exe .2⤵PID:2428
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\kbbmgwsfdrqikcznxu.exe*."3⤵PID:3964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe1⤵PID:3472
-
C:\Windows\ujhqiwqbxjgwwmht.exeujhqiwqbxjgwwmht.exe2⤵PID:1884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .1⤵PID:1104
-
C:\Windows\brqatidpmzxopgcpy.exebrqatidpmzxopgcpy.exe .2⤵PID:5284
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."3⤵PID:4572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe1⤵PID:2368
-
C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe2⤵PID:4488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .1⤵PID:5924
-
C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .2⤵PID:1944
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."3⤵PID:2164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe1⤵PID:2588
-
C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exeC:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe2⤵PID:2872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .1⤵PID:3972
-
C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exeC:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .2⤵PID:6120
-
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ibdqmecrrhicgazpbaex.exe*."3⤵PID:1296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe1⤵PID:2308
-
C:\Windows\vnoavmjxwllehaynywz.exevnoavmjxwllehaynywz.exe2⤵PID:1492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .1⤵PID:1912
-
C:\Windows\brqatidpmzxopgcpy.exebrqatidpmzxopgcpy.exe .2⤵PID:1572
-
Network
MITRE ATT&CK Enterprise v16 (count of matched signatures in parentheses)

Persistence
    Boot or Logon Autostart Execution (3)
        Registry Run Keys / Startup Folder (2)
        Winlogon Helper DLL (1)
    Hijack Execution Flow (1)
        Executable Installer File Permissions Weakness (1)
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Boot or Logon Autostart Execution (3)
        Registry Run Keys / Startup Folder (2)
        Winlogon Helper DLL (1)
    Hijack Execution Flow (1)
        Executable Installer File Permissions Weakness (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Hijack Execution Flow (1)
        Executable Installer File Permissions Weakness (1)
    Impair Defenses (2)
        Disable or Modify Tools (1)
        Safe Mode Boot (1)
    Modify Registry (5)
Downloads