Analysis

max time kernel: 54s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 22/04/2025, 13:08
Static task: static1

Behavioral task: behavioral1
Sample: JaffaCakes118_ce23cbd71cc033cecb1958623ee620c1.exe
Resource: win10v2004-20250410-en

Behavioral task: behavioral2
Sample: JaffaCakes118_ce23cbd71cc033cecb1958623ee620c1.exe
Resource: win11-20250410-en
General

Target: JaffaCakes118_ce23cbd71cc033cecb1958623ee620c1.exe
Size: 588KB
MD5: ce23cbd71cc033cecb1958623ee620c1
SHA1: ee0c07c78a5eeb4216a4e178e871f04ef0ba9b00
SHA256: 270dce235ce96e14c6472a545008e2e80c489f41b21f8ce9db95a60dd18f99c3
SHA512: 9a26d99303a7e07e4b5be581d4621d8af9705106ef6f26ab5326911c0d0aa065658951c5ca5c3b7dc1c4603c65a5ff0b8dbed4dbbc43b7bcd3d93dafa18b6a73
SSDEEP: 12288:CYBX/tQDwmHtOwu/ctCKaCDnEQvPg5I2R3:CY2w+tOwuMCeEOPp83
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 26 IoCs)
Operation: Set value (str)
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Data: "Explorer.exe"
Process: sxrmhekochb.exe (24 writes), cjgtw.exe (2 writes)
Pykspa family

UAC bypass (3 TTPs, 35 IoCs)
Operation: Set value (int), all under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA = "0": sxrmhekochb.exe (24), cjgtw.exe (2)
ConsentPromptBehaviorAdmin = "0": sxrmhekochb.exe (1), cjgtw.exe (2)
ConsentPromptBehaviorUser = "0": sxrmhekochb.exe (1), cjgtw.exe (2)
PromptOnSecureDesktop = "0": sxrmhekochb.exe (1), cjgtw.exe (2)
Detect Pykspa worm (2 IoCs)
YARA rule family_pykspa matched:
behavioral2/files/0x000c00000002ad0d-4.dat
behavioral2/files/0x001900000002b10f-82.dat
Adds policy Run key to start application (2 TTPs, 64 IoCs)
Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Key created: sxrmhekochb.exe, cjgtw.exe
Set value (str) uhkdmycpyns, data is a bare file name:
  "njvxpkxtljxaeiodqplx.exe", "gzihwoyrgbmmnordn.exe", "pjttjcnhxtfgikobmj.exe", "zrzxlcldrlvuuuwh.exe": sxrmhekochb.exe
  "czmpiespihwafkrhvvsfi.exe": sxrmhekochb.exe, cjgtw.exe
  "avghysezqnacfinbnlg.exe": cjgtw.exe
Set value (str) pzzpvefp, data is a full path under C:\Users\Admin\AppData\Local\Temp\:
  njvxpkxtljxaeiodqplx.exe, pjttjcnhxtfgikobmj.exe: sxrmhekochb.exe
  zrzxlcldrlvuuuwh.exe, avghysezqnacfinbnlg.exe, czmpiespihwafkrhvvsfi.exe: sxrmhekochb.exe, cjgtw.exe
  gzihwoyrgbmmnordn.exe: cjgtw.exe
Disables RegEdit via registry modification (6 IoCs)
Operation: Set value (int) DisableRegistryTools = "1"
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System: sxrmhekochb.exe (1), cjgtw.exe (2)
\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System: sxrmhekochb.exe (1), cjgtw.exe (2)
Executes dropped EXE (64 IoCs)
Process (count): PIDs in order of appearance
sxrmhekochb.exe (19): 3716, 4904, 2316, 4428, 2992, 1496, 652, 3760, 5724, 5188, 1892, 5296, 1692, 5000, 5020, 3200, 2312, 1100, 3576
czmpiespihwafkrhvvsfi.exe (11): 1552, 5080, 3652, 5236, 1484, 3564, 2028, 5568, 4980, 6088, 3564
gzihwoyrgbmmnordn.exe (9): 4996, 1208, 2096, 2388, 452, 3404, 2928, 2012, 1172
avghysezqnacfinbnlg.exe (7): 3404, 5268, 5432, 4160, 5632, 460, 4860
zrzxlcldrlvuuuwh.exe (7): 2896, 4024, 3528, 4408, 5244, 4940, 6100
njvxpkxtljxaeiodqplx.exe (5): 2360, 5272, 1032, 5796, 4548
pjttjcnhxtfgikobmj.exe (4): 4504, 3076, 5092, 1632
cjgtw.exe (2): 2016, 4764
(PIDs 3404 and 3564 each appear twice, i.e. were reused after the earlier process exited.)
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
Operation: Key deleted by cjgtw.exe, under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\
UserManager, SerCx2.sys, ProfSvc, Power, iai2c.sys, CBDHSvc
Adds Run key to start application (2 TTPs, 64 IoCs)
Operation: Set value (str). Data is either a bare file name or a full path under C:\Users\Admin\AppData\Local\Temp\; every RunOnce value carries a trailing " ." as written by the sample. Writing processes in parentheses.

\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  grsjqacnu (bare file name): njvxpkxtljxaeiodqplx.exe, gzihwoyrgbmmnordn.exe, czmpiespihwafkrhvvsfi.exe (sxrmhekochb.exe, cjgtw.exe); zrzxlcldrlvuuuwh.exe, pjttjcnhxtfgikobmj.exe, avghysezqnacfinbnlg.exe (sxrmhekochb.exe)
  ulspcsarexgedcd (full path): avghysezqnacfinbnlg.exe, zrzxlcldrlvuuuwh.exe (sxrmhekochb.exe, cjgtw.exe); czmpiespihwafkrhvvsfi.exe, njvxpkxtljxaeiodqplx.exe, pjttjcnhxtfgikobmj.exe (sxrmhekochb.exe)
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  zlnfnybnvj (bare file name + " ."): pjttjcnhxtfgikobmj.exe (cjgtw.exe, sxrmhekochb.exe); njvxpkxtljxaeiodqplx.exe (sxrmhekochb.exe)
  rhnjvkrhtltqom (full path + " ."): pjttjcnhxtfgikobmj.exe, zrzxlcldrlvuuuwh.exe, czmpiespihwafkrhvvsfi.exe, gzihwoyrgbmmnordn.exe, njvxpkxtljxaeiodqplx.exe (sxrmhekochb.exe)
\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run
  rfjdnaftdtzu (bare file name): gzihwoyrgbmmnordn.exe, pjttjcnhxtfgikobmj.exe (sxrmhekochb.exe); czmpiespihwafkrhvvsfi.exe (cjgtw.exe, sxrmhekochb.exe)
  grsjqacnu (full path): czmpiespihwafkrhvvsfi.exe, njvxpkxtljxaeiodqplx.exe, pjttjcnhxtfgikobmj.exe, gzihwoyrgbmmnordn.exe, avghysezqnacfinbnlg.exe (sxrmhekochb.exe)
\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
  zlnfnybnvj (full path + " ."): njvxpkxtljxaeiodqplx.exe (cjgtw.exe, sxrmhekochb.exe); gzihwoyrgbmmnordn.exe, pjttjcnhxtfgikobmj.exe, avghysezqnacfinbnlg.exe (sxrmhekochb.exe)
  qfkfqekzkbieb (bare file name + " ."): njvxpkxtljxaeiodqplx.exe, pjttjcnhxtfgikobmj.exe (cjgtw.exe); czmpiespihwafkrhvvsfi.exe (cjgtw.exe, sxrmhekochb.exe); zrzxlcldrlvuuuwh.exe, avghysezqnacfinbnlg.exe, gzihwoyrgbmmnordn.exe (sxrmhekochb.exe)
Checks whether UAC is enabled 1 TTPs 52 IoCs
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"  sxrmhekochb.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"  cjgtw.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"  cjgtw.exe
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
1  www.showmyipaddress.com
5  whatismyip.everdot.org
5  whatismyipaddress.com
8  www.whatismyip.ca
8  whatismyip.everdot.org
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 4 IoCs
description  ioc  Process
File opened for modification  C:\Program Files (x86)\rfjdnaftdtzuqmkrwnbfzjwbpzpvqmigns.xbv  cjgtw.exe
File created  C:\Program Files (x86)\rfjdnaftdtzuqmkrwnbfzjwbpzpvqmigns.xbv  cjgtw.exe
File opened for modification  C:\Program Files (x86)\ehajikehglgqbmzvpvyrazb.yxc  cjgtw.exe
File created  C:\Program Files (x86)\ehajikehglgqbmzvpvyrazb.yxc  cjgtw.exe
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
description  pid  Process
Token: SeDebugPrivilege  4764  cjgtw.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 64 IoCs
Distinct entries among the 64 logged events (all under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies):

| Action | Key / value | Data | Process |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | | sxrmhekochb.exe, cjgtw.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | | sxrmhekochb.exe, cjgtw.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | "0" | sxrmhekochb.exe, cjgtw.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths | "0" | sxrmhekochb.exe, cjgtw.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop | "0" | sxrmhekochb.exe, cjgtw.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures | "0" | cjgtw.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin | "0" | sxrmhekochb.exe, cjgtw.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser | "0" | sxrmhekochb.exe, cjgtw.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken | "0" | sxrmhekochb.exe, cjgtw.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization | "0" | sxrmhekochb.exe, cjgtw.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools | "1" | sxrmhekochb.exe, cjgtw.exe |
Processes

Each entry: PID | image path | command line | signatures. Indentation shows parent/child depth.

- PID 2264 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ce23cbd71cc033cecb1958623ee620c1.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ce23cbd71cc033cecb1958623ee620c1.exe" | sigs: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - PID 3716 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_ce23cbd71cc033cecb1958623ee620c1.exe*" | sigs: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Adds Run key to start application; Checks whether UAC is enabled; Hijack Execution Flow: Executable Installer File Permissions Weakness; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory; System policy modification
    - PID 4764 | C:\Users\Admin\AppData\Local\Temp\cjgtw.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\cjgtw.exe" "-C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe" | sigs: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Impair Defenses: Safe Mode Boot; Adds Run key to start application; Checks whether UAC is enabled; Hijack Execution Flow: Executable Installer File Permissions Weakness; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification
    - PID 2016 | C:\Users\Admin\AppData\Local\Temp\cjgtw.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\cjgtw.exe" "-C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe" | sigs: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Adds Run key to start application; Checks whether UAC is enabled; Hijack Execution Flow: Executable Installer File Permissions Weakness; Drops file in System32 directory; Drops file in Windows directory; System policy modification

- PID 4792 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe | sigs: Suspicious use of WriteProcessMemory
  - PID 3404 | C:\Windows\avghysezqnacfinbnlg.exe | cmdline: avghysezqnacfinbnlg.exe | sigs: Executes dropped EXE; System Location Discovery: System Language Discovery

- PID 2036 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe . | sigs: Suspicious use of WriteProcessMemory
  - PID 1552 | C:\Windows\czmpiespihwafkrhvvsfi.exe | cmdline: czmpiespihwafkrhvvsfi.exe . | sigs: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - PID 4904 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\czmpiespihwafkrhvvsfi.exe*." | sigs: Executes dropped EXE

- PID 4880 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe | sigs: Suspicious use of WriteProcessMemory
  - PID 5080 | C:\Windows\czmpiespihwafkrhvvsfi.exe | cmdline: czmpiespihwafkrhvvsfi.exe | sigs: Executes dropped EXE

- PID 5048 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe . | sigs: Suspicious use of WriteProcessMemory
  - PID 4996 | C:\Windows\gzihwoyrgbmmnordn.exe | cmdline: gzihwoyrgbmmnordn.exe . | sigs: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - PID 2316 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*." | sigs: Executes dropped EXE

- PID 5300 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe | sigs: Suspicious use of WriteProcessMemory
  - PID 2896 | C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe | sigs: Executes dropped EXE

- PID 6088 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe . | sigs: Suspicious use of WriteProcessMemory
  - PID 4024 | C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe . | sigs: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - PID 4428 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\zrzxlcldrlvuuuwh.exe*." | sigs: Executes dropped EXE

- PID 872 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe | sigs: Suspicious use of WriteProcessMemory
  - PID 5268 | C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe | sigs: Executes dropped EXE; System Location Discovery: System Language Discovery

- PID 2344 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe . | sigs: Suspicious use of WriteProcessMemory
  - PID 3652 | C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe . | sigs: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - PID 2992 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\czmpiespihwafkrhvvsfi.exe*." | sigs: Executes dropped EXE

- PID 484 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe | sigs: Suspicious use of WriteProcessMemory
  - PID 1208 | C:\Windows\gzihwoyrgbmmnordn.exe | cmdline: gzihwoyrgbmmnordn.exe | sigs: Executes dropped EXE

- PID 3128 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe | sigs: Suspicious use of WriteProcessMemory
  - PID 2096 | C:\Windows\gzihwoyrgbmmnordn.exe | cmdline: gzihwoyrgbmmnordn.exe | sigs: Executes dropped EXE

- PID 3888 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe . | sigs: Suspicious use of WriteProcessMemory
  - PID 4504 | C:\Windows\pjttjcnhxtfgikobmj.exe | cmdline: pjttjcnhxtfgikobmj.exe . | sigs: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - PID 1496 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\pjttjcnhxtfgikobmj.exe*." | sigs: Executes dropped EXE

- PID 1468 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe . | sigs: Suspicious use of WriteProcessMemory
  - PID 5236 | C:\Windows\czmpiespihwafkrhvvsfi.exe | cmdline: czmpiespihwafkrhvvsfi.exe . | sigs: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - PID 652 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\czmpiespihwafkrhvvsfi.exe*." | sigs: Executes dropped EXE

- PID 5804 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe | sigs: Suspicious use of WriteProcessMemory
  - PID 1484 | C:\Windows\czmpiespihwafkrhvvsfi.exe | cmdline: czmpiespihwafkrhvvsfi.exe | sigs: Executes dropped EXE

- PID 4988 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe
  - PID 3564 | C:\Windows\czmpiespihwafkrhvvsfi.exe | cmdline: czmpiespihwafkrhvvsfi.exe | sigs: Executes dropped EXE

- PID 5752 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe .
  - PID 5432 | C:\Windows\avghysezqnacfinbnlg.exe | cmdline: avghysezqnacfinbnlg.exe . | sigs: Executes dropped EXE; System Location Discovery: System Language Discovery
    - PID 3760 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\avghysezqnacfinbnlg.exe*." | sigs: Executes dropped EXE

- PID 3812 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe
  - PID 4160 | C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe | sigs: Executes dropped EXE

- PID 1180 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe .
  - PID 2028 | C:\Windows\czmpiespihwafkrhvvsfi.exe | cmdline: czmpiespihwafkrhvvsfi.exe . | sigs: Executes dropped EXE; System Location Discovery: System Language Discovery
    - PID 5724 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\czmpiespihwafkrhvvsfi.exe*." | sigs: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Executes dropped EXE; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification

- PID 5732 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe
  - PID 5568 | C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe | sigs: Executes dropped EXE

- PID 5116 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .
  - PID 3528 | C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe . | sigs: Executes dropped EXE; System Location Discovery: System Language Discovery
    - PID 5188 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\zrzxlcldrlvuuuwh.exe*." | sigs: Executes dropped EXE

- PID 3944 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .
  - PID 5632 | C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe . | sigs: Executes dropped EXE
    - PID 1892 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\avghysezqnacfinbnlg.exe*." | sigs: Executes dropped EXE

- PID 5708 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe
  - PID 3076 | C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe | sigs: Executes dropped EXE; System Location Discovery: System Language Discovery

- PID 932 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe
  - PID 4980 | C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe | sigs: Executes dropped EXE

- PID 328 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .
  - PID 2388 | C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe . | sigs: Executes dropped EXE
    - PID 5296 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\gzihwoyrgbmmnordn.exe*." | sigs: Executes dropped EXE

- PID 3040 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .
  - PID 2360 | C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe . | sigs: Executes dropped EXE
    - PID 1692 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\njvxpkxtljxaeiodqplx.exe*." | sigs: Executes dropped EXE

- PID 5828 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe
  - PID 452 | C:\Windows\gzihwoyrgbmmnordn.exe | cmdline: gzihwoyrgbmmnordn.exe | sigs: Executes dropped EXE

- PID 5216 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe .
  - PID 3404 | C:\Windows\gzihwoyrgbmmnordn.exe | cmdline: gzihwoyrgbmmnordn.exe . | sigs: Executes dropped EXE; System Location Discovery: System Language Discovery
    - PID 5000 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*." | sigs: Executes dropped EXE

- PID 2392 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe
  - PID 4408 | C:\Windows\zrzxlcldrlvuuuwh.exe | cmdline: zrzxlcldrlvuuuwh.exe | sigs: Executes dropped EXE; System Location Discovery: System Language Discovery

- PID 5040 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe .
  - PID 5244 | C:\Windows\zrzxlcldrlvuuuwh.exe | cmdline: zrzxlcldrlvuuuwh.exe . | sigs: Executes dropped EXE
    - PID 5020 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\zrzxlcldrlvuuuwh.exe*." | sigs: Executes dropped EXE

- PID 4520 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe
  - PID 460 | C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe | sigs: Executes dropped EXE

- PID 552 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .
  - PID 4940 | C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe . | sigs: Executes dropped EXE; System Location Discovery: System Language Discovery
    - PID 3200 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\zrzxlcldrlvuuuwh.exe*." | sigs: Executes dropped EXE

- PID 916 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe
  - PID 6088 | C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe | sigs: Executes dropped EXE

- PID 5312 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .
  - PID 4860 | C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe . | sigs: Executes dropped EXE
    - PID 2312 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\avghysezqnacfinbnlg.exe*." | sigs: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Executes dropped EXE; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification

- PID 3160 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe
  - PID 6100 | C:\Windows\zrzxlcldrlvuuuwh.exe | cmdline: zrzxlcldrlvuuuwh.exe | sigs: Executes dropped EXE

- PID 5552 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe .
  - PID 5092 | C:\Windows\pjttjcnhxtfgikobmj.exe | cmdline: pjttjcnhxtfgikobmj.exe . | sigs: Executes dropped EXE
    - PID 1100 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\pjttjcnhxtfgikobmj.exe*." | sigs: Executes dropped EXE

- PID 3520 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe
  - PID 5272 | C:\Windows\njvxpkxtljxaeiodqplx.exe | cmdline: njvxpkxtljxaeiodqplx.exe | sigs: Executes dropped EXE

- PID 3036 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe
  - PID 2928 | C:\Windows\gzihwoyrgbmmnordn.exe | cmdline: gzihwoyrgbmmnordn.exe | sigs: Executes dropped EXE

- PID 4396 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe
  - PID 5796 | C:\Windows\njvxpkxtljxaeiodqplx.exe | cmdline: njvxpkxtljxaeiodqplx.exe | sigs: Executes dropped EXE

- PID 3752 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe .
  - PID 1032 | C:\Windows\njvxpkxtljxaeiodqplx.exe | cmdline: njvxpkxtljxaeiodqplx.exe . | sigs: Executes dropped EXE; System Location Discovery: System Language Discovery
    - PID 3576 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\njvxpkxtljxaeiodqplx.exe*." | sigs: Executes dropped EXE

- PID 5592 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe
  - PID 4548 | C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe | sigs: Executes dropped EXE

- PID 3128 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe .
  - PID 2012 | C:\Windows\gzihwoyrgbmmnordn.exe | cmdline: gzihwoyrgbmmnordn.exe . | sigs: Executes dropped EXE; System Location Discovery: System Language Discovery
    - PID 3356 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*."

- PID 5136 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .
  - PID 1172 | C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe . | sigs: Executes dropped EXE
    - PID 5132 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\gzihwoyrgbmmnordn.exe*." | sigs: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification

- PID 3868 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe .
  - PID 3564 | C:\Windows\czmpiespihwafkrhvvsfi.exe | cmdline: czmpiespihwafkrhvvsfi.exe . | sigs: Executes dropped EXE
    - PID 5884 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\czmpiespihwafkrhvvsfi.exe*."

- PID 764 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe
  - PID 1632 | C:\Windows\pjttjcnhxtfgikobmj.exe | cmdline: pjttjcnhxtfgikobmj.exe | sigs: Executes dropped EXE

- PID 5712 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe
  - PID 3168 | C:\Windows\njvxpkxtljxaeiodqplx.exe | cmdline: njvxpkxtljxaeiodqplx.exe

- PID 1340 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe .
  - PID 4056 | C:\Windows\gzihwoyrgbmmnordn.exe | cmdline: gzihwoyrgbmmnordn.exe . | sigs: System Location Discovery: System Language Discovery
    - PID 5500 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*."

- PID 6124 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe
  - PID 4612 | C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe

- PID 5440 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe .
  - PID 3284 | C:\Windows\pjttjcnhxtfgikobmj.exe | cmdline: pjttjcnhxtfgikobmj.exe . | sigs: System Location Discovery: System Language Discovery
    - PID 1696 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\pjttjcnhxtfgikobmj.exe*."

- PID 436 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe
  - PID 5568 | C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - PID 876 | C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe

- PID 1840 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .
  - PID 5900 | C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .
    - PID 5608 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\avghysezqnacfinbnlg.exe*."

- PID 1224 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe
  - PID 3744 | C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe

- PID 5696 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .
  - PID 3412 | C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .
    - PID 2520 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\gzihwoyrgbmmnordn.exe*."

- PID 4696 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .
  - PID 6060 | C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe . | sigs: System Location Discovery: System Language Discovery
    - PID 4624 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\njvxpkxtljxaeiodqplx.exe*."

- PID 3528 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe
  - PID 5700 | C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe

- PID 2004 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe .
  - PID 1036 | C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe .
    - PID 3040 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\czmpiespihwafkrhvvsfi.exe*."

- PID 5548 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe
  - PID 5708 | C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe

- PID 2572 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .
  - PID 2724 | C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe . | sigs: System Location Discovery: System Language Discovery
    - PID 4916 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\gzihwoyrgbmmnordn.exe*."

- PID 6028 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe
  - PID 1656 | C:\Windows\zrzxlcldrlvuuuwh.exe | cmdline: zrzxlcldrlvuuuwh.exe

- PID 4440 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe .
  - PID 4932 | C:\Windows\gzihwoyrgbmmnordn.exe | cmdline: gzihwoyrgbmmnordn.exe .
    - PID 5196 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*."

- PID 6132 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe
  - PID 4408 | C:\Windows\gzihwoyrgbmmnordn.exe | cmdline: gzihwoyrgbmmnordn.exe

- PID 2908 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe .
  - PID 5372 | C:\Windows\gzihwoyrgbmmnordn.exe | cmdline: gzihwoyrgbmmnordn.exe .
    - PID 5020 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*."

- PID 5944 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe
  - PID 2404 | C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe

- PID 4520 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .
  - PID 5072 | C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .
    - PID 4284 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\zrzxlcldrlvuuuwh.exe*."

- PID 3784 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe
  - PID 720 | C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe

- PID 2024 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .
  - PID 4016 | C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .
    - PID 5824 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\njvxpkxtljxaeiodqplx.exe*." | sigs: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification

- PID 5268 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe
  - PID 5892 | C:\Windows\zrzxlcldrlvuuuwh.exe | cmdline: zrzxlcldrlvuuuwh.exe

- PID 4972 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe .
  - PID 2344 | C:\Windows\gzihwoyrgbmmnordn.exe | cmdline: gzihwoyrgbmmnordn.exe . | sigs: System Location Discovery: System Language Discovery
    - PID 1676 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*."

- PID 5932 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe
  - PID 5092 | C:\Windows\avghysezqnacfinbnlg.exe | cmdline: avghysezqnacfinbnlg.exe

- PID 4820 | C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe .
  - PID 536 | C:\Windows\gzihwoyrgbmmnordn.exe | cmdline: gzihwoyrgbmmnordn.exe . | sigs: System Location Discovery: System Language Discovery
    - PID 3036 | C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*."
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe1⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exeC:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe2⤵PID:952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .1⤵PID:2832
-
C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .2⤵PID:1644
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\gzihwoyrgbmmnordn.exe*."3⤵PID:3460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe1⤵PID:2608
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe2⤵PID:2236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe .1⤵PID:1032
-
C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exeC:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3176 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\czmpiespihwafkrhvvsfi.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe1⤵PID:3844
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2312
-
-
C:\Windows\czmpiespihwafkrhvvsfi.execzmpiespihwafkrhvvsfi.exe2⤵PID:764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe .1⤵PID:1020
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe .2⤵PID:1132
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\pjttjcnhxtfgikobmj.exe*."3⤵PID:2900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe1⤵PID:3128
-
C:\Windows\czmpiespihwafkrhvvsfi.execzmpiespihwafkrhvvsfi.exe2⤵PID:1924
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe .1⤵PID:5144
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe .2⤵PID:5016
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\njvxpkxtljxaeiodqplx.exe*."3⤵PID:4740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe1⤵PID:2972
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe2⤵PID:1376
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .1⤵PID:5512
-
C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4272 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\zrzxlcldrlvuuuwh.exe*."3⤵PID:4944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe1⤵PID:5960
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5708
-
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe2⤵PID:2440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .1⤵PID:3884
-
C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5340 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\zrzxlcldrlvuuuwh.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe1⤵PID:1540
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe2⤵PID:1092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe .1⤵PID:3196
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5644 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\njvxpkxtljxaeiodqplx.exe*."3⤵PID:5308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe1⤵PID:2092
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe2⤵PID:3408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe .1⤵PID:5868
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe .2⤵PID:5748
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\avghysezqnacfinbnlg.exe*."3⤵PID:380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe1⤵PID:784
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe2⤵PID:2724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .1⤵PID:5716
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .2⤵PID:2888
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\pjttjcnhxtfgikobmj.exe*."3⤵PID:5504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe1⤵PID:2100
-
C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exeC:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe2⤵PID:3700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .1⤵PID:5624
-
C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .2⤵PID:4848
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\zrzxlcldrlvuuuwh.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:6056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe1⤵PID:2404
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe2⤵PID:5024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe .1⤵PID:2636
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe .2⤵PID:5520
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\pjttjcnhxtfgikobmj.exe*."3⤵PID:5000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe1⤵PID:4892
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe2⤵PID:5300
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe .1⤵PID:1744
-
C:\Windows\czmpiespihwafkrhvvsfi.execzmpiespihwafkrhvvsfi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4896 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\czmpiespihwafkrhvvsfi.exe*."3⤵PID:6000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe1⤵PID:1304
-
C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exeC:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe2⤵PID:5132
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .1⤵PID:6048
-
C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1640 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\zrzxlcldrlvuuuwh.exe*."3⤵PID:4532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe1⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe2⤵PID:1236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .1⤵PID:4428
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .2⤵PID:3160
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\avghysezqnacfinbnlg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe1⤵PID:1188
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe2⤵PID:2308
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe .1⤵PID:5316
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:804 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*."3⤵PID:2588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe1⤵PID:3348
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe2⤵PID:3928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe .1⤵PID:2516
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3460 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\avghysezqnacfinbnlg.exe*."3⤵PID:3360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe1⤵PID:1276
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe2⤵PID:668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe .1⤵PID:3752
-
C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exeC:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\czmpiespihwafkrhvvsfi.exe*."3⤵PID:1256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe1⤵PID:1412
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2012
-
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe2⤵PID:3016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .1⤵PID:3768
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .2⤵PID:5884
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\avghysezqnacfinbnlg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:3324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe1⤵PID:2892
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe2⤵PID:3148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe1⤵PID:1820
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1376
-
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe2⤵PID:4592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe .1⤵PID:5500
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*."3⤵PID:5700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe .1⤵PID:5144
-
C:\Windows\zrzxlcldrlvuuuwh.exezrzxlcldrlvuuuwh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4944 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\zrzxlcldrlvuuuwh.exe*."3⤵PID:3580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe1⤵PID:2780
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3744
-
-
C:\Windows\czmpiespihwafkrhvvsfi.execzmpiespihwafkrhvvsfi.exe2⤵PID:1852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe1⤵PID:4988
-
C:\Windows\zrzxlcldrlvuuuwh.exezrzxlcldrlvuuuwh.exe2⤵PID:2360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe1⤵PID:480
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe2⤵PID:1656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe .1⤵PID:2084
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*."3⤵PID:5744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe .1⤵PID:1528
-
C:\Windows\czmpiespihwafkrhvvsfi.execzmpiespihwafkrhvvsfi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5164 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\czmpiespihwafkrhvvsfi.exe*."3⤵PID:4832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe .1⤵PID:3064
-
C:\Windows\czmpiespihwafkrhvvsfi.execzmpiespihwafkrhvvsfi.exe .2⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\czmpiespihwafkrhvvsfi.exe*."3⤵PID:5952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe1⤵PID:5596
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe2⤵PID:5248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe1⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe2⤵PID:4248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .1⤵PID:3528
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .2⤵PID:1068
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\njvxpkxtljxaeiodqplx.exe*."3⤵PID:2464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe1⤵PID:5780
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe2⤵PID:3184
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .1⤵PID:4840
-
C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .2⤵PID:5904
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\gzihwoyrgbmmnordn.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe .1⤵PID:4020
-
C:\Windows\czmpiespihwafkrhvvsfi.execzmpiespihwafkrhvvsfi.exe .2⤵PID:6056
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\czmpiespihwafkrhvvsfi.exe*."3⤵PID:6128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe1⤵PID:4904
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe2⤵PID:5556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe1⤵PID:5444
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe2⤵PID:4016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .1⤵PID:5188
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .2⤵PID:2828
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\njvxpkxtljxaeiodqplx.exe*."3⤵PID:4284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe1⤵PID:5876
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe2⤵PID:5084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .1⤵PID:5080
-
C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\gzihwoyrgbmmnordn.exe*."3⤵PID:1640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .1⤵PID:5944
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .2⤵PID:4884
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\njvxpkxtljxaeiodqplx.exe*."3⤵PID:8
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe1⤵PID:5300
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe2⤵PID:5724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .1⤵PID:4940
-
C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .2⤵PID:992
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\zrzxlcldrlvuuuwh.exe*."3⤵PID:4860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe1⤵PID:3336
-
C:\Windows\czmpiespihwafkrhvvsfi.execzmpiespihwafkrhvvsfi.exe2⤵PID:4484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe .1⤵PID:2432
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1364 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\pjttjcnhxtfgikobmj.exe*."3⤵PID:2096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe1⤵PID:2928
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5272
-
-
C:\Windows\zrzxlcldrlvuuuwh.exezrzxlcldrlvuuuwh.exe2⤵PID:3036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe .1⤵PID:5316
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe .2⤵PID:3828
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\avghysezqnacfinbnlg.exe*."3⤵PID:3576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe1⤵PID:4928
-
C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exeC:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe2⤵PID:456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .1⤵PID:5276
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\njvxpkxtljxaeiodqplx.exe*."3⤵PID:3636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe1⤵PID:5400
-
C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe2⤵PID:3752
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .1⤵PID:5428
-
C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\gzihwoyrgbmmnordn.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5788
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe1⤵PID:3940
-
C:\Windows\zrzxlcldrlvuuuwh.exezrzxlcldrlvuuuwh.exe2⤵PID:1980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe .1⤵PID:4088
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*."3⤵PID:1524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe1⤵PID:4668
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe2⤵PID:5016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe .1⤵PID:5568
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5108 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\avghysezqnacfinbnlg.exe*."3⤵PID:2336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe1⤵PID:3056
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe2⤵PID:4068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .1⤵PID:4744
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3580
-
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5432 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\njvxpkxtljxaeiodqplx.exe*."3⤵PID:4372
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe1⤵PID:328
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe2⤵PID:4988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .1⤵PID:5160
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .2⤵PID:2120
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\pjttjcnhxtfgikobmj.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe1⤵PID:2800
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe2⤵PID:4336
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe .1⤵PID:5644
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3168
-
-
C:\Windows\zrzxlcldrlvuuuwh.exezrzxlcldrlvuuuwh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\zrzxlcldrlvuuuwh.exe*."3⤵PID:4280
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe1⤵PID:4852
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe2⤵PID:5068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe .1⤵PID:5336
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe .2⤵PID:5572
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*."3⤵PID:2520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe1⤵PID:5980
-
C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe2⤵PID:3196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .1⤵PID:4412
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .2⤵PID:6028
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\pjttjcnhxtfgikobmj.exe*."3⤵PID:4552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe1⤵PID:1468
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe2⤵PID:4292
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .1⤵PID:4896
-
C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .2⤵PID:5624
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\gzihwoyrgbmmnordn.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe1⤵PID:4888
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe2⤵PID:4016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe .1⤵PID:4408
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2500 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\pjttjcnhxtfgikobmj.exe*."3⤵PID:2316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe1⤵PID:5244
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe2⤵PID:236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe .1⤵PID:2208
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\pjttjcnhxtfgikobmj.exe*."3⤵PID:5756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe1⤵PID:1180
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3040
-
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe2⤵PID:2556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .1⤵PID:3416
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .2⤵PID:3804
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\pjttjcnhxtfgikobmj.exe*."3⤵PID:1168
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe1⤵PID:1676
-
C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exeC:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe2⤵PID:3036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .1⤵PID:2936
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .2⤵PID:4264
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\avghysezqnacfinbnlg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe1⤵PID:3576
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe2⤵PID:2000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe .1⤵PID:1480
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe .2⤵
- System Location Discovery: System Language Discovery
PID:532 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\pjttjcnhxtfgikobmj.exe*."3⤵PID:3752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe1⤵PID:3176
-
C:\Windows\czmpiespihwafkrhvvsfi.execzmpiespihwafkrhvvsfi.exe2⤵PID:5364
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe .1⤵PID:2312
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe .2⤵PID:1652
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\pjttjcnhxtfgikobmj.exe*."3⤵PID:5916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe1⤵PID:1896
-
C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe2⤵PID:5172
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe .1⤵PID:3624
-
C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exeC:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4856 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\czmpiespihwafkrhvvsfi.exe*."3⤵PID:1440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe1⤵PID:2644
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe2⤵PID:5612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .1⤵PID:5252
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1904 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\njvxpkxtljxaeiodqplx.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe1⤵PID:1092
-
C:\Windows\czmpiespihwafkrhvvsfi.execzmpiespihwafkrhvvsfi.exe2⤵PID:4372
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe .1⤵PID:1340
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe .2⤵PID:5788
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\avghysezqnacfinbnlg.exe*."3⤵PID:6096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe1⤵PID:2724
-
C:\Windows\zrzxlcldrlvuuuwh.exezrzxlcldrlvuuuwh.exe2⤵PID:1612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe .1⤵PID:3584
-
C:\Windows\zrzxlcldrlvuuuwh.exezrzxlcldrlvuuuwh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5008 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\zrzxlcldrlvuuuwh.exe*."3⤵PID:4800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe1⤵PID:4492
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe2⤵PID:5904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .1⤵PID:4724
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4848
-
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .2⤵PID:5556
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\njvxpkxtljxaeiodqplx.exe*."3⤵PID:3168
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe1⤵PID:3528
-
C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe2⤵PID:5980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .1⤵PID:1536
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5140 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\pjttjcnhxtfgikobmj.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
PID:4996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe1⤵PID:872
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4284
-
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe2⤵PID:1304
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe1⤵PID:1468
-
C:\Windows\zrzxlcldrlvuuuwh.exezrzxlcldrlvuuuwh.exe2⤵PID:720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe .1⤵PID:2004
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4824 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\njvxpkxtljxaeiodqplx.exe*."3⤵PID:4568
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe .1⤵PID:4792
-
C:\Windows\zrzxlcldrlvuuuwh.exezrzxlcldrlvuuuwh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5352 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\zrzxlcldrlvuuuwh.exe*."3⤵PID:3628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe1⤵PID:3140
-
C:\Windows\zrzxlcldrlvuuuwh.exezrzxlcldrlvuuuwh.exe2⤵PID:1608
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe1⤵PID:5196
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe2⤵PID:3156
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe .1⤵PID:4536
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe .2⤵PID:5580
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\avghysezqnacfinbnlg.exe*."3⤵PID:2000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe1⤵PID:4608
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe2⤵PID:5796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe .1⤵PID:6128
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe .2⤵PID:3320
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\avghysezqnacfinbnlg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe1⤵PID:4428
-
C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exeC:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe2⤵PID:5124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe .1⤵PID:5640
-
C:\Windows\czmpiespihwafkrhvvsfi.execzmpiespihwafkrhvvsfi.exe .2⤵PID:2468
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\czmpiespihwafkrhvvsfi.exe*."3⤵PID:6068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .1⤵PID:1520
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .2⤵PID:4164
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\pjttjcnhxtfgikobmj.exe*."3⤵PID:1068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe1⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe2⤵PID:1120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe1⤵PID:5204
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe2⤵PID:5940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .1⤵PID:1932
-
C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .2⤵PID:2336
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\zrzxlcldrlvuuuwh.exe*."3⤵PID:3088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe .1⤵PID:2432
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4660 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\njvxpkxtljxaeiodqplx.exe*."3⤵PID:4856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe1⤵PID:3476
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe2⤵PID:956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe1⤵PID:2608
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe2⤵PID:5760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .1⤵PID:3852
-
C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .2⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\zrzxlcldrlvuuuwh.exe*."3⤵PID:5116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .1⤵PID:3772
-
C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3128 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\gzihwoyrgbmmnordn.exe*."3⤵PID:3056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe1⤵PID:4232
-
C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe2⤵PID:1524
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .1⤵PID:736
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .2⤵PID:2604
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\pjttjcnhxtfgikobmj.exe*."3⤵PID:2064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe1⤵PID:2924
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1256
-
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe2⤵PID:2216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .1⤵PID:3344
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .2⤵PID:6004
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\avghysezqnacfinbnlg.exe*."3⤵PID:5500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe1⤵PID:2644
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe2⤵PID:1904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe .1⤵PID:5568
-
C:\Windows\zrzxlcldrlvuuuwh.exezrzxlcldrlvuuuwh.exe .2⤵PID:2780
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\zrzxlcldrlvuuuwh.exe*."3⤵PID:4828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe1⤵PID:1372
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe2⤵PID:1612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe .1⤵PID:5748
-
C:\Windows\zrzxlcldrlvuuuwh.exezrzxlcldrlvuuuwh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:740 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\zrzxlcldrlvuuuwh.exe*."3⤵PID:3584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe1⤵PID:4604
-
C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe2⤵PID:5304
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .1⤵PID:3204
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .2⤵PID:2808
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\pjttjcnhxtfgikobmj.exe*."3⤵PID:5376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe1⤵PID:1840
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe2⤵PID:4840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .1⤵PID:1148
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3556 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\njvxpkxtljxaeiodqplx.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe1⤵PID:4868
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe2⤵PID:2956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe .1⤵PID:5004
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe .2⤵PID:5744
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\njvxpkxtljxaeiodqplx.exe*."3⤵PID:460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe1⤵PID:5020
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe2⤵PID:3896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe .1⤵PID:5444
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5928 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\avghysezqnacfinbnlg.exe*."3⤵PID:5080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe1⤵PID:4544
-
C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exeC:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe2⤵PID:2868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .1⤵PID:5200
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .2⤵PID:1364
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\njvxpkxtljxaeiodqplx.exe*."3⤵PID:5796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe1⤵PID:3912
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe2⤵PID:2928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe .1⤵PID:3828
-
C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exeC:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5296 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\czmpiespihwafkrhvvsfi.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe1⤵PID:6052
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe2⤵PID:4916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe .1⤵PID:712
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5824
-
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe .2⤵PID:3320
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\njvxpkxtljxaeiodqplx.exe*."3⤵PID:2316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe1⤵PID:5592
-
C:\Windows\zrzxlcldrlvuuuwh.exezrzxlcldrlvuuuwh.exe2⤵PID:1896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe .1⤵PID:1168
-
C:\Windows\czmpiespihwafkrhvvsfi.execzmpiespihwafkrhvvsfi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5952 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\czmpiespihwafkrhvvsfi.exe*."3⤵PID:3084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe1⤵PID:5992
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe2⤵PID:560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .1⤵PID:2112
-
C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .2⤵PID:3624
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\zrzxlcldrlvuuuwh.exe*."3⤵PID:3068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe1⤵PID:4264
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe2⤵PID:4200
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .1⤵PID:4844
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5300
-
-
C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .2⤵PID:2616
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\gzihwoyrgbmmnordn.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe1⤵PID:3836
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe2⤵PID:244
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe .1⤵PID:3520
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe .2⤵
- System Location Discovery: System Language Discovery
PID:680 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*."3⤵PID:5512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe1⤵PID:4640
-
C:\Windows\zrzxlcldrlvuuuwh.exezrzxlcldrlvuuuwh.exe2⤵PID:4980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe .1⤵PID:1696
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe .2⤵PID:2236
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*."3⤵PID:4944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe1⤵PID:5060
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe2⤵PID:1672
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .1⤵PID:2440
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .2⤵PID:5760
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\pjttjcnhxtfgikobmj.exe*."3⤵PID:2820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe1⤵PID:5248
-
C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exeC:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe2⤵PID:328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .1⤵PID:5288
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3812 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\pjttjcnhxtfgikobmj.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe1⤵PID:2476
-
C:\Windows\czmpiespihwafkrhvvsfi.execzmpiespihwafkrhvvsfi.exe2⤵PID:1080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe .1⤵PID:740
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5008 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\njvxpkxtljxaeiodqplx.exe*."3⤵PID:5224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe1⤵PID:5404
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe2⤵PID:4620
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe .1⤵PID:2808
-
C:\Windows\zrzxlcldrlvuuuwh.exezrzxlcldrlvuuuwh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3204 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\zrzxlcldrlvuuuwh.exe*."3⤵PID:5088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe1⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe2⤵PID:4908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .1⤵PID:5096
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3076 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\njvxpkxtljxaeiodqplx.exe*."3⤵PID:1552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe1⤵PID:6000
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe2⤵PID:2956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .1⤵PID:4704
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4552
-
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .2⤵PID:5868
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\pjttjcnhxtfgikobmj.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe1⤵PID:4896
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe2⤵PID:5664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe .1⤵PID:5996
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4888 -
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\pjttjcnhxtfgikobmj.exe*."3⤵PID:4532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe1⤵PID:5624
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe2⤵PID:1364
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe .1⤵PID:5352
-
C:\Windows\zrzxlcldrlvuuuwh.exezrzxlcldrlvuuuwh.exe .2⤵PID:652
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\zrzxlcldrlvuuuwh.exe*."3⤵PID:5780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe1⤵PID:2404
-
C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe2⤵PID:1576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .1⤵PID:804
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .2⤵PID:5940
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\avghysezqnacfinbnlg.exe*."3⤵PID:2000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe1⤵PID:2252
-
C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exeC:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe2⤵PID:536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .1⤵PID:6052
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .2⤵PID:5256
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\njvxpkxtljxaeiodqplx.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe1⤵PID:3840
-
C:\Windows\czmpiespihwafkrhvvsfi.execzmpiespihwafkrhvvsfi.exe2⤵PID:5244
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe1⤵PID:5292
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe2⤵PID:2416
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe .1⤵PID:1540
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe .2⤵PID:3624
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\pjttjcnhxtfgikobmj.exe*."3⤵PID:5032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe .1⤵PID:2912
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe .2⤵PID:4984
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*."3⤵PID:668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe1⤵PID:2112
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2588
-
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe2⤵PID:3396
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe1⤵PID:764
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe2⤵PID:2900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe1⤵PID:2924
-
C:\Windows\czmpiespihwafkrhvvsfi.execzmpiespihwafkrhvvsfi.exe2⤵PID:416
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe .1⤵PID:4276
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe .2⤵PID:2360
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*."3⤵PID:5932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe .1⤵PID:3788
-
C:\Windows\zrzxlcldrlvuuuwh.exezrzxlcldrlvuuuwh.exe .2⤵PID:3148
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\zrzxlcldrlvuuuwh.exe*."3⤵PID:3176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe .1⤵PID:1660
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe .2⤵PID:1844
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\avghysezqnacfinbnlg.exe*."3⤵PID:2820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe1⤵PID:904
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4372
-
-
C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe2⤵PID:5620
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe1⤵PID:984
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe2⤵PID:5912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe1⤵PID:2232
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe2⤵PID:6020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .1⤵PID:5060
-
C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .2⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\zrzxlcldrlvuuuwh.exe*."3⤵PID:2808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .1⤵PID:2560
-
C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .2⤵PID:4512
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\gzihwoyrgbmmnordn.exe*."3⤵PID:2092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe .1⤵PID:1592
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe .2⤵PID:3740
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*."3⤵PID:3492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe1⤵PID:3760
-
C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe2⤵PID:740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe1⤵PID:5516
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe2⤵PID:3900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .1⤵PID:5960
-
C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .2⤵PID:5980
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\zrzxlcldrlvuuuwh.exe*."3⤵PID:4028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe1⤵PID:3448
-
C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exeC:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe2⤵PID:1148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .1⤵PID:4248
-
C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .2⤵PID:3076
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\gzihwoyrgbmmnordn.exe*."3⤵PID:3896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .1⤵PID:4336
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .2⤵PID:5096
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\avghysezqnacfinbnlg.exe*."3⤵PID:4880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe1⤵PID:5916
-
C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exeC:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe2⤵PID:2636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe .1⤵PID:2464
-
C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exeC:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe .2⤵PID:4392
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\czmpiespihwafkrhvvsfi.exe*."3⤵PID:5664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe1⤵PID:5868
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe2⤵PID:5704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe .1⤵PID:5412
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe .2⤵PID:1640
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\avghysezqnacfinbnlg.exe*."3⤵PID:6056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe1⤵PID:3188
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3184
-
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe2⤵PID:3020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe .1⤵PID:1608
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5000
-
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe .2⤵PID:4016
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\pjttjcnhxtfgikobmj.exe*."3⤵PID:4308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe1⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe2⤵PID:1688
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe .1⤵PID:4992
-
C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exeC:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe .2⤵PID:1108
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\czmpiespihwafkrhvvsfi.exe*."3⤵PID:2324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe1⤵PID:3588
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe2⤵PID:5328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .1⤵PID:2420
-
C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .2⤵PID:640
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\gzihwoyrgbmmnordn.exe*."3⤵PID:608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe1⤵PID:4432
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe2⤵PID:5348
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe .1⤵PID:1524
-
C:\Windows\zrzxlcldrlvuuuwh.exezrzxlcldrlvuuuwh.exe .2⤵PID:5640
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\zrzxlcldrlvuuuwh.exe*."3⤵PID:1172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe1⤵PID:3068
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe2⤵PID:876
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe .1⤵PID:5612
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe .2⤵PID:2912
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*."3⤵PID:3768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe1⤵PID:2960
-
C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exeC:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe2⤵PID:5804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .1⤵PID:2968
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3056
-
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .2⤵PID:2312
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\njvxpkxtljxaeiodqplx.exe*."3⤵PID:2400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe1⤵PID:4684
-
C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exeC:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe2⤵PID:4944
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .1⤵PID:5400
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5700
-
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .2⤵PID:3596
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\pjttjcnhxtfgikobmj.exe*."3⤵PID:5912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe1⤵PID:1612
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe2⤵PID:980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe .1⤵PID:3340
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1904
-
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe .2⤵PID:4396
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\njvxpkxtljxaeiodqplx.exe*."3⤵PID:780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe1⤵PID:3560
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe2⤵PID:3744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe .1⤵PID:4620
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe .2⤵PID:2320
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*."3⤵PID:4128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe1⤵PID:5136
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe2⤵PID:4512
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .1⤵PID:4080
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .2⤵PID:3464
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\avghysezqnacfinbnlg.exe*."3⤵PID:5220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe1⤵PID:5504
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe2⤵PID:4164
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .1⤵PID:2120
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .2⤵PID:1840
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\pjttjcnhxtfgikobmj.exe*."3⤵PID:3032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe1⤵PID:1304
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe2⤵PID:720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe .1⤵PID:3880
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe .2⤵PID:5724
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\pjttjcnhxtfgikobmj.exe*."3⤵PID:3784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe1⤵PID:6000
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe2⤵PID:5744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe .1⤵PID:3076
-
C:\Windows\czmpiespihwafkrhvvsfi.execzmpiespihwafkrhvvsfi.exe .2⤵PID:5388
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\czmpiespihwafkrhvvsfi.exe*."3⤵PID:1076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe1⤵PID:5960
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe2⤵PID:3648
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .1⤵PID:4704
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .2⤵PID:5004
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\njvxpkxtljxaeiodqplx.exe*."3⤵PID:5372
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe1⤵PID:1136
-
C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe2⤵PID:2304
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .1⤵PID:3556
-
C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .2⤵PID:5356
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\gzihwoyrgbmmnordn.exe*."3⤵PID:6056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe1⤵PID:3944
-
C:\Windows\zrzxlcldrlvuuuwh.exezrzxlcldrlvuuuwh.exe2⤵PID:236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe .1⤵PID:2404
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe .2⤵PID:4308
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\njvxpkxtljxaeiodqplx.exe*."3⤵PID:4548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe1⤵PID:5508
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe2⤵PID:768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe .1⤵PID:4820
-
C:\Windows\gzihwoyrgbmmnordn.exegzihwoyrgbmmnordn.exe .2⤵PID:960
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*."3⤵PID:5676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe1⤵PID:1100
-
C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe2⤵PID:5036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .1⤵PID:2248
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .2⤵PID:5672
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\avghysezqnacfinbnlg.exe*."3⤵PID:4692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe1⤵PID:6068
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe2⤵PID:560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .1⤵PID:1652
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .2⤵PID:4612
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\avghysezqnacfinbnlg.exe*."3⤵PID:4232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe1⤵PID:1008
-
C:\Windows\czmpiespihwafkrhvvsfi.execzmpiespihwafkrhvvsfi.exe2⤵PID:3964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe .1⤵PID:4924
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe .2⤵PID:3772
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\avghysezqnacfinbnlg.exe*."3⤵PID:5612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe1⤵PID:2308
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe2⤵PID:2432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe .1⤵PID:4844
-
C:\Windows\zrzxlcldrlvuuuwh.exezrzxlcldrlvuuuwh.exe .2⤵PID:4064
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\zrzxlcldrlvuuuwh.exe*."3⤵PID:5760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe1⤵PID:2616
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe2⤵PID:3596
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .1⤵PID:5364
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .2⤵PID:1696
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\njvxpkxtljxaeiodqplx.exe*."3⤵PID:5972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe1⤵PID:3852
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6096
-
-
C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe2⤵PID:3752
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe .1⤵PID:2836
-
C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exeC:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe .2⤵PID:5068
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\czmpiespihwafkrhvvsfi.exe*."3⤵PID:5620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe1⤵PID:3788
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe2⤵PID:4228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe1⤵PID:3372
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe2⤵PID:1340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe .1⤵PID:2320
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe .2⤵PID:5024
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\pjttjcnhxtfgikobmj.exe*."3⤵PID:5084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe .1⤵PID:1120
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe .2⤵PID:3464
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\pjttjcnhxtfgikobmj.exe*."3⤵PID:4832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe1⤵PID:5556
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe2⤵PID:4224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe1⤵PID:1372
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe2⤵PID:2752
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe1⤵PID:5668
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe2⤵PID:3648
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe .1⤵PID:1400
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5904
-
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe .2⤵PID:1080
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\njvxpkxtljxaeiodqplx.exe*."3⤵PID:1788
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe .1⤵PID:5572
-
C:\Windows\njvxpkxtljxaeiodqplx.exenjvxpkxtljxaeiodqplx.exe .2⤵PID:428
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\njvxpkxtljxaeiodqplx.exe*."3⤵PID:2720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe .1⤵PID:720
-
C:\Windows\czmpiespihwafkrhvvsfi.execzmpiespihwafkrhvvsfi.exe .2⤵PID:5336
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\czmpiespihwafkrhvvsfi.exe*."3⤵PID:4820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe1⤵PID:952
-
C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe2⤵PID:4568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe1⤵PID:4404
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5248
-
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe2⤵PID:2392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe .1⤵PID:1644
-
C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exeC:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe .2⤵PID:5128
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\czmpiespihwafkrhvvsfi.exe*."3⤵PID:2000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .1⤵PID:2484
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .2⤵PID:3040
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\njvxpkxtljxaeiodqplx.exe*."3⤵PID:1100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe1⤵PID:3564
-
C:\Windows\czmpiespihwafkrhvvsfi.execzmpiespihwafkrhvvsfi.exe2⤵PID:5760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe .1⤵PID:5576
-
C:\Windows\czmpiespihwafkrhvvsfi.execzmpiespihwafkrhvvsfi.exe .2⤵PID:5268
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\czmpiespihwafkrhvvsfi.exe*."3⤵PID:2924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe1⤵PID:5372
-
C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exeC:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe2⤵PID:3668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe1⤵PID:2724
-
C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exeC:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe2⤵PID:5416
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe1⤵PID:3868
-
C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exeC:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe2⤵PID:3968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe .1⤵PID:4976
-
C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exeC:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe .2⤵PID:2316
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\czmpiespihwafkrhvvsfi.exe*."3⤵PID:3840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .1⤵PID:2464
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .2⤵PID:5672
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\pjttjcnhxtfgikobmj.exe*."3⤵PID:5732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .1⤵PID:5020
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2500
-
-
C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exeC:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .2⤵PID:5256
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\gzihwoyrgbmmnordn.exe*."3⤵PID:5992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe1⤵PID:5276
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe2⤵PID:2468
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .1⤵PID:2252
-
C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exeC:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .2⤵PID:3156
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\pjttjcnhxtfgikobmj.exe*."3⤵PID:4264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe1⤵PID:1020
-
C:\Windows\avghysezqnacfinbnlg.exeavghysezqnacfinbnlg.exe2⤵PID:5800
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe .1⤵PID:5452
-
C:\Windows\pjttjcnhxtfgikobmj.exepjttjcnhxtfgikobmj.exe .2⤵PID:1540
-
C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe"C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\pjttjcnhxtfgikobmj.exe*."3⤵PID:3036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe1⤵PID:5612
-
  - C:\Windows\zrzxlcldrlvuuuwh.exe  (cmdline: zrzxlcldrlvuuuwh.exe)  PID 1656
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe .)  PID 2308
  - C:\Windows\gzihwoyrgbmmnordn.exe  (cmdline: gzihwoyrgbmmnordn.exe .)  PID 2312
    - C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*.")  PID 5548
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe)  PID 3596
  - C:\Windows\System32\Conhost.exe  (cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)  PID 2968
  - C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe)  PID 5116
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .)  PID 3712
  - C:\Windows\System32\Conhost.exe  (cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)  PID 2820
  - C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .)  PID 4972
    - C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\zrzxlcldrlvuuuwh.exe*.")  PID 3836
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe)  PID 2244
  - C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe)  PID 1172
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .)  PID 5884
  - C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe .)  PID 1612
    - C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\avghysezqnacfinbnlg.exe*.")  PID 1344
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe)  PID 2972
  - C:\Windows\czmpiespihwafkrhvvsfi.exe  (cmdline: czmpiespihwafkrhvvsfi.exe)  PID 3788
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe .)  PID 904
  - C:\Windows\zrzxlcldrlvuuuwh.exe  (cmdline: zrzxlcldrlvuuuwh.exe .)  PID 3372
    - C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\zrzxlcldrlvuuuwh.exe*.")  PID 4904
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe)  PID 3888
  - C:\Windows\pjttjcnhxtfgikobmj.exe  (cmdline: pjttjcnhxtfgikobmj.exe)  PID 5308
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe .)  PID 5084
  - C:\Windows\pjttjcnhxtfgikobmj.exe  (cmdline: pjttjcnhxtfgikobmj.exe .)  PID 4224
    - C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\pjttjcnhxtfgikobmj.exe*.")  PID 2256
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe)  PID 3468
  - C:\Windows\System32\Conhost.exe  (cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)  PID 5916
  - C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe)  PID 5404
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .)  PID 4620
  - C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .)  PID 5556
    - C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\pjttjcnhxtfgikobmj.exe*.")  PID 5140
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe)  PID 2064
  - C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe)  PID 5764
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .)  PID 5836
  - C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .)  PID 5624
    - C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\njvxpkxtljxaeiodqplx.exe*.")  PID 780
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe)  PID 6060
  - C:\Windows\System32\Conhost.exe  (cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)  PID 2876
  - C:\Windows\avghysezqnacfinbnlg.exe  (cmdline: avghysezqnacfinbnlg.exe)  PID 1632
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe .)  PID 768
  - C:\Windows\czmpiespihwafkrhvvsfi.exe  (cmdline: czmpiespihwafkrhvvsfi.exe .)  PID 2100
    - C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\czmpiespihwafkrhvvsfi.exe*.")  PID 5596
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe)  PID 2612
  - C:\Windows\avghysezqnacfinbnlg.exe  (cmdline: avghysezqnacfinbnlg.exe)  PID 4480
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe .)  PID 3400
  - C:\Windows\njvxpkxtljxaeiodqplx.exe  (cmdline: njvxpkxtljxaeiodqplx.exe .)  PID 5096
    - C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\njvxpkxtljxaeiodqplx.exe*.")  PID 2036
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe)  PID 1592
  - C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe)  PID 3600
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .)  PID 5304
  - C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .)  PID 4728
    - C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\gzihwoyrgbmmnordn.exe*.")  PID 3572
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe)  PID 5428
  - C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\avghysezqnacfinbnlg.exe)  PID 4900
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .)  PID 5768
  - C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .)  PID 6056
    - C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\zrzxlcldrlvuuuwh.exe*.")  PID 5672
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe)  PID 3840
  - C:\Windows\czmpiespihwafkrhvvsfi.exe  (cmdline: czmpiespihwafkrhvvsfi.exe)  PID 1652
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe .)  PID 2084
  - C:\Windows\njvxpkxtljxaeiodqplx.exe  (cmdline: njvxpkxtljxaeiodqplx.exe .)  PID 3476
    - C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\njvxpkxtljxaeiodqplx.exe*.")  PID 5508
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe)  PID 1688
  - C:\Windows\pjttjcnhxtfgikobmj.exe  (cmdline: pjttjcnhxtfgikobmj.exe)  PID 2248
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe .)  PID 2252
  - C:\Windows\pjttjcnhxtfgikobmj.exe  (cmdline: pjttjcnhxtfgikobmj.exe .)  PID 4852
    - C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\pjttjcnhxtfgikobmj.exe*.")  PID 5804
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe)  PID 5028
  - C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe)  PID 5060
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .)  PID 3168
  - C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe .)  PID 5192
    - C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\zrzxlcldrlvuuuwh.exe*.")  PID 4356
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe)  PID 380
  - C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe)  PID 1376
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .)  PID 3084
  - C:\Windows\System32\Conhost.exe  (cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)  PID 1168
  - C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .)  PID 5644
    - C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\gzihwoyrgbmmnordn.exe*.")  PID 3232
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe)  PID 4076
  - C:\Windows\avghysezqnacfinbnlg.exe  (cmdline: avghysezqnacfinbnlg.exe)  PID 3596
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe .)  PID 4844
  - C:\Windows\avghysezqnacfinbnlg.exe  (cmdline: avghysezqnacfinbnlg.exe .)  PID 5548
    - C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\avghysezqnacfinbnlg.exe*.")  PID 5408
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe)  PID 1748
  - C:\Windows\gzihwoyrgbmmnordn.exe  (cmdline: gzihwoyrgbmmnordn.exe)  PID 1672
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c zrzxlcldrlvuuuwh.exe .)  PID 5856
  - C:\Windows\zrzxlcldrlvuuuwh.exe  (cmdline: zrzxlcldrlvuuuwh.exe .)  PID 2244
    - C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\zrzxlcldrlvuuuwh.exe*.")  PID 3148
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe)  PID 4792
  - C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\zrzxlcldrlvuuuwh.exe)  PID 4276
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe .)  PID 4088
  - C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe .)  PID 3884
    - C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\czmpiespihwafkrhvvsfi.exe*.")  PID 1188
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe)  PID 5076
  - C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe)  PID 5100
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .)  PID 4988
  - C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\gzihwoyrgbmmnordn.exe .)  PID 4740
    - C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\gzihwoyrgbmmnordn.exe*.")  PID 976
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe)  PID 5564
  - C:\Windows\czmpiespihwafkrhvvsfi.exe  (cmdline: czmpiespihwafkrhvvsfi.exe)  PID 1552
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe .)  PID 1120
  - C:\Windows\gzihwoyrgbmmnordn.exe  (cmdline: gzihwoyrgbmmnordn.exe .)  PID 5228
    - C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*.")  PID 5556
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c pjttjcnhxtfgikobmj.exe)  PID 6028
  - C:\Windows\pjttjcnhxtfgikobmj.exe  (cmdline: pjttjcnhxtfgikobmj.exe)  PID 2040
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c gzihwoyrgbmmnordn.exe .)  PID 2088
  - C:\Windows\gzihwoyrgbmmnordn.exe  (cmdline: gzihwoyrgbmmnordn.exe .)  PID 3724
    - C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\windows\gzihwoyrgbmmnordn.exe*.")  PID 5624
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe)  PID 760
  - C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\czmpiespihwafkrhvvsfi.exe)  PID 1004
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .)  PID 4568
  - C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe .)  PID 1032
    - C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\pjttjcnhxtfgikobmj.exe*.")  PID 952
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe)  PID 5036
  - C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\pjttjcnhxtfgikobmj.exe)  PID 5744
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .)  PID 3912
  - C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\njvxpkxtljxaeiodqplx.exe .)  PID 2636
    - C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\sxrmhekochb.exe" "c:\users\admin\appdata\local\temp\njvxpkxtljxaeiodqplx.exe*.")  PID 1420
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe)  PID 1912
  - C:\Windows\avghysezqnacfinbnlg.exe  (cmdline: avghysezqnacfinbnlg.exe)  PID 552
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c czmpiespihwafkrhvvsfi.exe)  PID 1180
  - C:\Windows\czmpiespihwafkrhvvsfi.exe  (cmdline: czmpiespihwafkrhvvsfi.exe)  PID 4888
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c avghysezqnacfinbnlg.exe .)  PID 3600
  - C:\Windows\System32\Conhost.exe  (cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)  PID 5088
  - C:\Windows\avghysezqnacfinbnlg.exe  (cmdline: avghysezqnacfinbnlg.exe .)  PID 5096
- C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c njvxpkxtljxaeiodqplx.exe .)  PID 4940
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads