d819e4837bee95362e33e65cf4723c28cf7d51c69ff506c4a1b873473ada9023

Analysis

max time kernel
24s
max time network
26s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06/09/2024, 15:18

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

おばけ.exe
Size

4.4MB
MD5

5a714f6f7296fd34436b5b524d34d7e5
SHA1

cff1ef4661191d86d7ff52bdaca196c0f8c27f7d
SHA256

d819e4837bee95362e33e65cf4723c28cf7d51c69ff506c4a1b873473ada9023
SHA512

46307df12ab08e7c244e7760d895155257d6f065e2f62afc1afd7b4bd4a666bbdb1f5a82152c540fcf902315513e14859c576b382c760d6fb2babe40dd6284ce
SSDEEP

49152:NOw3th9Yp3O7mXa7bpltN/kwbeHWth9Yp3O7mXa7bpltN:N1pYp3Gmq7AHGYp3Gmq7

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe"	おばけ.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	おばけ.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	おばけ.exe

Disables Task Manager via registry modification
evasion

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	おばけ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	おばけ.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	おばけ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1"	おばけ.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Microsoft\\User Account Pictures\\background.jpg"	おばけ.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\cewhj198naw.txt	おばけ.exe
File created	C:\Windows\おばけ.exe	おばけ.exe
File opened for modification	C:\Windows\おばけ.exe	おばけ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Control Panel\Desktop\AutoColorization = "1"	おばけ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Control Panel\Mouse\SwapMouseButtons = "1"	おばけ.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "200"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\ProgramData\\Microsoft\\User Account Pictures\\kill.ico"	おばけ.exe

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2308	おばけ.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	おばけ.exe
Token: SeIncreaseQuotaPrivilege	2444	WMIC.exe
Token: SeSecurityPrivilege	2444	WMIC.exe
Token: SeTakeOwnershipPrivilege	2444	WMIC.exe
Token: SeLoadDriverPrivilege	2444	WMIC.exe
Token: SeSystemProfilePrivilege	2444	WMIC.exe
Token: SeSystemtimePrivilege	2444	WMIC.exe
Token: SeProfSingleProcessPrivilege	2444	WMIC.exe
Token: SeIncBasePriorityPrivilege	2444	WMIC.exe
Token: SeCreatePagefilePrivilege	2444	WMIC.exe
Token: SeBackupPrivilege	2444	WMIC.exe
Token: SeRestorePrivilege	2444	WMIC.exe
Token: SeShutdownPrivilege	2444	WMIC.exe
Token: SeDebugPrivilege	2444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2444	WMIC.exe
Token: SeRemoteShutdownPrivilege	2444	WMIC.exe
Token: SeUndockPrivilege	2444	WMIC.exe
Token: SeManageVolumePrivilege	2444	WMIC.exe
Token: 33	2444	WMIC.exe
Token: 34	2444	WMIC.exe
Token: 35	2444	WMIC.exe
Token: 36	2444	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2444	WMIC.exe
Token: SeSecurityPrivilege	2444	WMIC.exe
Token: SeTakeOwnershipPrivilege	2444	WMIC.exe
Token: SeLoadDriverPrivilege	2444	WMIC.exe
Token: SeSystemProfilePrivilege	2444	WMIC.exe
Token: SeSystemtimePrivilege	2444	WMIC.exe
Token: SeProfSingleProcessPrivilege	2444	WMIC.exe
Token: SeIncBasePriorityPrivilege	2444	WMIC.exe
Token: SeCreatePagefilePrivilege	2444	WMIC.exe
Token: SeBackupPrivilege	2444	WMIC.exe
Token: SeRestorePrivilege	2444	WMIC.exe
Token: SeShutdownPrivilege	2444	WMIC.exe
Token: SeDebugPrivilege	2444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2444	WMIC.exe
Token: SeRemoteShutdownPrivilege	2444	WMIC.exe
Token: SeUndockPrivilege	2444	WMIC.exe
Token: SeManageVolumePrivilege	2444	WMIC.exe
Token: 33	2444	WMIC.exe
Token: 34	2444	WMIC.exe
Token: 35	2444	WMIC.exe
Token: 36	2444	WMIC.exe
Token: SeShutdownPrivilege	1804	shutdown.exe
Token: SeRemoteShutdownPrivilege	1804	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2460	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 4144	2308	おばけ.exe	81
PID 2308 wrote to memory of 4144	2308	おばけ.exe	81
PID 2308 wrote to memory of 1380	2308	おばけ.exe	83
PID 2308 wrote to memory of 1380	2308	おばけ.exe	83
PID 2308 wrote to memory of 1900	2308	おばけ.exe	85
PID 2308 wrote to memory of 1900	2308	おばけ.exe	85
PID 4144 wrote to memory of 2444	4144	cmd.exe	183
PID 4144 wrote to memory of 2444	4144	cmd.exe	183
PID 1380 wrote to memory of 1288	1380	cmd.exe	237
PID 1380 wrote to memory of 1288	1380	cmd.exe	237
PID 2308 wrote to memory of 2092	2308	おばけ.exe	89
PID 2308 wrote to memory of 2092	2308	おばけ.exe	89
PID 1288 wrote to memory of 2532	1288	net.exe	161
PID 1288 wrote to memory of 2532	1288	net.exe	161
PID 2308 wrote to memory of 3440	2308	おばけ.exe	92
PID 2308 wrote to memory of 3440	2308	おばけ.exe	92
PID 1900 wrote to memory of 4292	1900	cmd.exe	95
PID 1900 wrote to memory of 4292	1900	cmd.exe	95
PID 4292 wrote to memory of 1092	4292	net.exe	96
PID 4292 wrote to memory of 1092	4292	net.exe	96
PID 2092 wrote to memory of 4252	2092	cmd.exe	382
PID 2092 wrote to memory of 4252	2092	cmd.exe	382
PID 4252 wrote to memory of 2452	4252	net.exe	381
PID 4252 wrote to memory of 2452	4252	net.exe	381
PID 2308 wrote to memory of 3728	2308	おばけ.exe	99
PID 2308 wrote to memory of 3728	2308	おばけ.exe	99
PID 2308 wrote to memory of 1908	2308	おばけ.exe	101
PID 2308 wrote to memory of 1908	2308	おばけ.exe	101
PID 3440 wrote to memory of 4224	3440	cmd.exe	303
PID 3440 wrote to memory of 4224	3440	cmd.exe	303
PID 4224 wrote to memory of 1076	4224	net.exe	460
PID 4224 wrote to memory of 1076	4224	net.exe	460
PID 2308 wrote to memory of 1688	2308	おばけ.exe	105
PID 2308 wrote to memory of 1688	2308	おばけ.exe	105
PID 3728 wrote to memory of 1148	3728	cmd.exe	477
PID 3728 wrote to memory of 1148	3728	cmd.exe	477
PID 1148 wrote to memory of 3088	1148	net.exe	173
PID 1148 wrote to memory of 3088	1148	net.exe	173
PID 2308 wrote to memory of 4148	2308	おばけ.exe	109
PID 2308 wrote to memory of 4148	2308	おばけ.exe	109
PID 1908 wrote to memory of 3300	1908	cmd.exe	435
PID 1908 wrote to memory of 3300	1908	cmd.exe	435
PID 3300 wrote to memory of 724	3300	net.exe	355
PID 3300 wrote to memory of 724	3300	net.exe	355
PID 1688 wrote to memory of 4548	1688	cmd.exe	357
PID 1688 wrote to memory of 4548	1688	cmd.exe	357
PID 4548 wrote to memory of 1012	4548	net.exe	179
PID 4548 wrote to memory of 1012	4548	net.exe	179
PID 2308 wrote to memory of 780	2308	おばけ.exe	115
PID 2308 wrote to memory of 780	2308	おばけ.exe	115
PID 4148 wrote to memory of 4860	4148	cmd.exe	404
PID 4148 wrote to memory of 4860	4148	cmd.exe	404
PID 2308 wrote to memory of 2800	2308	おばけ.exe	118
PID 2308 wrote to memory of 2800	2308	おばけ.exe	118
PID 4860 wrote to memory of 4932	4860	net.exe	307
PID 4860 wrote to memory of 4932	4860	net.exe	307
PID 2308 wrote to memory of 3052	2308	おばけ.exe	121
PID 2308 wrote to memory of 3052	2308	おばけ.exe	121
PID 780 wrote to memory of 1888	780	cmd.exe	123
PID 780 wrote to memory of 1888	780	cmd.exe	123
PID 1888 wrote to memory of 1028	1888	net.exe	367
PID 1888 wrote to memory of 1028	1888	net.exe	367
PID 2308 wrote to memory of 1020	2308	おばけ.exe	125
PID 2308 wrote to memory of 1020	2308	おばけ.exe	125

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	おばけ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1"	おばけ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	おばけ.exe

C:\Users\Admin\AppData\Local\Temp\おばけ.exe
"C:\Users\Admin\AppData\Local\Temp\おばけ.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Checks whether UAC is enabled
- Modifies WinLogon
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k wmic useraccount where name='%username%' rename おばけ && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic useraccount where name='Admin' rename おばけ
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user よけりわゅょしおでおくゅやでよけりわゅょしおでおくゅやで /add && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\system32\net.exe
    net user よけりわゅょしおでおくゅやでよけりわゅょしおでおくゅやで /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user よけりわゅょしおでおくゅやでよけりわゅょしおでおくゅやで /add
      4⤵
      PID:2532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ほだわゅなょもべりふぐくぼよほだわゅなょもべりふぐくぼよ /add && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\system32\net.exe
    net user ほだわゅなょもべりふぐくぼよほだわゅなょもべりふぐくぼよ /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ほだわゅなょもべりふぐくぼよほだわゅなょもべりふぐくぼよ /add
      4⤵
      PID:1092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user むきづぺばこょゃこねよけへまむきづぺばこょゃこねよけへま /add && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\system32\net.exe
    net user むきづぺばこょゃこねよけへまむきづぺばこょゃこねよけへま /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user むきづぺばこょゃこねよけへまむきづぺばこょゃこねよけへま /add
      4⤵
      PID:2452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user づのょだぶせもやょゆぢぼづるづのょだぶせもやょゆぢぼづる /add && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Windows\system32\net.exe
    net user づのょだぶせもやょゆぢぼづるづのょだぶせもやょゆぢぼづる /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user づのょだぶせもやょゆぢぼづるづのょだぶせもやょゆぢぼづる /add
      4⤵
      PID:1076
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user けわそゅびみせがじねはきにぼけわそゅびみせがじねはきにぼ /add && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Windows\system32\net.exe
    net user けわそゅびみせがじねはきにぼけわそゅびみせがじねはきにぼ /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user けわそゅびみせがじねはきにぼけわそゅびみせがじねはきにぼ /add
      4⤵
      PID:3088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ょゅてのけゆやくむんぱはじわょゅてのけゆやくむんぱはじわ /add && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\system32\net.exe
    net user ょゅてのけゆやくむんぱはじわょゅてのけゆやくむんぱはじわ /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ょゅてのけゆやくむんぱはじわょゅてのけゆやくむんぱはじわ /add
      4⤵
      PID:724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ょれめきゃだおたうろぞちたゆょれめきゃだおたうろぞちたゆ /add && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\system32\net.exe
    net user ょれめきゃだおたうろぞちたゆょれめきゃだおたうろぞちたゆ /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ょれめきゃだおたうろぞちたゆょれめきゃだおたうろぞちたゆ /add
      4⤵
      PID:1012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ぎにてさくぶえゃょゃてゅんゅぎにてさくぶえゃょゃてゅんゅ /add && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\system32\net.exe
    net user ぎにてさくぶえゃょゃてゅんゅぎにてさくぶえゃょゃてゅんゅ /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4860
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ぎにてさくぶえゃょゃてゅんゅぎにてさくぶえゃょゃてゅんゅ /add
      4⤵
      PID:4932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user りぷぬずごぷはめばけでおゅでりぷぬずごぷはめばけでおゅで /add && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\system32\net.exe
    net user りぷぬずごぷはめばけでおゅでりぷぬずごぷはめばけでおゅで /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user りぷぬずごぷはめばけでおゅでりぷぬずごぷはめばけでおゅで /add
      4⤵
      PID:1028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user そぢょとゃゅながふゃきゃらてそぢょとゃゅながふゃきゃらて /add && exit
  2⤵
  PID:2800
- - C:\Windows\system32\net.exe
    net user そぢょとゃゅながふゃきゃらてそぢょとゃゅながふゃきゃらて /add
    3⤵
    PID:4400
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user そぢょとゃゅながふゃきゃらてそぢょとゃゅながふゃきゃらて /add
      4⤵
      PID:1792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ずょけろゃおばだゅどょもいわずょけろゃおばだゅどょもいわ /add && exit
  2⤵
  PID:3052
- - C:\Windows\system32\net.exe
    net user ずょけろゃおばだゅどょもいわずょけろゃおばだゅどょもいわ /add
    3⤵
    PID:1508
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ずょけろゃおばだゅどょもいわずょけろゃおばだゅどょもいわ /add
      4⤵
      PID:2840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user はちをはちいみばゃれみむいけはちをはちいみばゃれみむいけ /add && exit
  2⤵
  PID:1020
- - C:\Windows\system32\net.exe
    net user はちをはちいみばゃれみむいけはちをはちいみばゃれみむいけ /add
    3⤵
    PID:2624
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user はちをはちいみばゃれみむいけはちをはちいみばゃれみむいけ /add
      4⤵
      PID:896
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ょゅまへらけよなゃょゃうみじょゅまへらけよなゃょゃうみじ /add && exit
  2⤵
  PID:1684
- - C:\Windows\system32\net.exe
    net user ょゅまへらけよなゃょゃうみじょゅまへらけよなゃょゃうみじ /add
    3⤵
    PID:1500
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ょゅまへらけよなゃょゃうみじょゅまへらけよなゃょゃうみじ /add
      4⤵
      PID:4084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ょをんさたふけへるぺょょゃがょをんさたふけへるぺょょゃが /add && exit
  2⤵
  PID:4512
- - C:\Windows\system32\net.exe
    net user ょをんさたふけへるぺょょゃがょをんさたふけへるぺょょゃが /add
    3⤵
    PID:1460
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ょをんさたふけへるぺょょゃがょをんさたふけへるぺょょゃが /add
      4⤵
      PID:3080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ぞょゅゃでのむめゆごるゅゃしぞょゅゃでのむめゆごるゅゃし /add && exit
  2⤵
  PID:2088
- - C:\Windows\system32\net.exe
    net user ぞょゅゃでのむめゆごるゅゃしぞょゅゃでのむめゆごるゅゃし /add
    3⤵
    PID:4996
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ぞょゅゃでのむめゆごるゅゃしぞょゅゃでのむめゆごるゅゃし /add
      4⤵
      PID:2488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user しびぱおゅみらゅてょえどはだしびぱおゅみらゅてょえどはだ /add && exit
  2⤵
  PID:4740
- - C:\Windows\system32\net.exe
    net user しびぱおゅみらゅてょえどはだしびぱおゅみらゅてょえどはだ /add
    3⤵
    PID:4108
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user しびぱおゅみらゅてょえどはだしびぱおゅみらゅてょえどはだ /add
      4⤵
      PID:4532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user まゃもぢゃるふがうふゃょぞぷまゃもぢゃるふがうふゃょぞぷ /add && exit
  2⤵
  PID:3104
- - C:\Windows\system32\net.exe
    net user まゃもぢゃるふがうふゃょぞぷまゃもぢゃるふがうふゃょぞぷ /add
    3⤵
    PID:4596
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user まゃもぢゃるふがうふゃょぞぷまゃもぢゃるふがうふゃょぞぷ /add
      4⤵
      PID:2900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ゅざとどおぎめかょでげげゃそゅざとどおぎめかょでげげゃそ /add && exit
  2⤵
  PID:2924
- - C:\Windows\system32\net.exe
    net user ゅざとどおぎめかょでげげゃそゅざとどおぎめかょでげげゃそ /add
    3⤵
    PID:2532
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ゅざとどおぎめかょでげげゃそゅざとどおぎめかょでげげゃそ /add
      4⤵
      PID:4216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user れまかべはぜりばべょすとてでれまかべはぜりばべょすとてで /add && exit
  2⤵
  PID:652
- - C:\Windows\system32\net.exe
    net user れまかべはぜりばべょすとてでれまかべはぜりばべょすとてで /add
    3⤵
    PID:1924
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user れまかべはぜりばべょすとてでれまかべはぜりばべょすとてで /add
      4⤵
      PID:3852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user どるぽひはぶへつぐゆおりぐゃどるぽひはぶへつぐゆおりぐゃ /add && exit
  2⤵
  PID:4100
- - C:\Windows\system32\net.exe
    net user どるぽひはぶへつぐゆおりぐゃどるぽひはぶへつぐゆおりぐゃ /add
    3⤵
    PID:2920
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user どるぽひはぶへつぐゆおりぐゃどるぽひはぶへつぐゆおりぐゃ /add
      4⤵
      PID:1464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ちとだほぎゃもゃほぷづこょてちとだほぎゃもゃほぷづこょて /add && exit
  2⤵
  PID:2760
- - C:\Windows\system32\net.exe
    net user ちとだほぎゃもゃほぷづこょてちとだほぎゃもゃほぷづこょて /add
    3⤵
    PID:2456
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ちとだほぎゃもゃほぷづこょてちとだほぎゃもゃほぷづこょて /add
      4⤵
      PID:32
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ぽけれむぷゅりめしえにゃしびぽけれむぷゅりめしえにゃしび /add && exit
  2⤵
  PID:1140
- - C:\Windows\system32\net.exe
    net user ぽけれむぷゅりめしえにゃしびぽけれむぷゅりめしえにゃしび /add
    3⤵
    PID:3088
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ぽけれむぷゅりめしえにゃしびぽけれむぷゅりめしえにゃしび /add
      4⤵
      PID:2272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ょぎぢそんけいれょけさぺゅぞょぎぢそんけいれょけさぺゅぞ /add && exit
  2⤵
  PID:660
- - C:\Windows\system32\net.exe
    net user ょぎぢそんけいれょけさぺゅぞょぎぢそんけいれょけさぺゅぞ /add
    3⤵
    PID:1644
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ょぎぢそんけいれょけさぺゅぞょぎぢそんけいれょけさぺゅぞ /add
      4⤵
      PID:1012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user まふろてぴきくけばみゅりかいまふろてぴきくけばみゅりかい /add && exit
  2⤵
  PID:4344
- - C:\Windows\system32\net.exe
    net user まふろてぴきくけばみゅりかいまふろてぴきくけばみゅりかい /add
    3⤵
    PID:792
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user まふろてぴきくけばみゅりかいまふろてぴきくけばみゅりかい /add
      4⤵
      PID:4052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ゅきへにょそせだわべやこやがゅきへにょそせだわべやこやが /add && exit
  2⤵
  PID:952
- - C:\Windows\system32\net.exe
    net user ゅきへにょそせだわべやこやがゅきへにょそせだわべやこやが /add
    3⤵
    PID:1516
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ゅきへにょそせだわべやこやがゅきへにょそせだわべやこやが /add
      4⤵
      PID:4648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user るゅせのすにてたのばけょぼゅるゅせのすにてたのばけょぼゅ /add && exit
  2⤵
  PID:2444
- - C:\Windows\system32\net.exe
    net user るゅせのすにてたのばけょぼゅるゅせのすにてたのばけょぼゅ /add
    3⤵
    PID:4936
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user るゅせのすにてたのばけょぼゅるゅせのすにてたのばけょぼゅ /add
      4⤵
      PID:232
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user でゅょゅすまけぺけれゅばばかでゅょゅすまけぺけれゅばばか /add && exit
  2⤵
  PID:4792
- - C:\Windows\system32\net.exe
    net user でゅょゅすまけぺけれゅばばかでゅょゅすまけぺけれゅばばか /add
    3⤵
    PID:2912
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user でゅょゅすまけぺけれゅばばかでゅょゅすまけぺけれゅばばか /add
      4⤵
      PID:988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user むめつぷぞひれゃおにりおばぷむめつぷぞひれゃおにりおばぷ /add && exit
  2⤵
  PID:2944
- - C:\Windows\system32\net.exe
    net user むめつぷぞひれゃおにりおばぷむめつぷぞひれゃおにりおばぷ /add
    3⤵
    PID:4456
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user むめつぷぞひれゃおにりおばぷむめつぷぞひれゃおにりおばぷ /add
      4⤵
      PID:4400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user やょむごめがえょゅつへゃでばやょむごめがえょゅつへゃでば /add && exit
  2⤵
  PID:3484
- - C:\Windows\system32\net.exe
    net user やょむごめがえょゅつへゃでばやょむごめがえょゅつへゃでば /add
    3⤵
    PID:1668
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user やょむごめがえょゅつへゃでばやょむごめがえょゅつへゃでば /add
      4⤵
      PID:2520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user くぬぷめゃろゆゅぷばょゅでふくぬぷめゃろゆゅぷばょゅでふ /add && exit
  2⤵
  PID:2436
- - C:\Windows\system32\net.exe
    net user くぬぷめゃろゆゅぷばょゅでふくぬぷめゃろゆゅぷばょゅでふ /add
    3⤵
    PID:2140
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user くぬぷめゃろゆゅぷばょゅでふくぬぷめゃろゆゅぷばょゅでふ /add
      4⤵
      PID:3584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ばうずゆあげれがごまぐぜゃゃばうずゆあげれがごまぐぜゃゃ /add && exit
  2⤵
  PID:4500
- - C:\Windows\system32\net.exe
    net user ばうずゆあげれがごまぐぜゃゃばうずゆあげれがごまぐぜゃゃ /add
    3⤵
    PID:1460
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ばうずゆあげれがごまぐぜゃゃばうずゆあげれがごまぐぜゃゃ /add
      4⤵
      PID:3736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ゅしにけあづみうもょむゃぬゅゅしにけあづみうもょむゃぬゅ /add && exit
  2⤵
  PID:1040
- - C:\Windows\system32\net.exe
    net user ゅしにけあづみうもょむゃぬゅゅしにけあづみうもょむゃぬゅ /add
    3⤵
    PID:2724
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ゅしにけあづみうもょむゃぬゅゅしにけあづみうもょむゃぬゅ /add
      4⤵
      PID:1200
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user よゃきうにぼゆでちくょをじまよゃきうにぼゆでちくょをじま /add && exit
  2⤵
  PID:3944
- - C:\Windows\system32\net.exe
    net user よゃきうにぼゆでちくょをじまよゃきうにぼゆでちくょをじま /add
    3⤵
    PID:3984
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user よゃきうにぼゆでちくょをじまよゃきうにぼゆでちくょをじま /add
      4⤵
      PID:1192
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user だあゅびにゃひたけげゅべょわだあゅびにゃひたけげゅべょわ /add && exit
  2⤵
  PID:4532
- - C:\Windows\system32\net.exe
    net user だあゅびにゃひたけげゅべょわだあゅびにゃひたけげゅべょわ /add
    3⤵
    PID:4280
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user だあゅびにゃひたけげゅべょわだあゅびにゃひたけげゅべょわ /add
      4⤵
      PID:2052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user すゃぢぼろょみゅょょれもたゅすゃぢぼろょみゅょょれもたゅ /add && exit
  2⤵
  PID:2160
- - C:\Windows\system32\net.exe
    net user すゃぢぼろょみゅょょれもたゅすゃぢぼろょみゅょょれもたゅ /add
    3⤵
    PID:2452
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user すゃぢぼろょみゅょょれもたゅすゃぢぼろょみゅょょれもたゅ /add
      4⤵
      PID:4756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user みゅはへろゅなへぶひはぜんいみゅはへろゅなへぶひはぜんい /add && exit
  2⤵
  PID:3692
- - C:\Windows\system32\net.exe
    net user みゅはへろゅなへぶひはぜんいみゅはへろゅなへぶひはぜんい /add
    3⤵
    PID:2832
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user みゅはへろゅなへぶひはぜんいみゅはへろゅなへぶひはぜんい /add
      4⤵
      PID:1464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ざばゅょろいさょぎぷさゃょそざばゅょろいさょぎぷさゃょそ /add && exit
  2⤵
  PID:348
- - C:\Windows\system32\net.exe
    net user ざばゅょろいさょぎぷさゃょそざばゅょろいさょぎぷさゃょそ /add
    3⤵
    PID:1124
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ざばゅょろいさょぎぷさゃょそざばゅょろいさょぎぷさゃょそ /add
      4⤵
      PID:276
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user くょょょぶこたれほえゃをけづくょょょぶこたれほえゃをけづ /add && exit
  2⤵
  PID:4228
- - C:\Windows\system32\net.exe
    net user くょょょぶこたれほえゃをけづくょょょぶこたれほえゃをけづ /add
    3⤵
    PID:1288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user くょょょぶこたれほえゃをけづくょょょぶこたれほえゃをけづ /add
      4⤵
      PID:724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ばぞびおょちにけしやもそりかばぞびおょちにけしやもそりか /add && exit
  2⤵
  PID:2244
- - C:\Windows\system32\net.exe
    net user ばぞびおょちにけしやもそりかばぞびおょちにけしやもそりか /add
    3⤵
    PID:1168
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ばぞびおょちにけしやもそりかばぞびおょちにけしやもそりか /add
      4⤵
      PID:1644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user つやぎあけねふだゅぷばゅぺげつやぎあけねふだゅぷばゅぺげ /add && exit
  2⤵
  PID:2272
- - C:\Windows\system32\net.exe
    net user つやぎあけねふだゅぷばゅぺげつやぎあけねふだゅぷばゅぺげ /add
    3⤵
    PID:420
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user つやぎあけねふだゅぷばゅぺげつやぎあけねふだゅぷばゅぺげ /add
      4⤵
      PID:1568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user よをたどけむちすゃすゃえいばよをたどけむちすゃすゃえいば /add && exit
  2⤵
  PID:3468
- - C:\Windows\system32\net.exe
    net user よをたどけむちすゃすゃえいばよをたどけむちすゃすゃえいば /add
    3⤵
    PID:580
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user よをたどけむちすゃすゃえいばよをたどけむちすゃすゃえいば /add
      4⤵
      PID:3744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user だぜゃねけれかぱづぜべねむゃだぜゃねけれかぱづぜべねむゃ /add && exit
  2⤵
  PID:1144
- - C:\Windows\system32\net.exe
    net user だぜゃねけれかぱづぜべねむゃだぜゃねけれかぱづぜべねむゃ /add
    3⤵
    PID:4920
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user だぜゃねけれかぱづぜべねむゃだぜゃねけれかぱづぜべねむゃ /add
      4⤵
      PID:4232
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user へゃてきざよらゅぜやねにむりへゃてきざよらゅぜやねにむり /add && exit
  2⤵
  PID:4704
- - C:\Windows\system32\net.exe
    net user へゃてきざよらゅぜやねにむりへゃてきざよらゅぜやねにむり /add
    3⤵
    PID:988
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user へゃてきざよらゅぜやねにむりへゃてきざよらゅぜやねにむり /add
      4⤵
      PID:4400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ぎえゅぱざがへへらゃくれびじぎえゅぱざがへへらゃくれびじ /add && exit
  2⤵
  PID:3348
- - C:\Windows\system32\net.exe
    net user ぎえゅぱざがへへらゃくれびじぎえゅぱざがへへらゃくれびじ /add
    3⤵
    PID:4084
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ぎえゅぱざがへへらゃくれびじぎえゅぱざがへへらゃくれびじ /add
      4⤵
      PID:3132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ょぬとゃごべきらきぶょゅはゃょぬとゃごべきらきぶょゅはゃ /add && exit
  2⤵
  PID:1064
- - C:\Windows\system32\net.exe
    net user ょぬとゃごべきらきぶょゅはゃょぬとゃごべきらきぶょゅはゃ /add
    3⤵
    PID:4328
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ょぬとゃごべきらきぶょゅはゃょぬとゃごべきらきぶょゅはゃ /add
      4⤵
      PID:1912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ろいおゃゅゃすおゃばゆざだねろいおゃゅゃすおゃばゆざだね /add && exit
  2⤵
  PID:2988
- - C:\Windows\system32\net.exe
    net user ろいおゃゅゃすおゃばゆざだねろいおゃゅゃすおゃばゆざだね /add
    3⤵
    PID:896
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ろいおゃゅゃすおゃばゆざだねろいおゃゅゃすおゃばゆざだね /add
      4⤵
      PID:2692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user そるるょてぷんうゅょゅげぞゅそるるょてぷんうゅょゅげぞゅ /add && exit
  2⤵
  PID:1504
- - C:\Windows\system32\net.exe
    net user そるるょてぷんうゅょゅげぞゅそるるょてぷんうゅょゅげぞゅ /add
    3⤵
    PID:1500
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user そるるょてぷんうゅょゅげぞゅそるるょてぷんうゅょゅげぞゅ /add
      4⤵
      PID:4108
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user つょぞづゅゅくさざょょれてゃつょぞづゅゅくさざょょれてゃ /add && exit
  2⤵
  PID:3920
- - C:\Windows\system32\net.exe
    net user つょぞづゅゅくさざょょれてゃつょぞづゅゅくさざょょれてゃ /add
    3⤵
    PID:4940
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user つょぞづゅゅくさざょょれてゃつょぞづゅゅくさざょょれてゃ /add
      4⤵
      PID:1624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user こらでおらゅほぺみおはでげづこらでおらゅほぺみおはでげづ /add && exit
  2⤵
  PID:3260
- - C:\Windows\system32\net.exe
    net user こらでおらゅほぺみおはでげづこらでおらゅほぺみおはでげづ /add
    3⤵
    PID:1444
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user こらでおらゅほぺみおはでげづこらでおらゅほぺみおはでげづ /add
      4⤵
      PID:1464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user へぎひべらおてはたるこょょゃへぎひべらおてはたるこょょゃ /add && exit
  2⤵
  PID:2616
- - C:\Windows\system32\net.exe
    net user へぎひべらおてはたるこょょゃへぎひべらおてはたるこょょゃ /add
    3⤵
    PID:4744
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user へぎひべらおてはたるこょょゃへぎひべらおてはたるこょょゃ /add
      4⤵
      PID:2784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ぎぢゃふらすくょけょょあすゃぎぢゃふらすくょけょょあすゃ /add && exit
  2⤵
  PID:4852
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2052
- - C:\Windows\system32\net.exe
    net user ぎぢゃふらすくょけょょあすゃぎぢゃふらすくょけょょあすゃ /add
    3⤵
    PID:2096
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ぎぢゃふらすくょけょょあすゃぎぢゃふらすくょけょょあすゃ /add
      4⤵
      PID:4620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user とおまさょこるょゅびげけすげとおまさょこるょゅびげけすげ /add && exit
  2⤵
  PID:4756
- - C:\Windows\system32\net.exe
    net user とおまさょこるょゅびげけすげとおまさょこるょゅびげけすげ /add
    3⤵
    PID:648
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user とおまさょこるょゅびげけすげとおまさょこるょゅびげけすげ /add
      4⤵
      PID:2172
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user らきばぽゅてまれゃきもてろばらきばぽゅてまれゃきもてろば /add && exit
  2⤵
  PID:2416
- - C:\Windows\system32\net.exe
    net user らきばぽゅてまれゃきもてろばらきばぽゅてまれゃきもてろば /add
    3⤵
    PID:688
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user らきばぽゅてまれゃきもてろばらきばぽゅてまれゃきもてろば /add
      4⤵
      PID:3300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ぢちぶめゅふとおどげてらょゃぢちぶめゅふとおどげてらょゃ /add && exit
  2⤵
  PID:3272
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:276
- - C:\Windows\system32\net.exe
    net user ぢちぶめゅふとおどげてらょゃぢちぶめゅふとおどげてらょゃ /add
    3⤵
    PID:4908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ぢちぶめゅふとおどげてらょゃぢちぶめゅふとおどげてらょゃ /add
      4⤵
      PID:4224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user そゅげゆおもはぜろゅょけかなそゅげゆおもはぜろゅょけかな /add && exit
  2⤵
  PID:3048
- - C:\Windows\system32\net.exe
    net user そゅげゆおもはぜろゅょけかなそゅげゆおもはぜろゅょけかな /add
    3⤵
    PID:4932
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user そゅげゆおもはぜろゅょけかなそゅげゆおもはぜろゅょけかな /add
      4⤵
      PID:4580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ぷょもりひれますのちわょやべぷょもりひれますのちわょやべ /add && exit
  2⤵
  PID:2920
- - C:\Windows\system32\net.exe
    net user ぷょもりひれますのちわょやべぷょもりひれますのちわょやべ /add
    3⤵
    PID:868
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ぷょもりひれますのちわょやべぷょもりひれますのちわょやべ /add
      4⤵
      PID:1672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ゅょういはごなぱけづふばぱゃゅょういはごなぱけづふばぱゃ /add && exit
  2⤵
  PID:1696
- - C:\Windows\system32\net.exe
    net user ゅょういはごなぱけづふばぱゃゅょういはごなぱけづふばぱゃ /add
    3⤵
    PID:1032
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ゅょういはごなぱけづふばぱゃゅょういはごなぱけづふばぱゃ /add
      4⤵
      PID:2560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user わびょかぎぢははょゅょぱばねわびょかぎぢははょゅょぱばね /add && exit
  2⤵
  PID:1920
- - C:\Windows\system32\net.exe
    net user わびょかぎぢははょゅょぱばねわびょかぎぢははょゅょぱばね /add
    3⤵
    PID:4888
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user わびょかぎぢははょゅょぱばねわびょかぎぢははょゅょぱばね /add
      4⤵
      PID:4084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user あれゃけぺべみょぽはざゆほぷあれゃけぺべみょぽはざゆほぷ /add && exit
  2⤵
  PID:1792
- - C:\Windows\system32\net.exe
    net user あれゃけぺべみょぽはざゆほぷあれゃけぺべみょぽはざゆほぷ /add
    3⤵
    PID:1508
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user あれゃけぺべみょぽはざゆほぷあれゃけぺべみょぽはざゆほぷ /add
      4⤵
      PID:2624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ぜにだしゅゅよれざぢたきでそぜにだしゅゅよれざぢたきでそ /add && exit
  2⤵
  PID:3036
- - C:\Windows\system32\net.exe
    net user ぜにだしゅゅよれざぢたきでそぜにだしゅゅよれざぢたきでそ /add
    3⤵
    PID:1036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ぜにだしゅゅよれざぢたきでそぜにだしゅゅよれざぢたきでそ /add
      4⤵
      PID:1500
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ょまのゃゅゃひおやうけひゅひょまのゃゅゃひおやうけひゅひ /add && exit
  2⤵
  PID:908
- - C:\Windows\system32\net.exe
    net user ょまのゃゅゃひおやうけひゅひょまのゃゅゃひおやうけひゅひ /add
    3⤵
    PID:3704
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ょまのゃゅゃひおやうけひゅひょまのゃゅゃひおやうけひゅひ /add
      4⤵
      PID:4540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ゃりゃもゃゃたざとをゅがぬりゃりゃもゃゃたざとをゅがぬり /add && exit
  2⤵
  PID:4668
- - C:\Windows\system32\net.exe
    net user ゃりゃもゃゃたざとをゅがぬりゃりゃもゃゃたざとをゅがぬり /add
    3⤵
    PID:4236
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ゃりゃもゃゃたざとをゅがぬりゃりゃもゃゃたざとをゅがぬり /add
      4⤵
      PID:2452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ぼゃふつやゃぐだたのるをぬおぼゃふつやゃぐだたのるをぬお /add && exit
  2⤵
  PID:1624
- - C:\Windows\system32\net.exe
    net user ぼゃふつやゃぐだたのるをぬおぼゃふつやゃぐだたのるをぬお /add
    3⤵
    PID:2280
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ぼゃふつやゃぐだたのるをぬおぼゃふつやゃぐだたのるをぬお /add
      4⤵
      PID:3852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ぷへろけすくさべゃにほやゃばぷへろけすくさべゃにほやゃば /add && exit
  2⤵
  PID:3808
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4744
- - C:\Windows\system32\net.exe
    net user ぷへろけすくさべゃにほやゃばぷへろけすくさべゃにほやゃば /add
    3⤵
    PID:1568
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ぷへろけすくさべゃにほやゃばぷへろけすくさべゃにほやゃば /add
      4⤵
      PID:620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user のけへうもたちねぼずゅかたろのけへうもたちねぼずゅかたろ /add && exit
  2⤵
  PID:800
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3984
- - C:\Windows\system32\net.exe
    net user のけへうもたちねぼずゅかたろのけへうもたちねぼずゅかたろ /add
    3⤵
    PID:1416
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user のけへうもたちねぼずゅかたろのけへうもたちねぼずゅかたろ /add
      4⤵
      PID:2232
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ょがべゅゅしげへばもげおたけょがべゅゅしげへばもげおたけ /add && exit
  2⤵
  PID:2096
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2172
- - C:\Windows\system32\net.exe
    net user ょがべゅゅしげへばもげおたけょがべゅゅしげへばもげおたけ /add
    3⤵
    PID:580
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ょがべゅゅしげへばもげおたけょがべゅゅしげへばもげおたけ /add
      4⤵
      PID:1412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user たぞみがゃならょんょめねがなたぞみがゃならょんょめねがな /add && exit
  2⤵
  PID:4948
- - C:\Windows\system32\net.exe
    net user たぞみがゃならょんょめねがなたぞみがゃならょんょめねがな /add
    3⤵
    PID:3840
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user たぞみがゃならょんょめねがなたぞみがゃならょんょめねがな /add
      4⤵
      PID:1880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user やぼけこゃほふらへなつわょめやぼけこゃほふらへなつわょめ /add && exit
  2⤵
  PID:4076
- - C:\Windows\system32\net.exe
    net user やぼけこゃほふらへなつわょめやぼけこゃほふらへなつわょめ /add
    3⤵
    PID:4548
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user やぼけこゃほふらへなつわょめやぼけこゃほふらへなつわょめ /add
      4⤵
      PID:1644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ゃをゃすいゆめおさずゅせけゃゃをゃすいゆめおさずゅせけゃ /add && exit
  2⤵
  PID:724
- - C:\Windows\system32\net.exe
    net user ゃをゃすいゆめおさずゅせけゃゃをゃすいゆめおさずゅせけゃ /add
    3⤵
    PID:4536
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ゃをゃすいゆめおさずゅせけゃゃをゃすいゆめおさずゅせけゃ /add
      4⤵
      PID:792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user んのぷたぬわりぜゅょろゅりねんのぷたぬわりぜゅょろゅりね /add && exit
  2⤵
  PID:4400
- - C:\Windows\system32\net.exe
    net user んのぷたぬわりぜゅょろゅりねんのぷたぬわりぜゅょろゅりね /add
    3⤵
    PID:4776
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user んのぷたぬわりぜゅょろゅりねんのぷたぬわりぜゅょろゅりね /add
      4⤵
      PID:1376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user べめゆゅぬじへさゃほひえぺゆべめゆゅぬじへさゃほひえぺゆ /add && exit
  2⤵
  PID:4112
- - C:\Windows\system32\net.exe
    net user べめゆゅぬじへさゃほひえぺゆべめゆゅぬじへさゃほひえぺゆ /add
    3⤵
    PID:2728
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user べめゆゅぬじへさゃほひえぺゆべめゆゅぬじへさゃほひえぺゆ /add
      4⤵
      PID:2624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user にせにゅわでもぱだびゅゃうゃにせにゅわでもぱだびゅゃうゃ /add && exit
  2⤵
  PID:1028
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4108
- - C:\Windows\system32\net.exe
    net user にせにゅわでもぱだびゅゃうゃにせにゅわでもぱだびゅゃうゃ /add
    3⤵
    PID:1508
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user にせにゅわでもぱだびゅゃうゃにせにゅわでもぱだびゅゃうゃ /add
      4⤵
      PID:1800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user るぬゅれわぷねねるきゃょむゅるぬゅれわぷねねるきゃょむゅ /add && exit
  2⤵
  PID:4424
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2520
- - C:\Windows\system32\net.exe
    net user るぬゅれわぷねねるきゃょむゅるぬゅれわぷねねるきゃょむゅ /add
    3⤵
    PID:2984
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user るぬゅれわぷねねるきゃょむゅるぬゅれわぷねねるきゃょむゅ /add
      4⤵
      PID:4176
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ょいゅをべゅほょにらやばぶりょいゅをべゅほょにらやばぶり /add && exit
  2⤵
  PID:1460
- - C:\Windows\system32\net.exe
    net user ょいゅをべゅほょにらやばぶりょいゅをべゅほょにらやばぶり /add
    3⤵
    PID:2452
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ょいゅをべゅほょにらやばぶりょいゅをべゅほょにらやばぶり /add
      4⤵
      PID:4252
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user たしるきべゅてやかゅとゅゅざたしるきべゅてやかゅとゅゅざ /add && exit
  2⤵
  PID:2532
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1444
- - C:\Windows\system32\net.exe
    net user たしるきべゅてやかゅとゅゅざたしるきべゅてやかゅとゅゅざ /add
    3⤵
    PID:3584
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user たしるきべゅてやかゅとゅゅざたしるきべゅてやかゅとゅゅざ /add
      4⤵
      PID:2748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ぺょはさゃゃのゃょたゃざはばぺょはさゃゃのゃょたゃざはば /add && exit
  2⤵
  PID:1192
- - C:\Windows\system32\net.exe
    net user ぺょはさゃゃのゃょたゃざはばぺょはさゃゃのゃょたゃざはば /add
    3⤵
    PID:1008
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ぺょはさゃゃのゃょたゃざはばぺょはさゃゃのゃょたゃざはば /add
      4⤵
      PID:2072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ゃあょぽょうせぐぺぢぼぽださゃあょぽょうせぐぺぢぼぽださ /add && exit
  2⤵
  PID:1568
- - C:\Windows\system32\net.exe
    net user ゃあょぽょうせぐぺぢぼぽださゃあょぽょうせぐぺぢぼぽださ /add
    3⤵
    PID:3372
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ゃあょぽょうせぐぺぢぼぽださゃあょぽょうせぐぺぢぼぽださ /add
      4⤵
      PID:3300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ゃぎょちみけやさげゃくゃゃゃゃぎょちみけやさげゃくゃゃゃ /add && exit
  2⤵
  PID:3548
- - C:\Windows\system32\net.exe
    net user ゃぎょちみけやさげゃくゃゃゃゃぎょちみけやさげゃくゃゃゃ /add
    3⤵
    PID:3812
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ゃぎょちみけやさげゃくゃゃゃゃぎょちみけやさげゃくゃゃゃ /add
      4⤵
      PID:4964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user いぢびょまつのべめのゃさといいぢびょまつのべめのゃさとい /add && exit
  2⤵
  PID:3084
- - C:\Windows\system32\net.exe
    net user いぢびょまつのべめのゃさといいぢびょまつのべめのゃさとい /add
    3⤵
    PID:4448
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user いぢびょまつのべめのゃさといいぢびょまつのべめのゃさとい /add
      4⤵
      PID:1628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user なぱほりまひそなちぴゃまげせなぱほりまひそなちぴゃまげせ /add && exit
  2⤵
  PID:3880
- - C:\Windows\system32\net.exe
    net user なぱほりまひそなちぴゃまげせなぱほりまひそなちぴゃまげせ /add
    3⤵
    PID:1636
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user なぱほりまひそなちぴゃまげせなぱほりまひそなちぴゃまげせ /add
      4⤵
      PID:4920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ゅがたろじめとゃばいよあゃづゅがたろじめとゃばいよあゃづ /add && exit
  2⤵
  PID:3264
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4860
- - C:\Windows\system32\net.exe
    net user ゅがたろじめとゃばいよあゃづゅがたろじめとゃばいよあゃづ /add
    3⤵
    PID:1056
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ゅがたろじめとゃばいよあゃづゅがたろじめとゃばいよあゃづ /add
      4⤵
      PID:3132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ぎゅざはおほじょゃゃゅばょねぎゅざはおほじょゃゃゅばょね /add && exit
  2⤵
  PID:1032
- - C:\Windows\system32\net.exe
    net user ぎゅざはおほじょゃゃゅばょねぎゅざはおほじょゃゃゅばょね /add
    3⤵
    PID:3860
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ぎゅざはおほじょゃゃゅばょねぎゅざはおほじょゃゃゅばょね /add
      4⤵
      PID:232
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ぱゅてゃおらろらょのゃてすゆぱゅてゃおらろらょのゃてすゆ /add && exit
  2⤵
  PID:4596
- - C:\Windows\system32\net.exe
    net user ぱゅてゃおらろらょのゃてすゆぱゅてゃおらろらょのゃてすゆ /add
    3⤵
    PID:4560
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ぱゅてゃおらろらょのゃてすゆぱゅてゃおらろらょのゃてすゆ /add
      4⤵
      PID:2912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ぬょおゃとんぎおづだれゃろゃぬょおゃとんぎおづだれゃろゃ /add && exit
  2⤵
  PID:3076
- - C:\Windows\system32\net.exe
    net user ぬょおゃとんぎおづだれゃろゃぬょおゃとんぎおづだれゃろゃ /add
    3⤵
    PID:2440
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ぬょおゃとんぎおづだれゃろゃぬょおゃとんぎおづだれゃろゃ /add
      4⤵
      PID:2936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user れょぽざてぜよざろいはけょゅれょぽざてぜよざろいはけょゅ /add && exit
  2⤵
  PID:4084
- - C:\Windows\system32\net.exe
    net user れょぽざてぜよざろいはけょゅれょぽざてぜよざろいはけょゅ /add
    3⤵
    PID:3740
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user れょぽざてぜよざろいはけょゅれょぽざてぜよざろいはけょゅ /add
      4⤵
      PID:2692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ばびぞぜるびろさのめゃょかりばびぞぜるびろさのめゃょかり /add && exit
  2⤵
  PID:1500
- - C:\Windows\system32\net.exe
    net user ばびぞぜるびろさのめゃょかりばびぞぜるびろさのめゃょかり /add
    3⤵
    PID:2176
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ばびぞぜるびろさのめゃょかりばびぞぜるびろさのめゃょかり /add
      4⤵
      PID:2072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user じれれぢばぺぐぱきぼごがゆゃじれれぢばぺぐぱきぼごがゆゃ /add && exit
  2⤵
  PID:936
- - C:\Windows\system32\net.exe
    net user じれれぢばぺぐぱきぼごがゆゃじれれぢばぺぐぱきぼごがゆゃ /add
    3⤵
    PID:3772
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user じれれぢばぺぐぱきぼごがゆゃじれれぢばぺぐぱきぼごがゆゃ /add
      4⤵
      PID:688
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ゃごけなばゅよねゅさもぱぱばゃごけなばゅよねゅさもぱぱば /add && exit
  2⤵
  PID:2784
- - C:\Windows\system32\net.exe
    net user ゃごけなばゅよねゅさもぱぱばゃごけなばゅよねゅさもぱぱば /add
    3⤵
    PID:3300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ゃごけなばゅよねゅさもぱぱばゃごけなばゅよねゅさもぱぱば /add
      4⤵
      PID:1112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ふまゃねょょわょぺろおゆけろふまゃねょょわょぺろおゆけろ /add && exit
  2⤵
  PID:2232
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:32
- - C:\Windows\system32\net.exe
    net user ふまゃねょょわょぺろおゆけろふまゃねょょわょぺろおゆけろ /add
    3⤵
    PID:2320
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ふまゃねょょわょぺろおゆけろふまゃねょょわょぺろおゆけろ /add
      4⤵
      PID:2156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ぎりでゃょょむやずゅゃだほぞぎりでゃょょむやずゅゃだほぞ /add && exit
  2⤵
  PID:460
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3840
- - C:\Windows\system32\net.exe
    net user ぎりでゃょょむやずゅゃだほぞぎりでゃょょむやずゅゃだほぞ /add
    3⤵
    PID:3824
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ぎりでゃょょむやずゅゃだほぞぎりでゃょょむやずゅゃだほぞ /add
      4⤵
      PID:4576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ぱげふがょかにゅよほべゅでぴぱげふがょかにゅよほべゅでぴ /add && exit
  2⤵
  PID:1628
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4448
- - C:\Windows\system32\net.exe
    net user ぱげふがょかにゅよほべゅでぴぱげふがょかにゅよほべゅでぴ /add
    3⤵
    PID:956
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ぱげふがょかにゅよほべゅでぴぱげふがょかにゅよほべゅでぴ /add
      4⤵
      PID:4864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user らゅぶほふいぞおめこぬゃでめらゅぶほふいぞおめこぬゃでめ /add && exit
  2⤵
  PID:1376
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2728
- - C:\Windows\system32\net.exe
    net user らゅぶほふいぞおめこぬゃでめらゅぶほふいぞおめこぬゃでめ /add
    3⤵
    PID:3884
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user らゅぶほふいぞおめこぬゃでめらゅぶほふいぞおめこぬゃでめ /add
      4⤵
      PID:1672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user れらゅしかにちおえかしぼぬひれらゅしかにちおえかしぼぬひ /add && exit
  2⤵
  PID:4188
- - C:\Windows\system32\net.exe
    net user れらゅしかにちおえかしぼぬひれらゅしかにちおえかしぼぬひ /add
    3⤵
    PID:4752
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user れらゅしかにちおえかしぼぬひれらゅしかにちおえかしぼぬひ /add
      4⤵
      PID:1076
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user おつぶそひへぬばょらょやずぽおつぶそひへぬばょらょやずぽ /add && exit
  2⤵
  PID:3860
- - C:\Windows\system32\net.exe
    net user おつぶそひへぬばょらょやずぽおつぶそひへぬばょらょやずぽ /add
    3⤵
    PID:3416
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user おつぶそひへぬばょらょやずぽおつぶそひへぬばょらょやずぽ /add
      4⤵
      PID:4032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ぷぞいばぽのぞぴゅてみめずゆぷぞいばぽのぞぴゅてみめずゆ /add && exit
  2⤵
  PID:4936
- - C:\Windows\system32\net.exe
    net user ぷぞいばぽのぞぴゅてみめずゆぷぞいばぽのぞぴゅてみめずゆ /add
    3⤵
    PID:4912
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ぷぞいばぽのぞぴゅてみめずゆぷぞいばぽのぞぴゅてみめずゆ /add
      4⤵
      PID:4152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ゅぼぴづぽめをねびばたずゃぐゅぼぴづぽめをねびばたずゃぐ /add && exit
  2⤵
  PID:4552
- - C:\Windows\system32\net.exe
    net user ゅぼぴづぽめをねびばたずゃぐゅぼぴづぽめをねびばたずゃぐ /add
    3⤵
    PID:2592
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ゅぼぴづぽめをねびばたずゃぐゅぼぴづぽめをねびばたずゃぐ /add
      4⤵
      PID:4540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ふゃうゅぺざねめまぎょゅがょふゃうゅぺざねめまぎょゅがょ /add && exit
  2⤵
  PID:3356
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4964
- - C:\Windows\system32\net.exe
    net user ふゃうゅぺざねめまぎょゅがょふゃうゅぺざねめまぎょゅがょ /add
    3⤵
    PID:3112
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user ふゃうゅぺざねめまぎょゅがょふゃうゅぺざねめまぎょゅがょ /add
      4⤵
      PID:1820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user とめかふそぢんゃさぽのせょざとめかふそぢんゃさぽのせょざ /add && exit
  2⤵
  PID:5084
- - C:\Windows\system32\net.exe
    net user とめかふそぢんゃさぽのせょざとめかふそぢんゃさぽのせょざ /add
    3⤵
    PID:4684
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user とめかふそぢんゃさぽのせょざとめかふそぢんゃさぽのせょざ /add
      4⤵
      PID:988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user らろゃゅそぼもぐゃそけめこべらろゃゅそぼもぐゃそけめこべ /add && exit
  2⤵
  PID:3332
- - C:\Windows\system32\net.exe
    net user らろゃゅそぼもぐゃそけめこべらろゃゅそぼもぐゃそけめこべ /add
    3⤵
    PID:3824
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user らろゃゅそぼもぐゃそけめこべらろゃゅそぼもぐゃそけめこべ /add
      4⤵
      PID:1800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user ゃぬぢゅゆょるくゃぎぽえりさゃぬぢゅゆょるくゃぎぽえりさ /add && exit
  2⤵
  PID:1148
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4280
- C:\Windows\System32\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /r /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1804

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3969055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\べちえもぱやずべまむそづゅくまむもよほてぴてけばぺこゃまがしけぐわうしひゃろゃけばこまぐをょょげもけふょぶよゅわおいどぜずなたちほばしゅゅいぞゃげひじぞょぜぐゅははょわょたょええぶてぴゃひれよょしたゅ

Filesize
666B

MD5
9e1e5883c74742a497cf5c272ccd2321

SHA1
2cf33e34d08b8e17743a60352baffef4b6f02dee

SHA256
ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a

SHA512
f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b

Download Submit
memory/2308-0-0x0000015F2B620000-0x0000015F2BA94000-memory.dmp

Filesize
4.5MB

Download
memory/2308-1-0x00007FFCFB773000-0x00007FFCFB775000-memory.dmp

Filesize
8KB

Download
memory/2308-15-0x00007FFCFB770000-0x00007FFCFC232000-memory.dmp

Filesize
10.8MB

Download
memory/2308-359-0x00007FFCFB770000-0x00007FFCFC232000-memory.dmp

Filesize
10.8MB

Download
memory/2308-1036-0x00007FFCFB770000-0x00007FFCFC232000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads