Analysis

max time kernel: 48s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250410-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/04/2025, 21:50

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
Resource: win10v2004-20250410-en

General

Target: JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
Size: 1020KB
MD5: b00543b6e9ead74528eb07622f2f5c94
SHA1: 36310f1caec808d700c5f8147ebb1b6f60aee09a
SHA256: 075f8ff04a2ce29d55c82f2fabfa76187e0933b6b154614b45d5c5fdd41ed2a3
SHA512: 7f2937a25b363b139839cf491e7e9e2097ab5d469b3d8486aa23782b816fc63a7bd43f522c0fab1780dd80db32a0d5c84df635851ceb1f7d64bffc84e294bd4b
SSDEEP: 6144:YKEGlVcJboOtGY8q75yKC2qJDrNRlpwPBYgZ9fVU93eJwN6QFbSpO4XcA2n4aA8O:YKr3QboC9qLGKgZKe4HYpHvcbTV
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 22 IoCs
description | ioc | Process | count
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe | 20
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | wjivxlm.exe | 2
The data written is the stock default shell name, so the effective shell is unchanged, and the WOW6432Node path shows the writer is a 32-bit process. What makes this a signature is that a dropped binary writes the Winlogon key at all; detection should key on the write event and the writing process, not on the value.
Pykspa family
UAC bypass 3 TTPs 31 IoCs
description | ioc | Process | count
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe | 20
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wjivxlm.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | qjfmnzhratp.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wjivxlm.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | qjfmnzhratp.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | wjivxlm.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | qjfmnzhratp.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wjivxlm.exe | 2
These are policy values under HKLM that the sample can only write because it already runs with administrative rights, so this is UAC being switched off for the future rather than defeated: EnableLUA = 0 disables UAC at the next boot, ConsentPromptBehaviorAdmin = 0 lets administrators elevate with no prompt, PromptOnSecureDesktop = 0 takes any remaining prompts off the secure desktop, and ConsentPromptBehaviorUser = 0 silently denies elevation to standard users.
Detect Pykspa worm 2 IoCs
resource | yara_rule
behavioral1/files/0x00090000000229e2-4.dat | family_pykspa
behavioral1/files/0x000700000002425a-83.dat | family_pykspa
Adds policy Run key to start application 2 TTPs 64 IoCs
description | ioc | Process | count
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | qjfmnzhratp.exe | 17
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wjivxlm.exe | 1
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhnhqlthxhxtsc = "jjvvklztpfbdiyidunff.exe" | qjfmnzhratp.exe | 2
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhnhqlthxhxtsc = "jjvvklztpfbdiyidunff.exe" | wjivxlm.exe | 1
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhnhqlthxhxtsc = "yzmndfupmdadjalhztmna.exe" | qjfmnzhratp.exe | 6
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhnhqlthxhxtsc = "yzmndfupmdadjalhztmna.exe" | wjivxlm.exe | 1
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhnhqlthxhxtsc = "czifrparkxqpreldr.exe" | qjfmnzhratp.exe | 2
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhnhqlthxhxtsc = "czifrparkxqpreldr.exe" | wjivxlm.exe | 1
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhnhqlthxhxtsc = "vrzvgdndvhzxykqh.exe" | qjfmnzhratp.exe | 3
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhnhqlthxhxtsc = "vrzvgdndvhzxykqh.exe" | wjivxlm.exe | 1
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhnhqlthxhxtsc = "ljtredphbpjjmaibqh.exe" | qjfmnzhratp.exe | 3
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhnhqlthxhxtsc = "ljtredphbpjjmaibqh.exe" | wjivxlm.exe | 1
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nhnhqlthxhxtsc = "wvgfttgzujefjyhbrja.exe" | qjfmnzhratp.exe | 1
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhkbhzepcjw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wvgfttgzujefjyhbrja.exe" | qjfmnzhratp.exe | 5
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhkbhzepcjw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljtredphbpjjmaibqh.exe" | qjfmnzhratp.exe | 5
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhkbhzepcjw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljtredphbpjjmaibqh.exe" | wjivxlm.exe | 2
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhkbhzepcjw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrzvgdndvhzxykqh.exe" | qjfmnzhratp.exe | 5
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhkbhzepcjw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrzvgdndvhzxykqh.exe" | wjivxlm.exe | 1
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhkbhzepcjw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzmndfupmdadjalhztmna.exe" | qjfmnzhratp.exe | 1
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhkbhzepcjw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzmndfupmdadjalhztmna.exe" | wjivxlm.exe | 2
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhkbhzepcjw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czifrparkxqpreldr.exe" | wjivxlm.exe | 1
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhkbhzepcjw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjvvklztpfbdiyidunff.exe" | qjfmnzhratp.exe | 2
Two fixed value names are rewritten over and over: nhnhqlthxhxtsc holds a bare filename (resolved through the search path at logon) and qhkbhzepcjw a full %TEMP% path, each cycling through the six dropped executables.
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process | count
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wjivxlm.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qjfmnzhratp.exe | 1
Set value (int) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qjfmnzhratp.exe | 1
Set value (int) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wjivxlm.exe | 2
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process | count
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | czifrparkxqpreldr.exe | 12
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | yzmndfupmdadjalhztmna.exe | 12
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | ljtredphbpjjmaibqh.exe | 11
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | jjvvklztpfbdiyidunff.exe | 11
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | vrzvgdndvhzxykqh.exe | 9
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | wvgfttgzujefjyhbrja.exe | 7
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe | 1
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | qjfmnzhratp.exe | 1
A single read of this value is weak evidence on its own, since ordinary locale API calls return it; what gives it weight here is that the original sample and every dropped binary perform the lookup.
Executes dropped EXE 64 IoCs
Process | pid(s)
qjfmnzhratp.exe | 1484, 4972, 4592, 5396, 864, 2840, 1120, 5936, 5764, 4756, 4744, 5596, 5008, 1100, 3980, 1688, 5544, 460, 572, 3644 (20)
jjvvklztpfbdiyidunff.exe | 3480, 5184, 1560, 1572, 5360, 2064, 5960, 5812, 5828, 4056, 1780, 760 (12)
czifrparkxqpreldr.exe | 4356, 3492, 1100, 2792, 2360, 5148, 3420, 768, 1256 (9)
vrzvgdndvhzxykqh.exe | 4740, 3176, 5352, 2044, 2348, 5276 (6)
ljtredphbpjjmaibqh.exe | 4920, 880, 1056, 5972, 624 (5)
yzmndfupmdadjalhztmna.exe | 5504, 4192, 1548, 5436, 4460 (5)
wvgfttgzujefjyhbrja.exe | 4796, 4780, 1572, 5432, 3948 (5)
wjivxlm.exe | 3984, 1544 (2)
PIDs 1100 and 1572 each appear under two different images, so PIDs were reused within the run; correlate events on pid together with image name, not on pid alone.
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | wjivxlm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | wjivxlm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | wjivxlm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | wjivxlm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | wjivxlm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | wjivxlm.exe
The entries under SafeBoot\Minimal are the drivers and services Windows loads in Safe Mode. Removing UserManager and ProfSvc, which a Safe Mode logon depends on, degrades the usual recovery route on a machine whose UAC and registry editor have just been disabled.
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ljtredphbpjjmaibqh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljtredphbpjjmaibqh.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vrzvgdndvhzxykqh = "ljtredphbpjjmaibqh.exe ." qjfmnzhratp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfjbibhthpdx = "czifrparkxqpreldr.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfjbibhthpdx = "yzmndfupmdadjalhztmna.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qlsnxtcritkhhsx = "ljtredphbpjjmaibqh.exe" wjivxlm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mfkdlfmzoxmhf = "czifrparkxqpreldr.exe ." qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qlsnxtcritkhhsx = "czifrparkxqpreldr.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ljtredphbpjjmaibqh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljtredphbpjjmaibqh.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nfjbibhthpdx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrzvgdndvhzxykqh.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mfkdlfmzoxmhf = "yzmndfupmdadjalhztmna.exe ." qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vrzvgdndvhzxykqh = "wvgfttgzujefjyhbrja.exe ." wjivxlm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\czifrparkxqpreldr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czifrparkxqpreldr.exe ." qjfmnzhratp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\czifrparkxqpreldr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wvgfttgzujefjyhbrja.exe ." wjivxlm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\czifrparkxqpreldr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wvgfttgzujefjyhbrja.exe ." qjfmnzhratp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfjbibhthpdx = "ljtredphbpjjmaibqh.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\czifrparkxqpreldr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czifrparkxqpreldr.exe ." wjivxlm.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfkdlfmzoxmhf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrzvgdndvhzxykqh.exe ." wjivxlm.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nfjbibhthpdx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzmndfupmdadjalhztmna.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfkdlfmzoxmhf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrzvgdndvhzxykqh.exe ." qjfmnzhratp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfjbibhthpdx = "vrzvgdndvhzxykqh.exe" wjivxlm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\czifrparkxqpreldr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljtredphbpjjmaibqh.exe ." wjivxlm.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nfjbibhthpdx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjvvklztpfbdiyidunff.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nfjbibhthpdx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzmndfupmdadjalhztmna.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ljtredphbpjjmaibqh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjvvklztpfbdiyidunff.exe" wjivxlm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mfkdlfmzoxmhf = "wvgfttgzujefjyhbrja.exe ." qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qlsnxtcritkhhsx = "yzmndfupmdadjalhztmna.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfjbibhthpdx = "wvgfttgzujefjyhbrja.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfkdlfmzoxmhf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czifrparkxqpreldr.exe ." qjfmnzhratp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ljtredphbpjjmaibqh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljtredphbpjjmaibqh.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfjbibhthpdx = "wvgfttgzujefjyhbrja.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qlsnxtcritkhhsx = "jjvvklztpfbdiyidunff.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\czifrparkxqpreldr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czifrparkxqpreldr.exe ." qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qlsnxtcritkhhsx = "ljtredphbpjjmaibqh.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qlsnxtcritkhhsx = "vrzvgdndvhzxykqh.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mfkdlfmzoxmhf = "yzmndfupmdadjalhztmna.exe ." qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nfjbibhthpdx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzmndfupmdadjalhztmna.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vrzvgdndvhzxykqh = "jjvvklztpfbdiyidunff.exe ." qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qlsnxtcritkhhsx = "vrzvgdndvhzxykqh.exe" wjivxlm.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vrzvgdndvhzxykqh = "ljtredphbpjjmaibqh.exe ." wjivxlm.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nfjbibhthpdx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljtredphbpjjmaibqh.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\czifrparkxqpreldr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljtredphbpjjmaibqh.exe ." qjfmnzhratp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\czifrparkxqpreldr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjvvklztpfbdiyidunff.exe ." wjivxlm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfjbibhthpdx = "wvgfttgzujefjyhbrja.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vrzvgdndvhzxykqh = "yzmndfupmdadjalhztmna.exe ." qjfmnzhratp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfjbibhthpdx = "wvgfttgzujefjyhbrja.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfkdlfmzoxmhf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjvvklztpfbdiyidunff.exe ." qjfmnzhratp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\czifrparkxqpreldr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljtredphbpjjmaibqh.exe ." qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qlsnxtcritkhhsx = "wvgfttgzujefjyhbrja.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nfjbibhthpdx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wvgfttgzujefjyhbrja.exe" wjivxlm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfjbibhthpdx = "jjvvklztpfbdiyidunff.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfkdlfmzoxmhf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jjvvklztpfbdiyidunff.exe ." wjivxlm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfjbibhthpdx = "jjvvklztpfbdiyidunff.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qlsnxtcritkhhsx = "vrzvgdndvhzxykqh.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfkdlfmzoxmhf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czifrparkxqpreldr.exe ." wjivxlm.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nfjbibhthpdx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrzvgdndvhzxykqh.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfjbibhthpdx = "ljtredphbpjjmaibqh.exe" wjivxlm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ljtredphbpjjmaibqh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzmndfupmdadjalhztmna.exe" wjivxlm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfjbibhthpdx = "jjvvklztpfbdiyidunff.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qlsnxtcritkhhsx = "yzmndfupmdadjalhztmna.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ljtredphbpjjmaibqh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljtredphbpjjmaibqh.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vrzvgdndvhzxykqh = "wvgfttgzujefjyhbrja.exe ." qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nfjbibhthpdx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czifrparkxqpreldr.exe" wjivxlm.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfkdlfmzoxmhf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzmndfupmdadjalhztmna.exe ." qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mfkdlfmzoxmhf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czifrparkxqpreldr.exe ." qjfmnzhratp.exe -
Checks whether UAC is enabled 1 TTPs 44 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wjivxlm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wjivxlm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wjivxlm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wjivxlm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe -
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" wjivxlm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" wjivxlm.exe -
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
22 www.whatismyip.ca
23 whatismyip.everdot.org
29 whatismyip.everdot.org
39 www.whatismyip.ca
10 www.whatismyip.ca
11 whatismyipaddress.com
14 whatismyip.everdot.org
15 www.showmyipaddress.com -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File opened for modification C:\autorun.inf wjivxlm.exe
File created C:\autorun.inf wjivxlm.exe
File opened for modification F:\autorun.inf wjivxlm.exe
File created F:\autorun.inf wjivxlm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\prfhybrnldbfmeqngbvxln.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\jjvvklztpfbdiyidunff.exe wjivxlm.exe
File opened for modification C:\Windows\SysWOW64\czifrparkxqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\ljtredphbpjjmaibqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\vrzvgdndvhzxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\jjvvklztpfbdiyidunff.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\czifrparkxqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\prfhybrnldbfmeqngbvxln.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\jjvvklztpfbdiyidunff.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\ljtredphbpjjmaibqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\prfhybrnldbfmeqngbvxln.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\czifrparkxqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\ljtredphbpjjmaibqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\yzmndfupmdadjalhztmna.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\jjvvklztpfbdiyidunff.exe wjivxlm.exe
File opened for modification C:\Windows\SysWOW64\prfhybrnldbfmeqngbvxln.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\yzmndfupmdadjalhztmna.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\yzmndfupmdadjalhztmna.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\ljtredphbpjjmaibqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\ljtredphbpjjmaibqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\wvgfttgzujefjyhbrja.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\yzmndfupmdadjalhztmna.exe wjivxlm.exe
File opened for modification C:\Windows\SysWOW64\prfhybrnldbfmeqngbvxln.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\wvgfttgzujefjyhbrja.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\yzmndfupmdadjalhztmna.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\vrzvgdndvhzxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\prfhybrnldbfmeqngbvxln.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\jjvvklztpfbdiyidunff.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\wvgfttgzujefjyhbrja.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\vrzvgdndvhzxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\jjvvklztpfbdiyidunff.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\yzmndfupmdadjalhztmna.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\vrzvgdndvhzxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\yzmndfupmdadjalhztmna.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\vrzvgdndvhzxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\vrzvgdndvhzxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\czifrparkxqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\wvgfttgzujefjyhbrja.exe wjivxlm.exe
File opened for modification C:\Windows\SysWOW64\vrzvgdndvhzxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\jjvvklztpfbdiyidunff.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\vrzvgdndvhzxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\vrzvgdndvhzxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\yzmndfupmdadjalhztmna.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\ljtredphbpjjmaibqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\czifrparkxqpreldr.exe wjivxlm.exe
File opened for modification C:\Windows\SysWOW64\czifrparkxqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\jjvvklztpfbdiyidunff.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\yzmndfupmdadjalhztmna.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\vrzvgdndvhzxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\ljtredphbpjjmaibqh.exe wjivxlm.exe
File opened for modification C:\Windows\SysWOW64\prfhybrnldbfmeqngbvxln.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\ljtredphbpjjmaibqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\yzmndfupmdadjalhztmna.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\wvgfttgzujefjyhbrja.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\jjvvklztpfbdiyidunff.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\jjvvklztpfbdiyidunff.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\vrzvgdndvhzxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\prfhybrnldbfmeqngbvxln.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\czifrparkxqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\jjvvklztpfbdiyidunff.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\yzmndfupmdadjalhztmna.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\yzmndfupmdadjalhztmna.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\prfhybrnldbfmeqngbvxln.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\prfhybrnldbfmeqngbvxln.exe qjfmnzhratp.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\dlfnktprvtxhusknmnnvpxud.bfd wjivxlm.exe
File created C:\Program Files (x86)\dlfnktprvtxhusknmnnvpxud.bfd wjivxlm.exe
File opened for modification C:\Program Files (x86)\mfkdlfmzoxmhforfpbmfkdlfmzoxmhforfp.mfk wjivxlm.exe
File created C:\Program Files (x86)\mfkdlfmzoxmhforfpbmfkdlfmzoxmhforfp.mfk wjivxlm.exe -
Drops file in Windows directory 64 IoCs
description ioc Process
File opened for modification C:\Windows\jjvvklztpfbdiyidunff.exe qjfmnzhratp.exe
File opened for modification C:\Windows\czifrparkxqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\prfhybrnldbfmeqngbvxln.exe wjivxlm.exe
File opened for modification C:\Windows\prfhybrnldbfmeqngbvxln.exe wjivxlm.exe
File opened for modification C:\Windows\jjvvklztpfbdiyidunff.exe qjfmnzhratp.exe
File opened for modification C:\Windows\ljtredphbpjjmaibqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\yzmndfupmdadjalhztmna.exe qjfmnzhratp.exe
File opened for modification C:\Windows\prfhybrnldbfmeqngbvxln.exe qjfmnzhratp.exe
File opened for modification C:\Windows\jjvvklztpfbdiyidunff.exe qjfmnzhratp.exe
File opened for modification C:\Windows\yzmndfupmdadjalhztmna.exe qjfmnzhratp.exe
File opened for modification C:\Windows\yzmndfupmdadjalhztmna.exe qjfmnzhratp.exe
File opened for modification C:\Windows\czifrparkxqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\jjvvklztpfbdiyidunff.exe qjfmnzhratp.exe
File opened for modification C:\Windows\jjvvklztpfbdiyidunff.exe qjfmnzhratp.exe
File opened for modification C:\Windows\prfhybrnldbfmeqngbvxln.exe qjfmnzhratp.exe
File opened for modification C:\Windows\czifrparkxqpreldr.exe wjivxlm.exe
File opened for modification C:\Windows\yzmndfupmdadjalhztmna.exe qjfmnzhratp.exe
File opened for modification C:\Windows\vrzvgdndvhzxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\wvgfttgzujefjyhbrja.exe qjfmnzhratp.exe
File opened for modification C:\Windows\prfhybrnldbfmeqngbvxln.exe qjfmnzhratp.exe
File opened for modification C:\Windows\jjvvklztpfbdiyidunff.exe wjivxlm.exe
File opened for modification C:\Windows\czifrparkxqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\ljtredphbpjjmaibqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\jjvvklztpfbdiyidunff.exe qjfmnzhratp.exe
File opened for modification C:\Windows\vrzvgdndvhzxykqh.exe wjivxlm.exe
File opened for modification C:\Windows\vrzvgdndvhzxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\prfhybrnldbfmeqngbvxln.exe qjfmnzhratp.exe
File opened for modification C:\Windows\czifrparkxqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\ljtredphbpjjmaibqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\jjvvklztpfbdiyidunff.exe qjfmnzhratp.exe
File opened for modification C:\Windows\prfhybrnldbfmeqngbvxln.exe qjfmnzhratp.exe
File opened for modification C:\Windows\czifrparkxqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\yzmndfupmdadjalhztmna.exe wjivxlm.exe
File opened for modification C:\Windows\jjvvklztpfbdiyidunff.exe qjfmnzhratp.exe
File opened for modification C:\Windows\wvgfttgzujefjyhbrja.exe qjfmnzhratp.exe
File opened for modification C:\Windows\vrzvgdndvhzxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\jjvvklztpfbdiyidunff.exe qjfmnzhratp.exe
File opened for modification C:\Windows\prfhybrnldbfmeqngbvxln.exe qjfmnzhratp.exe
File opened for modification C:\Windows\prfhybrnldbfmeqngbvxln.exe qjfmnzhratp.exe
File opened for modification C:\Windows\vrzvgdndvhzxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\prfhybrnldbfmeqngbvxln.exe qjfmnzhratp.exe
File opened for modification C:\Windows\vrzvgdndvhzxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\czifrparkxqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\jjvvklztpfbdiyidunff.exe qjfmnzhratp.exe
File opened for modification C:\Windows\wvgfttgzujefjyhbrja.exe qjfmnzhratp.exe
File opened for modification C:\Windows\jjvvklztpfbdiyidunff.exe qjfmnzhratp.exe
File opened for modification C:\Windows\czifrparkxqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\wvgfttgzujefjyhbrja.exe qjfmnzhratp.exe
File opened for modification C:\Windows\vrzvgdndvhzxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\czifrparkxqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\prfhybrnldbfmeqngbvxln.exe qjfmnzhratp.exe
File opened for modification C:\Windows\ljtredphbpjjmaibqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\czifrparkxqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\wvgfttgzujefjyhbrja.exe qjfmnzhratp.exe
File opened for modification C:\Windows\wvgfttgzujefjyhbrja.exe qjfmnzhratp.exe
File opened for modification C:\Windows\ljtredphbpjjmaibqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\jjvvklztpfbdiyidunff.exe qjfmnzhratp.exe
File opened for modification C:\Windows\prfhybrnldbfmeqngbvxln.exe qjfmnzhratp.exe
File opened for modification C:\Windows\yzmndfupmdadjalhztmna.exe qjfmnzhratp.exe
File opened for modification C:\Windows\ljtredphbpjjmaibqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\ljtredphbpjjmaibqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\wvgfttgzujefjyhbrja.exe qjfmnzhratp.exe
File opened for modification C:\Windows\vrzvgdndvhzxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\vrzvgdndvhzxykqh.exe qjfmnzhratp.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language czifrparkxqpreldr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language czifrparkxqpreldr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wjivxlm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ljtredphbpjjmaibqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wvgfttgzujefjyhbrja.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wvgfttgzujefjyhbrja.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yzmndfupmdadjalhztmna.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yzmndfupmdadjalhztmna.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language czifrparkxqpreldr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yzmndfupmdadjalhztmna.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language czifrparkxqpreldr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wvgfttgzujefjyhbrja.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvklztpfbdiyidunff.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language czifrparkxqpreldr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ljtredphbpjjmaibqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vrzvgdndvhzxykqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ljtredphbpjjmaibqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvklztpfbdiyidunff.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vrzvgdndvhzxykqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvklztpfbdiyidunff.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vrzvgdndvhzxykqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vrzvgdndvhzxykqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvklztpfbdiyidunff.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vrzvgdndvhzxykqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vrzvgdndvhzxykqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ljtredphbpjjmaibqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yzmndfupmdadjalhztmna.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language czifrparkxqpreldr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvklztpfbdiyidunff.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language czifrparkxqpreldr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wvgfttgzujefjyhbrja.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvklztpfbdiyidunff.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language czifrparkxqpreldr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvklztpfbdiyidunff.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yzmndfupmdadjalhztmna.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vrzvgdndvhzxykqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvklztpfbdiyidunff.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wvgfttgzujefjyhbrja.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yzmndfupmdadjalhztmna.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ljtredphbpjjmaibqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ljtredphbpjjmaibqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language czifrparkxqpreldr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wvgfttgzujefjyhbrja.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wvgfttgzujefjyhbrja.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ljtredphbpjjmaibqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vrzvgdndvhzxykqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language czifrparkxqpreldr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yzmndfupmdadjalhztmna.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language czifrparkxqpreldr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vrzvgdndvhzxykqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ljtredphbpjjmaibqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language czifrparkxqpreldr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wvgfttgzujefjyhbrja.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wvgfttgzujefjyhbrja.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yzmndfupmdadjalhztmna.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvklztpfbdiyidunff.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qjfmnzhratp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vrzvgdndvhzxykqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yzmndfupmdadjalhztmna.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wvgfttgzujefjyhbrja.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wvgfttgzujefjyhbrja.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language czifrparkxqpreldr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ljtredphbpjjmaibqh.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
1544 | wjivxlm.exe
1544 | wjivxlm.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
1544 | wjivxlm.exe
1544 | wjivxlm.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1544 | wjivxlm.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 5840 wrote to memory of 1484 | 5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe | 87
PID 5840 wrote to memory of 1484 | 5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe | 87
PID 5840 wrote to memory of 1484 | 5840 | JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe | 87
PID 4504 wrote to memory of 3480 | 4504 | cmd.exe | 90
PID 4504 wrote to memory of 3480 | 4504 | cmd.exe | 90
PID 4504 wrote to memory of 3480 | 4504 | cmd.exe | 90
PID 1140 wrote to memory of 5184 | 1140 | cmd.exe | 93
PID 1140 wrote to memory of 5184 | 1140 | cmd.exe | 93
PID 1140 wrote to memory of 5184 | 1140 | cmd.exe | 93
PID 5184 wrote to memory of 4972 | 5184 | jjvvklztpfbdiyidunff.exe | 96
PID 5184 wrote to memory of 4972 | 5184 | jjvvklztpfbdiyidunff.exe | 96
PID 5184 wrote to memory of 4972 | 5184 | jjvvklztpfbdiyidunff.exe | 96
PID 2276 wrote to memory of 4740 | 2276 | cmd.exe | 99
PID 2276 wrote to memory of 4740 | 2276 | cmd.exe | 99
PID 2276 wrote to memory of 4740 | 2276 | cmd.exe | 99
PID 4716 wrote to memory of 4920 | 4716 | cmd.exe | 102
PID 4716 wrote to memory of 4920 | 4716 | cmd.exe | 102
PID 4716 wrote to memory of 4920 | 4716 | cmd.exe | 102
PID 4892 wrote to memory of 4356 | 4892 | cmd.exe | 105
PID 4892 wrote to memory of 4356 | 4892 | cmd.exe | 105
PID 4892 wrote to memory of 4356 | 4892 | cmd.exe | 105
PID 4920 wrote to memory of 4592 | 4920 | ljtredphbpjjmaibqh.exe | 106
PID 4920 wrote to memory of 4592 | 4920 | ljtredphbpjjmaibqh.exe | 106
PID 4920 wrote to memory of 4592 | 4920 | ljtredphbpjjmaibqh.exe | 106
PID 5148 wrote to memory of 3492 | 5148 | cmd.exe | 107
PID 5148 wrote to memory of 3492 | 5148 | cmd.exe | 107
PID 5148 wrote to memory of 3492 | 5148 | cmd.exe | 107
PID 3492 wrote to memory of 5396 | 3492 | czifrparkxqpreldr.exe | 110
PID 3492 wrote to memory of 5396 | 3492 | czifrparkxqpreldr.exe | 110
PID 3492 wrote to memory of 5396 | 3492 | czifrparkxqpreldr.exe | 110
PID 5684 wrote to memory of 1100 | 5684 | cmd.exe | 189
PID 5684 wrote to memory of 1100 | 5684 | cmd.exe | 189
PID 5684 wrote to memory of 1100 | 5684 | cmd.exe | 189
PID 3896 wrote to memory of 1560 | 3896 | cmd.exe | 114
PID 3896 wrote to memory of 1560 | 3896 | cmd.exe | 114
PID 3896 wrote to memory of 1560 | 3896 | cmd.exe | 114
PID 1560 wrote to memory of 864 | 1560 | jjvvklztpfbdiyidunff.exe | 115
PID 1560 wrote to memory of 864 | 1560 | jjvvklztpfbdiyidunff.exe | 115
PID 1560 wrote to memory of 864 | 1560 | jjvvklztpfbdiyidunff.exe | 115
PID 1484 wrote to memory of 3984 | 1484 | qjfmnzhratp.exe | 116
PID 1484 wrote to memory of 3984 | 1484 | qjfmnzhratp.exe | 116
PID 1484 wrote to memory of 3984 | 1484 | qjfmnzhratp.exe | 116
PID 1484 wrote to memory of 1544 | 1484 | qjfmnzhratp.exe | 117
PID 1484 wrote to memory of 1544 | 1484 | qjfmnzhratp.exe | 117
PID 1484 wrote to memory of 1544 | 1484 | qjfmnzhratp.exe | 117
PID 1304 wrote to memory of 3176 | 1304 | cmd.exe | 207
PID 1304 wrote to memory of 3176 | 1304 | cmd.exe | 207
PID 1304 wrote to memory of 3176 | 1304 | cmd.exe | 207
PID 1232 wrote to memory of 2792 | 1232 | cmd.exe | 123
PID 1232 wrote to memory of 2792 | 1232 | cmd.exe | 123
PID 1232 wrote to memory of 2792 | 1232 | cmd.exe | 123
PID 5292 wrote to memory of 1572 | 5292 | cmd.exe | 217
PID 5292 wrote to memory of 1572 | 5292 | cmd.exe | 217
PID 5292 wrote to memory of 1572 | 5292 | cmd.exe | 217
PID 3016 wrote to memory of 880 | 3016 | cmd.exe | 133
PID 3016 wrote to memory of 880 | 3016 | cmd.exe | 133
PID 3016 wrote to memory of 880 | 3016 | cmd.exe | 133
PID 1572 wrote to memory of 2840 | 1572 | jjvvklztpfbdiyidunff.exe | 138
PID 1572 wrote to memory of 2840 | 1572 | jjvvklztpfbdiyidunff.exe | 138
PID 1572 wrote to memory of 2840 | 1572 | jjvvklztpfbdiyidunff.exe | 138
PID 880 wrote to memory of 1120 | 880 | ljtredphbpjjmaibqh.exe | 325
PID 880 wrote to memory of 1120 | 880 | ljtredphbpjjmaibqh.exe | 325
PID 880 wrote to memory of 1120 | 880 | ljtredphbpjjmaibqh.exe | 325
PID 2992 wrote to memory of 5360 | 2992 | cmd.exe | 148
System policy modification 1 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | wjivxlm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | wjivxlm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | wjivxlm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wjivxlm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wjivxlm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wjivxlm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wjivxlm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | wjivxlm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wjivxlm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wjivxlm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | wjivxlm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wjivxlm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | wjivxlm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | wjivxlm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wjivxlm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | wjivxlm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | qjfmnzhratp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | wjivxlm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | wjivxlm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | wjivxlm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | wjivxlm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | wjivxlm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wjivxlm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | wjivxlm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b00543b6e9ead74528eb07622f2f5c94.exe"
    PID: 5840
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_b00543b6e9ead74528eb07622f2f5c94.exe*"
      PID: 1484
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - System policy modification
    [3] C:\Users\Admin\AppData\Local\Temp\wjivxlm.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\wjivxlm.exe" "-C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe"
        PID: 3984
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Hijack Execution Flow: Executable Installer File Permissions Weakness
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - System policy modification
    [3] C:\Users\Admin\AppData\Local\Temp\wjivxlm.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\wjivxlm.exe" "-C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe"
        PID: 1544
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Impair Defenses: Safe Mode Boot
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Hijack Execution Flow: Executable Installer File Permissions Weakness
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - System policy modification
[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe
    PID: 4504
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\jjvvklztpfbdiyidunff.exe
      Command line: jjvvklztpfbdiyidunff.exe
      PID: 3480
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe .
    PID: 1140
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\jjvvklztpfbdiyidunff.exe
      Command line: jjvvklztpfbdiyidunff.exe .
      PID: 5184
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jjvvklztpfbdiyidunff.exe*."
        PID: 4972
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe
    PID: 2276
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\vrzvgdndvhzxykqh.exe
      Command line: vrzvgdndvhzxykqh.exe
      PID: 4740
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe .
    PID: 4716
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\ljtredphbpjjmaibqh.exe
      Command line: ljtredphbpjjmaibqh.exe .
      PID: 4920
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\ljtredphbpjjmaibqh.exe*."
        PID: 4592
        - Executes dropped EXE
[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe
    PID: 4892
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe
      PID: 4356
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
    PID: 5148
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
      PID: 3492
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\czifrparkxqpreldr.exe*."
        PID: 5396
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe
    PID: 5684
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe
      PID: 1100
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .
    PID: 3896
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .
      PID: 1560
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jjvvklztpfbdiyidunff.exe*."
        PID: 864
        - Executes dropped EXE
[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe
    PID: 1232
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\czifrparkxqpreldr.exe
      Command line: czifrparkxqpreldr.exe
      PID: 2792
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe
    PID: 1304
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\vrzvgdndvhzxykqh.exe
      Command line: vrzvgdndvhzxykqh.exe
      PID: 3176
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe .
    PID: 3016
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\ljtredphbpjjmaibqh.exe
      Command line: ljtredphbpjjmaibqh.exe .
      PID: 880
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\ljtredphbpjjmaibqh.exe*."
        PID: 1120
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe .
    PID: 5292
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\jjvvklztpfbdiyidunff.exe
      Command line: jjvvklztpfbdiyidunff.exe .
      PID: 1572
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jjvvklztpfbdiyidunff.exe*."
        PID: 2840
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe
    PID: 1876
  [2] C:\Windows\czifrparkxqpreldr.exe
      Command line: czifrparkxqpreldr.exe
      PID: 2360
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe
    PID: 2992
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\jjvvklztpfbdiyidunff.exe
      Command line: jjvvklztpfbdiyidunff.exe
      PID: 5360
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe .
    PID: 5380
  [2] C:\Windows\jjvvklztpfbdiyidunff.exe
      Command line: jjvvklztpfbdiyidunff.exe .
      PID: 5960
      - Checks computer location settings
      - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jjvvklztpfbdiyidunff.exe*."
        PID: 5936
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe .
    PID: 3052
  [2] C:\Windows\ljtredphbpjjmaibqh.exe
      Command line: ljtredphbpjjmaibqh.exe .
      PID: 1056
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\ljtredphbpjjmaibqh.exe*."
        PID: 5764
        - Executes dropped EXE
[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe
    PID: 5140
  [2] C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe
      PID: 2064
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe
    PID: 1752
  [2] C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe
      PID: 5504
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
    PID: 5516
  [2] C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
      PID: 4796
      - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wvgfttgzujefjyhbrja.exe*."
        PID: 4744
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .
    PID: 3012
  [2] C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .
      PID: 5972
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\ljtredphbpjjmaibqh.exe*."
        PID: 4756
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe
    PID: 3564
  [2] C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe
      PID: 5828
      - Executes dropped EXE
[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe
    PID: 3708
  [2] C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe
      PID: 5352
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe
    PID: 5548
  [2] C:\Windows\yzmndfupmdadjalhztmna.exe
      Command line: yzmndfupmdadjalhztmna.exe
      PID: 4192
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
    PID: 5520
  [2] C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
      PID: 4780
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wvgfttgzujefjyhbrja.exe*."
        PID: 1100
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .
    PID: 1260
  [2] C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .
      PID: 5812
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jjvvklztpfbdiyidunff.exe*."
        PID: 5596
        - Executes dropped EXE
[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe .
    PID: 3480
  [2] C:\Windows\jjvvklztpfbdiyidunff.exe
      Command line: jjvvklztpfbdiyidunff.exe .
      PID: 4056
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jjvvklztpfbdiyidunff.exe*."
        PID: 5008
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe
    PID: 4816
  [2] C:\Windows\yzmndfupmdadjalhztmna.exe
      Command line: yzmndfupmdadjalhztmna.exe
      PID: 1548
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe .
    PID: 2276
  [2] C:\Windows\czifrparkxqpreldr.exe
      Command line: czifrparkxqpreldr.exe .
      PID: 5148
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\czifrparkxqpreldr.exe*."
        PID: 3980
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe
    PID: 4028
  [2] C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe
      PID: 624
      - Executes dropped EXE
[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .
    PID: 3528
  [2] C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .
      PID: 2044
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vrzvgdndvhzxykqh.exe*."
        PID: 1688
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe
    PID: 6092
  [2] C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe
      PID: 1780
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
    PID: 3032
  [2] C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
      PID: 3420
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\czifrparkxqpreldr.exe*."
        PID: 5544
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe
    PID: 2180
  [2] C:\Windows\jjvvklztpfbdiyidunff.exe
      Command line: jjvvklztpfbdiyidunff.exe
      PID: 760
      - Executes dropped EXE
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe .1⤵PID:2632
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3176
-
-
C:\Windows\yzmndfupmdadjalhztmna.exeyzmndfupmdadjalhztmna.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5436 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yzmndfupmdadjalhztmna.exe*."3⤵
- Executes dropped EXE
PID:460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe1⤵PID:1304
-
C:\Windows\vrzvgdndvhzxykqh.exevrzvgdndvhzxykqh.exe2⤵
- Executes dropped EXE
PID:2348
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe .1⤵PID:3544
-
C:\Windows\wvgfttgzujefjyhbrja.exewvgfttgzujefjyhbrja.exe .2⤵
- Executes dropped EXE
PID:1572 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wvgfttgzujefjyhbrja.exe*."3⤵
- Executes dropped EXE
PID:572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe1⤵PID:1388
-
C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe2⤵
- Executes dropped EXE
PID:5276
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .1⤵PID:2976
-
C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exeC:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .2⤵
- Executes dropped EXE
PID:768 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\czifrparkxqpreldr.exe*."3⤵
- Executes dropped EXE
PID:3644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe1⤵PID:4340
-
C:\Windows\wvgfttgzujefjyhbrja.exewvgfttgzujefjyhbrja.exe2⤵
- Executes dropped EXE
PID:5432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe1⤵PID:3016
-
C:\Windows\czifrparkxqpreldr.execzifrparkxqpreldr.exe2⤵
- Executes dropped EXE
PID:1256
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe1⤵PID:5536
-
C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe2⤵
- Executes dropped EXE
PID:3948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe .1⤵PID:3912
-
C:\Windows\wvgfttgzujefjyhbrja.exewvgfttgzujefjyhbrja.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5700 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wvgfttgzujefjyhbrja.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe .1⤵PID:3212
-
C:\Windows\yzmndfupmdadjalhztmna.exeyzmndfupmdadjalhztmna.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4460 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yzmndfupmdadjalhztmna.exe*."3⤵PID:4500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .1⤵PID:2360
-
C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .2⤵
- Checks computer location settings
PID:4560 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\ljtredphbpjjmaibqh.exe*."3⤵PID:6048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe1⤵PID:4576
-
C:\Windows\ljtredphbpjjmaibqh.exeljtredphbpjjmaibqh.exe2⤵PID:4660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe1⤵PID:4488
-
C:\Windows\wvgfttgzujefjyhbrja.exewvgfttgzujefjyhbrja.exe2⤵PID:4128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe .1⤵PID:4372
-
C:\Windows\ljtredphbpjjmaibqh.exeljtredphbpjjmaibqh.exe .2⤵
- Checks computer location settings
PID:4892 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\ljtredphbpjjmaibqh.exe*."3⤵PID:620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe .1⤵PID:1012
-
C:\Windows\jjvvklztpfbdiyidunff.exejjvvklztpfbdiyidunff.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5228 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jjvvklztpfbdiyidunff.exe*."3⤵PID:5988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe1⤵PID:5168
-
C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exeC:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe2⤵PID:5404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe1⤵PID:3124
-
C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe2⤵PID:3548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .1⤵PID:3936
-
C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exeC:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .2⤵PID:3516
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jjvvklztpfbdiyidunff.exe*."3⤵PID:4516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .1⤵PID:4884
-
C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .2⤵PID:5064
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wvgfttgzujefjyhbrja.exe*."3⤵PID:4648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe1⤵PID:4744
-
C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe2⤵PID:4420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe1⤵PID:4700
-
C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe2⤵PID:5788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .1⤵PID:5812
-
C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .2⤵
- Checks computer location settings
PID:5604 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wvgfttgzujefjyhbrja.exe*."3⤵PID:5484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .1⤵PID:5008
-
C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exeC:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .2⤵PID:5148
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\czifrparkxqpreldr.exe*."3⤵PID:2436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe1⤵PID:3964
-
C:\Windows\wvgfttgzujefjyhbrja.exewvgfttgzujefjyhbrja.exe2⤵PID:960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe .1⤵PID:6096
-
C:\Windows\wvgfttgzujefjyhbrja.exewvgfttgzujefjyhbrja.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:424 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wvgfttgzujefjyhbrja.exe*."3⤵PID:5412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe1⤵PID:4356
-
C:\Windows\czifrparkxqpreldr.execzifrparkxqpreldr.exe2⤵PID:1556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe .1⤵PID:2044
-
C:\Windows\yzmndfupmdadjalhztmna.exeyzmndfupmdadjalhztmna.exe .2⤵
- Checks computer location settings
PID:2780 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yzmndfupmdadjalhztmna.exe*."3⤵PID:1164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe1⤵PID:4864
-
C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exeC:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe2⤵PID:732
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .1⤵PID:5488
-
C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vrzvgdndvhzxykqh.exe*."3⤵PID:760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe1⤵PID:2352
-
C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exeC:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe2⤵PID:4016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .1⤵PID:4144
-
C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exeC:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2632 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\czifrparkxqpreldr.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe1⤵PID:3268
-
C:\Windows\wvgfttgzujefjyhbrja.exewvgfttgzujefjyhbrja.exe2⤵PID:3208
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe .1⤵PID:5272
-
C:\Windows\vrzvgdndvhzxykqh.exevrzvgdndvhzxykqh.exe .2⤵PID:3544
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vrzvgdndvhzxykqh.exe*."3⤵PID:3840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe1⤵PID:5280
-
C:\Windows\wvgfttgzujefjyhbrja.exewvgfttgzujefjyhbrja.exe2⤵PID:748
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe .1⤵PID:5208
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1120
-
-
C:\Windows\yzmndfupmdadjalhztmna.exeyzmndfupmdadjalhztmna.exe .2⤵
- Checks computer location settings
PID:2448 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yzmndfupmdadjalhztmna.exe*."3⤵PID:5196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe1⤵PID:5136
-
C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe2⤵PID:608
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .1⤵PID:4764
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5544
-
-
C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exeC:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3360 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\czifrparkxqpreldr.exe*."3⤵PID:4588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe1⤵PID:4296
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5700
-
-
C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exeC:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe2⤵PID:6076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .1⤵PID:4560
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5972
-
-
C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .2⤵
- Checks computer location settings
PID:8 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\ljtredphbpjjmaibqh.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe1⤵PID:5368
-
C:\Windows\wvgfttgzujefjyhbrja.exewvgfttgzujefjyhbrja.exe2⤵PID:884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe .1⤵PID:1508
-
C:\Windows\czifrparkxqpreldr.execzifrparkxqpreldr.exe .2⤵
- Checks computer location settings
PID:4672 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\czifrparkxqpreldr.exe*."3⤵PID:4276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe1⤵PID:6036
-
C:\Windows\jjvvklztpfbdiyidunff.exejjvvklztpfbdiyidunff.exe2⤵PID:5228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe .1⤵PID:4708
-
C:\Windows\vrzvgdndvhzxykqh.exevrzvgdndvhzxykqh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1900 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vrzvgdndvhzxykqh.exe*."3⤵PID:4368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe1⤵PID:4584
-
C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exeC:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe2⤵PID:4056
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .1⤵PID:3088
-
C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1636 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vrzvgdndvhzxykqh.exe*."3⤵PID:2104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe1⤵PID:5216
-
C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe2⤵PID:5936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .1⤵PID:5400
-
C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .2⤵PID:5856
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vrzvgdndvhzxykqh.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:5184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe1⤵PID:2416
-
C:\Windows\jjvvklztpfbdiyidunff.exejjvvklztpfbdiyidunff.exe2⤵PID:4760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe .1⤵PID:5880
-
C:\Windows\yzmndfupmdadjalhztmna.exeyzmndfupmdadjalhztmna.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:6068 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yzmndfupmdadjalhztmna.exe*."3⤵PID:3560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe1⤵PID:5068
-
C:\Windows\ljtredphbpjjmaibqh.exeljtredphbpjjmaibqh.exe2⤵PID:424
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe .1⤵PID:536
-
C:\Windows\jjvvklztpfbdiyidunff.exejjvvklztpfbdiyidunff.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1392 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jjvvklztpfbdiyidunff.exe*."3⤵PID:1724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe1⤵PID:2436
-
C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe2⤵PID:4748
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .1⤵PID:5508
-
C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .2⤵PID:5008
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\ljtredphbpjjmaibqh.exe*."3⤵PID:1952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe1⤵PID:4960
-
C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exeC:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe2⤵PID:224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .1⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exeC:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5736 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jjvvklztpfbdiyidunff.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe1⤵PID:1284
-
C:\Windows\ljtredphbpjjmaibqh.exeljtredphbpjjmaibqh.exe2⤵PID:4364
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe .1⤵PID:5220
-
C:\Windows\jjvvklztpfbdiyidunff.exejjvvklztpfbdiyidunff.exe .2⤵
- Checks computer location settings
PID:3660 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jjvvklztpfbdiyidunff.exe*."3⤵PID:5932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe1⤵PID:2632
-
C:\Windows\czifrparkxqpreldr.execzifrparkxqpreldr.exe2⤵PID:4196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe .1⤵PID:6008
-
C:\Windows\wvgfttgzujefjyhbrja.exewvgfttgzujefjyhbrja.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5616 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wvgfttgzujefjyhbrja.exe*."3⤵PID:1388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe1⤵PID:3156
-
C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe2⤵PID:768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .1⤵PID:3840
-
C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .2⤵
- Checks computer location settings
PID:748 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\ljtredphbpjjmaibqh.exe*."3⤵PID:5292
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe1⤵PID:1608
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:608
-
-
C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exeC:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe2⤵PID:2340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .1⤵PID:4084
-
C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .2⤵
- Checks computer location settings
PID:4220 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vrzvgdndvhzxykqh.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe1⤵PID:4160
-
C:\Windows\yzmndfupmdadjalhztmna.exeyzmndfupmdadjalhztmna.exe2⤵PID:388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe .1⤵PID:4548
-
C:\Windows\jjvvklztpfbdiyidunff.exejjvvklztpfbdiyidunff.exe .2⤵
- Checks computer location settings
PID:6136 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jjvvklztpfbdiyidunff.exe*."3⤵PID:5348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe1⤵PID:3992
-
C:\Windows\wvgfttgzujefjyhbrja.exewvgfttgzujefjyhbrja.exe2⤵PID:5664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe .1⤵PID:396
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4128
-
-
C:\Windows\vrzvgdndvhzxykqh.exevrzvgdndvhzxykqh.exe .2⤵
- Checks computer location settings
PID:1632 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vrzvgdndvhzxykqh.exe*."3⤵PID:3232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe1⤵PID:4192
-
C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exeC:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe2⤵PID:2548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .1⤵PID:1360
-
C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4556 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wvgfttgzujefjyhbrja.exe*."3⤵PID:404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe1⤵PID:3172
-
C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe2⤵PID:5656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .1⤵PID:4368
-
C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wvgfttgzujefjyhbrja.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe1⤵PID:1160
-
C:\Windows\ljtredphbpjjmaibqh.exeljtredphbpjjmaibqh.exe2⤵PID:3628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe1⤵PID:1796
-
C:\Windows\vrzvgdndvhzxykqh.exevrzvgdndvhzxykqh.exe2⤵PID:5800
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe1⤵PID:5344
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5788
-
-
C:\Windows\ljtredphbpjjmaibqh.exeljtredphbpjjmaibqh.exe2⤵PID:5808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe .1⤵PID:816
-
C:\Windows\wvgfttgzujefjyhbrja.exewvgfttgzujefjyhbrja.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5896 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wvgfttgzujefjyhbrja.exe*."3⤵PID:1392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe .1⤵PID:1248
-
C:\Windows\yzmndfupmdadjalhztmna.exeyzmndfupmdadjalhztmna.exe .2⤵
- Checks computer location settings
PID:4028 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yzmndfupmdadjalhztmna.exe*."3⤵PID:4416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe .1⤵PID:1116
-
C:\Windows\vrzvgdndvhzxykqh.exevrzvgdndvhzxykqh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2420 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vrzvgdndvhzxykqh.exe*."3⤵PID:3552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe1⤵PID:3776
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6068
-
-
C:\Windows\jjvvklztpfbdiyidunff.exejjvvklztpfbdiyidunff.exe2⤵PID:1724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe1⤵PID:2384
-
C:\Windows\ljtredphbpjjmaibqh.exeljtredphbpjjmaibqh.exe2⤵PID:5428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe1⤵PID:5040
-
C:\Windows\vrzvgdndvhzxykqh.exevrzvgdndvhzxykqh.exe2⤵PID:5436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe .1⤵PID:4380
-
C:\Windows\yzmndfupmdadjalhztmna.exeyzmndfupmdadjalhztmna.exe .2⤵
- Checks computer location settings
PID:3496 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yzmndfupmdadjalhztmna.exe*."3⤵PID:3348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe .1⤵PID:536
-
C:\Windows\ljtredphbpjjmaibqh.exeljtredphbpjjmaibqh.exe .2⤵PID:1380
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\ljtredphbpjjmaibqh.exe*."3⤵PID:3044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe .1⤵PID:5252
-
C:\Windows\czifrparkxqpreldr.execzifrparkxqpreldr.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3824 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\czifrparkxqpreldr.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3340
C:\Windows\system32\cmd.exe (PID 4632): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe
  C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe (PID 3660): C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe

C:\Windows\system32\cmd.exe (PID 2780): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe
  C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe (PID 3016): C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe

C:\Windows\system32\cmd.exe (PID 2212): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe
  C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe (PID 5164): C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe

C:\Windows\system32\cmd.exe (PID 3140): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
  C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe (PID 4684): C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 396): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wvgfttgzujefjyhbrja.exe*."

C:\Windows\system32\cmd.exe (PID 2276): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .
  C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe (PID 3056): C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4500): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jjvvklztpfbdiyidunff.exe*."

C:\Windows\system32\cmd.exe (PID 1628): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .
  C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe (PID 3156): C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 1520): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jjvvklztpfbdiyidunff.exe*."

C:\Windows\system32\cmd.exe (PID 3796): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe
  C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe (PID 4588): C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe

C:\Windows\system32\cmd.exe (PID 1844): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe
  C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe (PID 448): C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe

C:\Windows\system32\cmd.exe (PID 2632): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe
  C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe (PID 3860): C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe

C:\Windows\system32\cmd.exe (PID 6064): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .
  C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe (PID 4512): C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5228): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yzmndfupmdadjalhztmna.exe*."

C:\Windows\system32\cmd.exe (PID 1256): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .
  C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe (PID 2520): C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 8): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jjvvklztpfbdiyidunff.exe*."

C:\Windows\system32\cmd.exe (PID 1640): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
  C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe (PID 436): C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 6048): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\czifrparkxqpreldr.exe*."

C:\Windows\system32\cmd.exe (PID 6040): C:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe
  C:\Windows\wvgfttgzujefjyhbrja.exe (PID 5112): wvgfttgzujefjyhbrja.exe

C:\Windows\system32\cmd.exe (PID 1880): C:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe .
  C:\Windows\System32\Conhost.exe (PID 884): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\czifrparkxqpreldr.exe (PID 4308): czifrparkxqpreldr.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5988): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\czifrparkxqpreldr.exe*."

C:\Windows\system32\cmd.exe (PID 1752): C:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe
  C:\Windows\System32\Conhost.exe (PID 4672): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\czifrparkxqpreldr.exe (PID 4052): czifrparkxqpreldr.exe

C:\Windows\system32\cmd.exe (PID 4540): C:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe .
  C:\Windows\ljtredphbpjjmaibqh.exe (PID 620): ljtredphbpjjmaibqh.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2368): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\ljtredphbpjjmaibqh.exe*."

C:\Windows\system32\cmd.exe (PID 5568): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe
  C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe (PID 4768): C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe

C:\Windows\system32\cmd.exe (PID 5828): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
  C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe (PID 4516): C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2360): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wvgfttgzujefjyhbrja.exe*."

C:\Windows\system32\cmd.exe (PID 4288): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe
  C:\Windows\System32\Conhost.exe (PID 5800): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe (PID 5556): C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe

C:\Windows\system32\cmd.exe (PID 5856): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
  C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe (PID 6140): C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 1548): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\czifrparkxqpreldr.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
C:\Windows\system32\backgroundTaskHost.exe (PID 3560): "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\cmd.exe (PID 2180): C:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe
  C:\Windows\czifrparkxqpreldr.exe (PID 1116): czifrparkxqpreldr.exe

C:\Windows\system32\cmd.exe (PID 2956): C:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe .
  C:\Windows\vrzvgdndvhzxykqh.exe (PID 3720): vrzvgdndvhzxykqh.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 3896): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vrzvgdndvhzxykqh.exe*."

C:\Windows\system32\cmd.exe (PID 3976): C:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe
  C:\Windows\yzmndfupmdadjalhztmna.exe (PID 3176): yzmndfupmdadjalhztmna.exe

C:\Windows\system32\cmd.exe (PID 4592): C:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe .
  C:\Windows\yzmndfupmdadjalhztmna.exe (PID 5616): yzmndfupmdadjalhztmna.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 3616): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yzmndfupmdadjalhztmna.exe*."

C:\Windows\system32\cmd.exe (PID 1924): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe
  C:\Windows\System32\Conhost.exe (PID 3348): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe (PID 2948): C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe

C:\Windows\system32\cmd.exe (PID 768): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .
  C:\Windows\System32\Conhost.exe (PID 4220): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe (PID 3048): C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 6096): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jjvvklztpfbdiyidunff.exe*."

C:\Windows\system32\cmd.exe (PID 5524): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe
  C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe (PID 4792): C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe

C:\Windows\system32\cmd.exe (PID 5252): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .
  C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe (PID 3500): C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2768): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vrzvgdndvhzxykqh.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe (PID 5196): C:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe
  C:\Windows\ljtredphbpjjmaibqh.exe (PID 1932): ljtredphbpjjmaibqh.exe

C:\Windows\system32\cmd.exe (PID 912): C:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe .
  C:\Windows\wvgfttgzujefjyhbrja.exe (PID 3424): wvgfttgzujefjyhbrja.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5564): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wvgfttgzujefjyhbrja.exe*."

C:\Windows\system32\cmd.exe (PID 2016): C:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe
  C:\Windows\jjvvklztpfbdiyidunff.exe (PID 408): jjvvklztpfbdiyidunff.exe

C:\Windows\system32\cmd.exe (PID 1808): C:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe .
  C:\Windows\yzmndfupmdadjalhztmna.exe (PID 5432): yzmndfupmdadjalhztmna.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5148): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yzmndfupmdadjalhztmna.exe*."

C:\Windows\system32\cmd.exe (PID 5972): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe
  C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe (PID 5328): C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe

C:\Windows\system32\cmd.exe (PID 4412): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .
  C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe (PID 5560): C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 624): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\ljtredphbpjjmaibqh.exe*."

C:\Windows\system32\cmd.exe (PID 552): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe
  C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe (PID 1964): C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe

C:\Windows\system32\cmd.exe (PID 4796): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
  C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe (PID 2884): C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2844): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wvgfttgzujefjyhbrja.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe (PID 3220): C:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe
  C:\Windows\yzmndfupmdadjalhztmna.exe (PID 3556): yzmndfupmdadjalhztmna.exe

C:\Windows\system32\cmd.exe (PID 6060): C:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe .
  C:\Windows\ljtredphbpjjmaibqh.exe (PID 3172): ljtredphbpjjmaibqh.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 1624): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\ljtredphbpjjmaibqh.exe*."

C:\Windows\system32\cmd.exe (PID 4420): C:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe
  C:\Windows\ljtredphbpjjmaibqh.exe (PID 5316): ljtredphbpjjmaibqh.exe

C:\Windows\system32\cmd.exe (PID 3124): C:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe .
  C:\Windows\ljtredphbpjjmaibqh.exe (PID 5336): ljtredphbpjjmaibqh.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5344): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\ljtredphbpjjmaibqh.exe*."

C:\Windows\system32\cmd.exe (PID 4368): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe
  C:\Windows\System32\Conhost.exe (PID 2104): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe (PID 5216): C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe

C:\Windows\system32\cmd.exe (PID 4008): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .
  C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe (PID 5888): C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 1560): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\ljtredphbpjjmaibqh.exe*."

C:\Windows\system32\cmd.exe (PID 1796): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe
  C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe (PID 2420): C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe

C:\Windows\system32\cmd.exe (PID 3612): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
  C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe (PID 5428): C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 460): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wvgfttgzujefjyhbrja.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
C:\Windows\system32\cmd.exe (PID 2008): C:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe
  C:\Windows\wvgfttgzujefjyhbrja.exe (PID 2608): wvgfttgzujefjyhbrja.exe

C:\Windows\system32\cmd.exe (PID 3660): C:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe .
  C:\Windows\yzmndfupmdadjalhztmna.exe (PID 3208): yzmndfupmdadjalhztmna.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 60): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yzmndfupmdadjalhztmna.exe*."

C:\Windows\system32\cmd.exe (PID 4068): C:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe
  C:\Windows\wvgfttgzujefjyhbrja.exe (PID 5280): wvgfttgzujefjyhbrja.exe

C:\Windows\system32\cmd.exe (PID 4856): C:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe .
  C:\Windows\System32\Conhost.exe (PID 3824): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\wvgfttgzujefjyhbrja.exe (PID 5008): wvgfttgzujefjyhbrja.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4076): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wvgfttgzujefjyhbrja.exe*."

C:\Windows\system32\cmd.exe (PID 1996): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe
  C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe (PID 3016): C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe

C:\Windows\system32\cmd.exe (PID 3512): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
  C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe (PID 2424): C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2680): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\czifrparkxqpreldr.exe*."

C:\Windows\system32\cmd.exe (PID 1100): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe
  C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe (PID 5748): C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe

C:\Windows\system32\cmd.exe (PID 3500): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
  C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe (PID 1904): C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2744): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\czifrparkxqpreldr.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe (PID 6008): C:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe
  C:\Windows\wvgfttgzujefjyhbrja.exe (PID 3644): wvgfttgzujefjyhbrja.exe

C:\Windows\system32\cmd.exe (PID 5496): C:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe .
  C:\Windows\yzmndfupmdadjalhztmna.exe (PID 6136): yzmndfupmdadjalhztmna.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2016): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yzmndfupmdadjalhztmna.exe*."

C:\Windows\system32\cmd.exe (PID 6032): C:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe
  C:\Windows\wvgfttgzujefjyhbrja.exe (PID 1464): wvgfttgzujefjyhbrja.exe

C:\Windows\system32\cmd.exe (PID 4284): C:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe .
  C:\Windows\ljtredphbpjjmaibqh.exe (PID 4452): ljtredphbpjjmaibqh.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2064): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\ljtredphbpjjmaibqh.exe*."

C:\Windows\system32\cmd.exe (PID 5432): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe
  C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe (PID 740): C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe

C:\Windows\system32\cmd.exe (PID 1808): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .
  C:\Windows\System32\Conhost.exe (PID 2520): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe (PID 624): C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2192): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vrzvgdndvhzxykqh.exe*."

C:\Windows\system32\cmd.exe (PID 5388): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe
  C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe (PID 5692): C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe

C:\Windows\system32\cmd.exe (PID 5224): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .
  C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe (PID 2924): C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 396): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\ljtredphbpjjmaibqh.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe (PID 3232): C:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe
  C:\Windows\ljtredphbpjjmaibqh.exe (PID 3556): ljtredphbpjjmaibqh.exe

C:\Windows\system32\cmd.exe (PID 5284): C:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe
  C:\Windows\wvgfttgzujefjyhbrja.exe (PID 1752): wvgfttgzujefjyhbrja.exe

C:\Windows\system32\cmd.exe (PID 5796): C:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe .
  C:\Windows\czifrparkxqpreldr.exe (PID 4368): czifrparkxqpreldr.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5128): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\czifrparkxqpreldr.exe*."

C:\Windows\system32\cmd.exe (PID 5568): C:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe .
  C:\Windows\vrzvgdndvhzxykqh.exe (PID 4372): vrzvgdndvhzxykqh.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 684): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vrzvgdndvhzxykqh.exe*."

C:\Windows\system32\cmd.exe (PID 2704): C:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe
  C:\Windows\vrzvgdndvhzxykqh.exe (PID 5048): vrzvgdndvhzxykqh.exe

C:\Windows\system32\cmd.exe (PID 532): C:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe
  C:\Windows\System32\Conhost.exe (PID 4420): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\jjvvklztpfbdiyidunff.exe (PID 3932): jjvvklztpfbdiyidunff.exe

C:\Windows\system32\cmd.exe (PID 4616): C:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe
  C:\Windows\vrzvgdndvhzxykqh.exe (PID 3592): vrzvgdndvhzxykqh.exe

C:\Windows\system32\cmd.exe (PID 4852): C:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe .
  C:\Windows\wvgfttgzujefjyhbrja.exe (PID 2956): wvgfttgzujefjyhbrja.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 1608): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wvgfttgzujefjyhbrja.exe*."

C:\Windows\system32\cmd.exe (PID 5344): C:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe .
  C:\Windows\ljtredphbpjjmaibqh.exe (PID 1028): ljtredphbpjjmaibqh.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 3852): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\ljtredphbpjjmaibqh.exe*."

C:\Windows\system32\cmd.exe (PID 1240): C:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe .
  C:\Windows\System32\Conhost.exe (PID 4648): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\yzmndfupmdadjalhztmna.exe (PID 224): yzmndfupmdadjalhztmna.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5368): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yzmndfupmdadjalhztmna.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
C:\Windows\system32\cmd.exe (PID 3636): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe
  C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe (PID 5352): C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe

C:\Windows\system32\cmd.exe (PID 5992): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe
  C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe (PID 4588): C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe

C:\Windows\system32\cmd.exe (PID 4780): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .
  C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe (PID 4380): C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 3796): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yzmndfupmdadjalhztmna.exe*."

C:\Windows\system32\cmd.exe (PID 4656): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
  C:\Windows\System32\Conhost.exe (PID 1116): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe (PID 4876): C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4124): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\czifrparkxqpreldr.exe*."

C:\Windows\system32\cmd.exe (PID 5604): C:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe
  C:\Windows\yzmndfupmdadjalhztmna.exe (PID 1688): yzmndfupmdadjalhztmna.exe

C:\Windows\system32\cmd.exe (PID 5412): C:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe .
  C:\Windows\yzmndfupmdadjalhztmna.exe (PID 2304): yzmndfupmdadjalhztmna.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 748): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yzmndfupmdadjalhztmna.exe*."

C:\Windows\system32\cmd.exe (PID 5292): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe
  C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe (PID 1920): C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe

C:\Windows\system32\cmd.exe (PID 3208): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe
  C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe (PID 2364): C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe

C:\Windows\system32\cmd.exe (PID 3420): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe
  C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe (PID 2120): C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe

C:\Windows\system32\cmd.exe (PID 5616): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .
  C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe (PID 1820): C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5664): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vrzvgdndvhzxykqh.exe*."

C:\Windows\system32\cmd.exe (PID 3156): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .
  C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe (PID 5212): C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5752): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vrzvgdndvhzxykqh.exe*."

C:\Windows\system32\cmd.exe (PID 5768): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
  C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe (PID 1856): C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4564): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\czifrparkxqpreldr.exe*."

C:\Windows\system32\cmd.exe (PID 4900): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe
  C:\Windows\System32\Conhost.exe (PID 5484): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe (PID 1912): C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe

C:\Windows\system32\cmd.exe (PID 4560): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .
  C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe (PID 376): C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4304): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jjvvklztpfbdiyidunff.exe*."

C:\Windows\system32\cmd.exe (PID 4432): C:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe
  C:\Windows\czifrparkxqpreldr.exe (PID 1808): czifrparkxqpreldr.exe

C:\Windows\system32\cmd.exe (PID 3336): C:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe .
  C:\Windows\wvgfttgzujefjyhbrja.exe (PID 1152): wvgfttgzujefjyhbrja.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2924): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wvgfttgzujefjyhbrja.exe*."

C:\Windows\system32\cmd.exe (PID 5552): C:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe
  C:\Windows\yzmndfupmdadjalhztmna.exe (PID 4812): yzmndfupmdadjalhztmna.exe

C:\Windows\system32\cmd.exe (PID 1120): C:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe .
  C:\Windows\jjvvklztpfbdiyidunff.exe (PID 4716): jjvvklztpfbdiyidunff.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5808): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jjvvklztpfbdiyidunff.exe*."

C:\Windows\system32\cmd.exe (PID 4576): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe
  C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe (PID 1900): C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe

C:\Windows\system32\cmd.exe (PID 1772): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
  C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe (PID 3536): C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4136): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\czifrparkxqpreldr.exe*."

C:\Windows\system32\cmd.exe (PID 3216): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe
  C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe (PID 3492): C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe

C:\Windows\system32\cmd.exe (PID 2168): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .
  C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe (PID 4172): C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 3948): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vrzvgdndvhzxykqh.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe (PID 4924): C:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe
  C:\Windows\jjvvklztpfbdiyidunff.exe (PID 2704): jjvvklztpfbdiyidunff.exe

C:\Windows\system32\cmd.exe (PID 4540): C:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe .
  C:\Windows\ljtredphbpjjmaibqh.exe (PID 5544): ljtredphbpjjmaibqh.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5960): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\ljtredphbpjjmaibqh.exe*."

C:\Windows\system32\cmd.exe (PID 4592): C:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe
  C:\Windows\yzmndfupmdadjalhztmna.exe (PID 984): yzmndfupmdadjalhztmna.exe

C:\Windows\system32\cmd.exe (PID 5100): C:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe .
  C:\Windows\ljtredphbpjjmaibqh.exe (PID 3952): ljtredphbpjjmaibqh.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4464): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\ljtredphbpjjmaibqh.exe*."

C:\Windows\system32\cmd.exe (PID 2436): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe
  C:\Windows\System32\Conhost.exe (PID 1520): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe (PID 2556): C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe

C:\Windows\system32\cmd.exe (PID 5204): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .
  C:\Windows\System32\Conhost.exe (PID 1164): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe (PID 3132): C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 1916): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vrzvgdndvhzxykqh.exe*."

C:\Windows\system32\cmd.exe (PID 5816): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe
  C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe (PID 5732): C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe

C:\Windows\system32\cmd.exe (PID 912): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .
  C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe (PID 3208): C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vrzvgdndvhzxykqh.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe1⤵PID:748
-
C:\Windows\wvgfttgzujefjyhbrja.exewvgfttgzujefjyhbrja.exe2⤵PID:4568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe .1⤵PID:1388
-
C:\Windows\wvgfttgzujefjyhbrja.exewvgfttgzujefjyhbrja.exe .2⤵PID:3176
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wvgfttgzujefjyhbrja.exe*."3⤵PID:1924
-
-
-
C:\Windows\system32\cmd.exe (PID 2044): C:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe
    C:\Windows\ljtredphbpjjmaibqh.exe (PID 4376): ljtredphbpjjmaibqh.exe

C:\Windows\system32\cmd.exe (PID 4648): C:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe .
    C:\Windows\czifrparkxqpreldr.exe (PID 5148): czifrparkxqpreldr.exe .
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5504): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\czifrparkxqpreldr.exe*."

C:\Windows\system32\cmd.exe (PID 5040): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe
    C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe (PID 2064): C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe

C:\Windows\system32\cmd.exe (PID 1488): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .
    C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe (PID 2144): C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 712): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yzmndfupmdadjalhztmna.exe*."

C:\Windows\system32\cmd.exe (PID 4756): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe
    C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe (PID 3828): C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe

C:\Windows\system32\cmd.exe (PID 5868): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
    C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe (PID 5464): C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 624): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\czifrparkxqpreldr.exe*."

C:\Windows\system32\cmd.exe (PID 552): C:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe
    C:\Windows\ljtredphbpjjmaibqh.exe (PID 864): ljtredphbpjjmaibqh.exe

C:\Windows\system32\cmd.exe (PID 4688): C:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe .
    C:\Windows\jjvvklztpfbdiyidunff.exe (PID 5380): jjvvklztpfbdiyidunff.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 1900): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jjvvklztpfbdiyidunff.exe*."

C:\Windows\system32\cmd.exe (PID 2988): C:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe
    C:\Windows\wvgfttgzujefjyhbrja.exe (PID 4796): wvgfttgzujefjyhbrja.exe

C:\Windows\system32\cmd.exe (PID 5248): C:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe .
    C:\Windows\jjvvklztpfbdiyidunff.exe (PID 3220): jjvvklztpfbdiyidunff.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 1772): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jjvvklztpfbdiyidunff.exe*."

C:\Windows\system32\cmd.exe (PID 4740): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe
    C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe (PID 4748): C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe

C:\Windows\system32\cmd.exe (PID 4024): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .
    C:\Windows\System32\Conhost.exe (PID 4760): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe (PID 2236): C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 3492): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jjvvklztpfbdiyidunff.exe*."

C:\Windows\system32\cmd.exe (PID 6044): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe
    C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe (PID 3052): C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe

C:\Windows\system32\cmd.exe (PID 5368): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
    C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe (PID 4692): C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 3044): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wvgfttgzujefjyhbrja.exe*."

C:\Windows\system32\cmd.exe (PID 5168): C:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe
    C:\Windows\czifrparkxqpreldr.exe (PID 2192): czifrparkxqpreldr.exe

C:\Windows\system32\cmd.exe (PID 4924): C:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe .
    C:\Windows\wvgfttgzujefjyhbrja.exe (PID 5452): wvgfttgzujefjyhbrja.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 860): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wvgfttgzujefjyhbrja.exe*."

C:\Windows\system32\cmd.exe (PID 5960): C:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe
    C:\Windows\yzmndfupmdadjalhztmna.exe (PID 984): yzmndfupmdadjalhztmna.exe

C:\Windows\system32\cmd.exe (PID 3760): C:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe .
    C:\Windows\yzmndfupmdadjalhztmna.exe (PID 608): yzmndfupmdadjalhztmna.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 6056): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yzmndfupmdadjalhztmna.exe*."

C:\Windows\system32\cmd.exe (PID 396): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe
    C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe (PID 5044): C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe

C:\Windows\system32\cmd.exe (PID 460): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .
    C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe (PID 1584): C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5208): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jjvvklztpfbdiyidunff.exe*."

C:\Windows\system32\cmd.exe (PID 1904): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe
    C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe (PID 6052): C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe

C:\Windows\system32\cmd.exe (PID 5732): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
    C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe (PID 5316): C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 3976): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\czifrparkxqpreldr.exe*."

C:\Windows\system32\cmd.exe (PID 772): C:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe
    C:\Windows\ljtredphbpjjmaibqh.exe (PID 4736): ljtredphbpjjmaibqh.exe

C:\Windows\system32\cmd.exe (PID 4712): C:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe .
    C:\Windows\System32\Conhost.exe (PID 5328): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\czifrparkxqpreldr.exe (PID 5088): czifrparkxqpreldr.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 740): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\czifrparkxqpreldr.exe*."

C:\Windows\system32\cmd.exe (PID 3176): C:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe
    C:\Windows\wvgfttgzujefjyhbrja.exe (PID 5228): wvgfttgzujefjyhbrja.exe

C:\Windows\system32\cmd.exe (PID 1356): C:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe .
    C:\Windows\wvgfttgzujefjyhbrja.exe (PID 3496): wvgfttgzujefjyhbrja.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4084): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wvgfttgzujefjyhbrja.exe*."

C:\Windows\system32\cmd.exe (PID 4436): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe
    C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe (PID 3836): C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe

C:\Windows\system32\cmd.exe (PID 5184): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .
    C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe (PID 5164): C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4472): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vrzvgdndvhzxykqh.exe*."

C:\Windows\system32\cmd.exe (PID 1668): C:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe
    C:\Windows\yzmndfupmdadjalhztmna.exe (PID 6116): yzmndfupmdadjalhztmna.exe

C:\Windows\system32\cmd.exe (PID 1056): C:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe
    C:\Windows\vrzvgdndvhzxykqh.exe (PID 4864): vrzvgdndvhzxykqh.exe

C:\Windows\system32\cmd.exe (PID 4676): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe
    C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe (PID 4412): C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe

C:\Windows\system32\cmd.exe (PID 4756): C:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe .
    C:\Windows\czifrparkxqpreldr.exe (PID 5936): czifrparkxqpreldr.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2988): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\czifrparkxqpreldr.exe*."

C:\Windows\system32\cmd.exe (PID 428): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .
    C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe (PID 3788): C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4816): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yzmndfupmdadjalhztmna.exe*."

C:\Windows\system32\cmd.exe (PID 2348): C:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe .
    C:\Windows\jjvvklztpfbdiyidunff.exe (PID 4556): jjvvklztpfbdiyidunff.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2992): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jjvvklztpfbdiyidunff.exe*."

C:\Windows\system32\cmd.exe (PID 5460): C:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe
    C:\Windows\jjvvklztpfbdiyidunff.exe (PID 5496): jjvvklztpfbdiyidunff.exe

C:\Windows\system32\cmd.exe (PID 3140): C:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe
    C:\Windows\czifrparkxqpreldr.exe (PID 5888): czifrparkxqpreldr.exe

C:\Windows\system32\cmd.exe (PID 4688): C:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe .
    C:\Windows\System32\Conhost.exe (PID 4768): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\jjvvklztpfbdiyidunff.exe (PID 2180): jjvvklztpfbdiyidunff.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 6136): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jjvvklztpfbdiyidunff.exe*."

C:\Windows\system32\cmd.exe (PID 5064): C:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe .
    C:\Windows\yzmndfupmdadjalhztmna.exe (PID 5568): yzmndfupmdadjalhztmna.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4872): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yzmndfupmdadjalhztmna.exe*."

C:\Windows\system32\cmd.exe (PID 2072): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe
    C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe (PID 1232): C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe

C:\Windows\system32\cmd.exe (PID 1676): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe
    C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe (PID 5168): C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe

C:\Windows\system32\cmd.exe (PID 5248): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .
    C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe (PID 4692): C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 3480): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yzmndfupmdadjalhztmna.exe*."

C:\Windows\system32\cmd.exe (PID 4652): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .
    C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe (PID 812): C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 1300): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\ljtredphbpjjmaibqh.exe*."

C:\Windows\system32\cmd.exe (PID 3468): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe
    C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe (PID 5736): C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe

C:\Windows\system32\cmd.exe (PID 4056): C:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe
    C:\Windows\ljtredphbpjjmaibqh.exe (PID 2276): ljtredphbpjjmaibqh.exe

C:\Windows\system32\cmd.exe (PID 1160): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe
    C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe (PID 4268): C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe

C:\Windows\system32\cmd.exe (PID 3616): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .
    C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe (PID 6004): C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5456): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yzmndfupmdadjalhztmna.exe*."

C:\Windows\system32\cmd.exe (PID 2876): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
    C:\Windows\System32\Conhost.exe (PID 1608): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe (PID 3612): C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4340): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\czifrparkxqpreldr.exe*."

C:\Windows\system32\cmd.exe (PID 5852): C:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe .
    C:\Windows\ljtredphbpjjmaibqh.exe (PID 1284): ljtredphbpjjmaibqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 3080): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\ljtredphbpjjmaibqh.exe*."

C:\Windows\system32\cmd.exe (PID 396): C:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe
    C:\Windows\ljtredphbpjjmaibqh.exe (PID 4632): ljtredphbpjjmaibqh.exe

C:\Windows\system32\cmd.exe (PID 2752): C:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe .
    C:\Windows\ljtredphbpjjmaibqh.exe (PID 2608): ljtredphbpjjmaibqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 1264): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\ljtredphbpjjmaibqh.exe*."

C:\Windows\system32\cmd.exe (PID 5436): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe
    C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe (PID 4520): C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe

C:\Windows\system32\cmd.exe (PID 5344): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .
    C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe (PID 408): C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 3420): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yzmndfupmdadjalhztmna.exe*."

C:\Windows\system32\cmd.exe (PID 1560): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe
    C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe (PID 1820): C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe

C:\Windows\system32\cmd.exe (PID 828): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
    C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe (PID 5560): C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5220): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wvgfttgzujefjyhbrja.exe*."

C:\Windows\system32\cmd.exe (PID 5616): C:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe
    C:\Windows\jjvvklztpfbdiyidunff.exe (PID 4284): jjvvklztpfbdiyidunff.exe

C:\Windows\system32\cmd.exe (PID 2344): C:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe .
    C:\Windows\System32\Conhost.exe (PID 1380): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\czifrparkxqpreldr.exe (PID 376): czifrparkxqpreldr.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 676): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\czifrparkxqpreldr.exe*."

C:\Windows\system32\cmd.exe (PID 5008): C:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe
    C:\Windows\vrzvgdndvhzxykqh.exe (PID 3976): vrzvgdndvhzxykqh.exe

C:\Windows\system32\cmd.exe (PID 436): C:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe .
    C:\Windows\czifrparkxqpreldr.exe (PID 6064): czifrparkxqpreldr.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 3124): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\czifrparkxqpreldr.exe*."

C:\Windows\system32\cmd.exe (PID 5256): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe
    C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe (PID 1136): C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe

C:\Windows\system32\cmd.exe (PID 2884): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
    C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe (PID 4052): C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4024): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\czifrparkxqpreldr.exe*."

C:\Windows\system32\cmd.exe (PID 5484): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe
    C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe (PID 2780): C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe

C:\Windows\system32\cmd.exe (PID 2168): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .
    C:\Windows\System32\Conhost.exe (PID 5888): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe (PID 5136): C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4748): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yzmndfupmdadjalhztmna.exe*."

C:\Windows\system32\cmd.exe (PID 3952): C:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe
    C:\Windows\czifrparkxqpreldr.exe (PID 5568): czifrparkxqpreldr.exe

C:\Windows\system32\cmd.exe (PID 3216): C:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe .
    C:\Windows\wvgfttgzujefjyhbrja.exe (PID 4580): wvgfttgzujefjyhbrja.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4992): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wvgfttgzujefjyhbrja.exe*."

C:\Windows\system32\cmd.exe (PID 3708): C:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe
    C:\Windows\czifrparkxqpreldr.exe (PID 5056): czifrparkxqpreldr.exe

C:\Windows\system32\cmd.exe (PID 5048): C:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe .
    C:\Windows\czifrparkxqpreldr.exe (PID 5440): czifrparkxqpreldr.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2192): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\czifrparkxqpreldr.exe*."

C:\Windows\system32\cmd.exe (PID 3300): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe
    C:\Windows\System32\Conhost.exe (PID 4196): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe (PID 812): C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe

C:\Windows\system32\cmd.exe (PID 5124): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
    C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe (PID 4008): C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 1568): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wvgfttgzujefjyhbrja.exe*."

C:\Windows\system32\cmd.exe (PID 5352): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe
    C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe (PID 1288): C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe

C:\Windows\system32\cmd.exe (PID 1736): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .
    C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe (PID 4568): C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 3988): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\ljtredphbpjjmaibqh.exe*."

C:\Windows\system32\cmd.exe (PID 4456): C:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe
    C:\Windows\czifrparkxqpreldr.exe (PID 4464): czifrparkxqpreldr.exe

C:\Windows\system32\cmd.exe (PID 1124): C:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe .
    C:\Windows\vrzvgdndvhzxykqh.exe (PID 4932): vrzvgdndvhzxykqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 1388): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vrzvgdndvhzxykqh.exe*."

C:\Windows\system32\cmd.exe (PID 1916): C:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe
    C:\Windows\czifrparkxqpreldr.exe (PID 3852): czifrparkxqpreldr.exe

C:\Windows\system32\cmd.exe (PID 5756): C:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe .
    C:\Windows\vrzvgdndvhzxykqh.exe (PID 5880): vrzvgdndvhzxykqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2928): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vrzvgdndvhzxykqh.exe*."

C:\Windows\system32\cmd.exe (PID 4780): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe
    C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe (PID 2128): C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe

C:\Windows\system32\cmd.exe (PID 5516): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .
    C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe (PID 4688): C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4584): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\ljtredphbpjjmaibqh.exe*."

C:\Windows\system32\cmd.exe (PID 3336): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe
    C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe (PID 5708): C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe

C:\Windows\system32\cmd.exe (PID 4556): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
    C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe (PID 3564): C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5320): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wvgfttgzujefjyhbrja.exe*."

C:\Windows\system32\cmd.exe (PID 5200): C:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe
    C:\Windows\jjvvklztpfbdiyidunff.exe (PID 1540): jjvvklztpfbdiyidunff.exe

C:\Windows\system32\cmd.exe (PID 4508): C:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe .
    C:\Windows\System32\Conhost.exe (PID 60): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\yzmndfupmdadjalhztmna.exe (PID 6096): yzmndfupmdadjalhztmna.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 808): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yzmndfupmdadjalhztmna.exe*."

C:\Windows\system32\cmd.exe (PID 5184): C:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe
    C:\Windows\System32\Conhost.exe (PID 5292): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\ljtredphbpjjmaibqh.exe (PID 1964): ljtredphbpjjmaibqh.exe

C:\Windows\system32\cmd.exe (PID 2144): C:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe .
    C:\Windows\wvgfttgzujefjyhbrja.exe (PID 5824): wvgfttgzujefjyhbrja.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4116): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wvgfttgzujefjyhbrja.exe*."

C:\Windows\system32\cmd.exe (PID 4512): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe
    C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe (PID 1152): C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe

C:\Windows\system32\cmd.exe (PID 4452): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .
    C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe (PID 5096): C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 1004): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\ljtredphbpjjmaibqh.exe*."

C:\Windows\system32\cmd.exe (PID 2236): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe
    C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe (PID 5552): C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe

C:\Windows\system32\cmd.exe (PID 5988): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
    C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe (PID 5536): C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 1240): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wvgfttgzujefjyhbrja.exe*."

C:\Windows\system32\cmd.exe (PID 3592): C:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe
    C:\Windows\jjvvklztpfbdiyidunff.exe (PID 3140): jjvvklztpfbdiyidunff.exe

C:\Windows\system32\cmd.exe (PID 2424): C:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe .
    C:\Windows\jjvvklztpfbdiyidunff.exe (PID 5696): jjvvklztpfbdiyidunff.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2188): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jjvvklztpfbdiyidunff.exe*."

C:\Windows\system32\cmd.exe (PID 6068): C:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe
    C:\Windows\vrzvgdndvhzxykqh.exe (PID 4944): vrzvgdndvhzxykqh.exe

C:\Windows\system32\cmd.exe (PID 4484): C:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe .
    C:\Windows\wvgfttgzujefjyhbrja.exe (PID 2680): wvgfttgzujefjyhbrja.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 812): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wvgfttgzujefjyhbrja.exe*."

C:\Windows\system32\cmd.exe (PID 6044): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe
    C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe (PID 4684): C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe

C:\Windows\system32\cmd.exe (PID 4344): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
    C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe (PID 1844): C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4828): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wvgfttgzujefjyhbrja.exe*."

C:\Windows\system32\cmd.exe (PID 1308): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe
    C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe (PID 4180): C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe

C:\Windows\system32\cmd.exe (PID 5048): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .
    C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe (PID 1164): C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 532): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yzmndfupmdadjalhztmna.exe*."

C:\Windows\system32\cmd.exe (PID 4340): C:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe
    C:\Windows\jjvvklztpfbdiyidunff.exe (PID 460): jjvvklztpfbdiyidunff.exe

C:\Windows\system32\cmd.exe (PID 3616): C:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe .
    C:\Windows\vrzvgdndvhzxykqh.exe (PID 4264): vrzvgdndvhzxykqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 1876): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vrzvgdndvhzxykqh.exe*."

C:\Windows\system32\cmd.exe (PID 1248): C:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe
    C:\Windows\vrzvgdndvhzxykqh.exe (PID 5852): vrzvgdndvhzxykqh.exe

C:\Windows\system32\cmd.exe (PID 2748): C:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe
    C:\Windows\czifrparkxqpreldr.exe (PID 4020): czifrparkxqpreldr.exe

C:\Windows\system32\cmd.exe (PID 748): C:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe
    C:\Windows\System32\Conhost.exe (PID 2556): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\wvgfttgzujefjyhbrja.exe (PID 1752): wvgfttgzujefjyhbrja.exe

C:\Windows\system32\cmd.exe (PID 4460): C:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe .
    C:\Windows\czifrparkxqpreldr.exe (PID 452): czifrparkxqpreldr.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5172): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\czifrparkxqpreldr.exe*."

C:\Windows\system32\cmd.exe (PID 2812): C:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe .
    C:\Windows\wvgfttgzujefjyhbrja.exe (PID 4712): wvgfttgzujefjyhbrja.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5504): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wvgfttgzujefjyhbrja.exe*."

C:\Windows\system32\cmd.exe (PID 5204): C:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe .
    C:\Windows\czifrparkxqpreldr.exe (PID 2136): czifrparkxqpreldr.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 1484): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\czifrparkxqpreldr.exe*."

C:\Windows\system32\cmd.exe (PID 4924): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe
    C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe (PID 4004): C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe

C:\Windows\system32\cmd.exe (PID 68): C:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe
    C:\Windows\jjvvklztpfbdiyidunff.exe (PID 1152): jjvvklztpfbdiyidunff.exe

C:\Windows\system32\cmd.exe (PID 6052): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .
    C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe (PID 1324): C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe .
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\ljtredphbpjjmaibqh.exe*."3⤵PID:5736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe .1⤵PID:2292
-
C:\Windows\yzmndfupmdadjalhztmna.exeyzmndfupmdadjalhztmna.exe .2⤵PID:5948
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yzmndfupmdadjalhztmna.exe*."3⤵PID:428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe1⤵PID:5516
-
C:\Windows\vrzvgdndvhzxykqh.exevrzvgdndvhzxykqh.exe2⤵PID:2144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe1⤵PID:5804
-
C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exeC:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe2⤵PID:3168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe .1⤵PID:884
-
C:\Windows\czifrparkxqpreldr.execzifrparkxqpreldr.exe .2⤵PID:5596
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\czifrparkxqpreldr.exe*."3⤵PID:5400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .1⤵PID:4816
-
C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .2⤵PID:5320
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wvgfttgzujefjyhbrja.exe*."3⤵PID:1508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe1⤵PID:3360
-
C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe2⤵PID:5808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe1⤵PID:1952
-
C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe2⤵PID:5424
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .1⤵PID:1668
-
C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .2⤵PID:5448
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vrzvgdndvhzxykqh.exe*."3⤵PID:5980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .1⤵PID:3016
-
C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exeC:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .2⤵PID:2336
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yzmndfupmdadjalhztmna.exe*."3⤵PID:5044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe1⤵PID:1824
-
C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe2⤵PID:3924
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .1⤵PID:1488
-
C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exeC:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .2⤵PID:4624
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\czifrparkxqpreldr.exe*."3⤵PID:4740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe1⤵PID:5752
-
C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exeC:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe2⤵PID:2420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .1⤵PID:6064
-
C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .2⤵PID:5696
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wvgfttgzujefjyhbrja.exe*."3⤵PID:404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe1⤵PID:2976
-
C:\Windows\jjvvklztpfbdiyidunff.exejjvvklztpfbdiyidunff.exe2⤵PID:3628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe .1⤵PID:3232
-
C:\Windows\vrzvgdndvhzxykqh.exevrzvgdndvhzxykqh.exe .2⤵PID:5540
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vrzvgdndvhzxykqh.exe*."3⤵PID:2192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe1⤵PID:3088
-
C:\Windows\vrzvgdndvhzxykqh.exevrzvgdndvhzxykqh.exe2⤵PID:4036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe .1⤵PID:3996
-
C:\Windows\yzmndfupmdadjalhztmna.exeyzmndfupmdadjalhztmna.exe .2⤵PID:3216
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yzmndfupmdadjalhztmna.exe*."3⤵PID:4748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe1⤵PID:4592
-
C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exeC:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe2⤵PID:1288
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .1⤵PID:1300
-
C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe .2⤵PID:5352
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vrzvgdndvhzxykqh.exe*."3⤵PID:1284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe1⤵PID:4884
-
C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe2⤵PID:448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .1⤵PID:2620
-
C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exeC:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .2⤵PID:5428
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jjvvklztpfbdiyidunff.exe*."3⤵PID:4780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe1⤵PID:2360
-
C:\Windows\yzmndfupmdadjalhztmna.exeyzmndfupmdadjalhztmna.exe2⤵PID:4316
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe .1⤵PID:5148
-
C:\Windows\yzmndfupmdadjalhztmna.exeyzmndfupmdadjalhztmna.exe .2⤵PID:5040
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yzmndfupmdadjalhztmna.exe*."3⤵PID:3852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe1⤵PID:3796
-
C:\Windows\jjvvklztpfbdiyidunff.exejjvvklztpfbdiyidunff.exe2⤵PID:4764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe .1⤵PID:6140
-
C:\Windows\wvgfttgzujefjyhbrja.exewvgfttgzujefjyhbrja.exe .2⤵PID:3372
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wvgfttgzujefjyhbrja.exe*."3⤵PID:4052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe1⤵PID:2744
-
C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe2⤵PID:1496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .1⤵PID:4496
-
C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exeC:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe .2⤵PID:4396
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jjvvklztpfbdiyidunff.exe*."3⤵PID:4516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe1⤵PID:2180
-
C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe2⤵PID:5808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .1⤵PID:224
-
C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exeC:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .2⤵PID:5300
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yzmndfupmdadjalhztmna.exe*."3⤵PID:6008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe1⤵PID:2988
-
C:\Windows\czifrparkxqpreldr.execzifrparkxqpreldr.exe2⤵PID:3248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe .1⤵PID:428
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2860
-
-
C:\Windows\jjvvklztpfbdiyidunff.exejjvvklztpfbdiyidunff.exe .2⤵PID:3488
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jjvvklztpfbdiyidunff.exe*."3⤵PID:4436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe1⤵PID:5404
-
C:\Windows\yzmndfupmdadjalhztmna.exeyzmndfupmdadjalhztmna.exe2⤵PID:3412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe .1⤵PID:3360
-
C:\Windows\ljtredphbpjjmaibqh.exeljtredphbpjjmaibqh.exe .2⤵PID:984
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\ljtredphbpjjmaibqh.exe*."3⤵PID:3592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe1⤵PID:3952
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2368
-
-
C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe2⤵PID:4584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .1⤵PID:5876
-
C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exeC:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .2⤵PID:3692
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yzmndfupmdadjalhztmna.exe*."3⤵PID:3176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe1⤵PID:4192
-
C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe2⤵PID:1120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .1⤵PID:4772
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2424
-
-
C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exeC:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .2⤵PID:4912
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\czifrparkxqpreldr.exe*."3⤵PID:1668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe1⤵PID:5696
-
C:\Windows\yzmndfupmdadjalhztmna.exeyzmndfupmdadjalhztmna.exe2⤵PID:4964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe .1⤵PID:3660
-
C:\Windows\jjvvklztpfbdiyidunff.exejjvvklztpfbdiyidunff.exe .2⤵PID:2924
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jjvvklztpfbdiyidunff.exe*."3⤵PID:3552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe1⤵PID:5512
-
C:\Windows\vrzvgdndvhzxykqh.exevrzvgdndvhzxykqh.exe2⤵PID:5908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe .1⤵PID:2352
-
C:\Windows\yzmndfupmdadjalhztmna.exeyzmndfupmdadjalhztmna.exe .2⤵PID:4440
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yzmndfupmdadjalhztmna.exe*."3⤵PID:2276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe1⤵PID:4180
-
C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe2⤵PID:4344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .1⤵PID:3040
-
C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exeC:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .2⤵PID:812
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yzmndfupmdadjalhztmna.exe*."3⤵PID:3044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe1⤵PID:1160
-
C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe2⤵PID:5556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .1⤵PID:1080
-
C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exeC:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .2⤵PID:6004
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\czifrparkxqpreldr.exe*."3⤵PID:4652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe1⤵PID:2708
-
C:\Windows\ljtredphbpjjmaibqh.exeljtredphbpjjmaibqh.exe2⤵PID:5428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe .1⤵PID:448
-
C:\Windows\vrzvgdndvhzxykqh.exevrzvgdndvhzxykqh.exe .2⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vrzvgdndvhzxykqh.exe*."3⤵PID:4316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe1⤵PID:6132
-
C:\Windows\vrzvgdndvhzxykqh.exevrzvgdndvhzxykqh.exe2⤵PID:1560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe .1⤵PID:1752
-
C:\Windows\jjvvklztpfbdiyidunff.exejjvvklztpfbdiyidunff.exe .2⤵PID:5040
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jjvvklztpfbdiyidunff.exe*."3⤵PID:4472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe1⤵PID:4844
-
C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe2⤵PID:452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .1⤵PID:3668
-
C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exeC:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .2⤵PID:1496
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\czifrparkxqpreldr.exe*."3⤵PID:5436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe1⤵PID:2744
-
C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exeC:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe2⤵PID:740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .1⤵PID:532
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1152
-
-
C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .2⤵PID:5036
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wvgfttgzujefjyhbrja.exe*."3⤵PID:1028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe1⤵PID:3740
-
C:\Windows\yzmndfupmdadjalhztmna.exeyzmndfupmdadjalhztmna.exe2⤵PID:4796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe .1⤵PID:5336
-
C:\Windows\vrzvgdndvhzxykqh.exevrzvgdndvhzxykqh.exe .2⤵PID:5256
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vrzvgdndvhzxykqh.exe*."3⤵PID:5032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jjvvklztpfbdiyidunff.exe1⤵PID:1808
-
C:\Windows\jjvvklztpfbdiyidunff.exejjvvklztpfbdiyidunff.exe2⤵PID:1324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe .1⤵PID:3772
-
C:\Windows\vrzvgdndvhzxykqh.exevrzvgdndvhzxykqh.exe .2⤵PID:1820
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vrzvgdndvhzxykqh.exe*."3⤵PID:2064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe1⤵PID:908
-
C:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\ljtredphbpjjmaibqh.exe2⤵PID:4084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .1⤵PID:3700
-
C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exeC:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe .2⤵PID:3008
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\czifrparkxqpreldr.exe*."3⤵PID:5812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe1⤵PID:4056
-
C:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exeC:\Users\Admin\AppData\Local\Temp\jjvvklztpfbdiyidunff.exe2⤵PID:1540
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .1⤵PID:1128
-
C:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wvgfttgzujefjyhbrja.exe .2⤵PID:4692
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wvgfttgzujefjyhbrja.exe*."3⤵PID:2756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wvgfttgzujefjyhbrja.exe1⤵PID:4872
-
C:\Windows\wvgfttgzujefjyhbrja.exewvgfttgzujefjyhbrja.exe2⤵PID:5960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe .1⤵PID:6068
-
C:\Windows\ljtredphbpjjmaibqh.exeljtredphbpjjmaibqh.exe .2⤵PID:1360
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\ljtredphbpjjmaibqh.exe*."3⤵PID:1628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe1⤵PID:4572
-
C:\Windows\czifrparkxqpreldr.execzifrparkxqpreldr.exe2⤵PID:4784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe1⤵PID:2168
-
C:\Windows\czifrparkxqpreldr.execzifrparkxqpreldr.exe2⤵PID:3300
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe1⤵PID:3628
-
C:\Windows\czifrparkxqpreldr.execzifrparkxqpreldr.exe2⤵PID:5988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yzmndfupmdadjalhztmna.exe .1⤵PID:3552
-
C:\Windows\yzmndfupmdadjalhztmna.exeyzmndfupmdadjalhztmna.exe .2⤵PID:1772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c czifrparkxqpreldr.exe .1⤵PID:1488
-
C:\Windows\czifrparkxqpreldr.execzifrparkxqpreldr.exe .2⤵PID:5268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrzvgdndvhzxykqh.exe1⤵PID:4368
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe .1⤵PID:5052
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe1⤵PID:4440
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yzmndfupmdadjalhztmna.exe .1⤵PID:4828
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ljtredphbpjjmaibqh.exe .1⤵PID:4700
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vrzvgdndvhzxykqh.exe1⤵PID:5556
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\czifrparkxqpreldr.exe1⤵PID:4856
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads

Filesize: 280B
MD5: 9003fef1377fe55362ff3a44ec591901
SHA1: 7523983bc90c93d0845c8743495488df638c4533
SHA256: 522f925f6f5747def9b66015cb82c2221d851580a4cea284ca68dd925c7ff97c
SHA512: 01059145bd682feafdad09b1ecd861ad492a8e088bc19dcc3aa6d81219184daf7061d036ade89675d54b0250bcd8b2421955c8101a9f14077f255de6711e94ea

Filesize: 280B
MD5: 7ff49839c2e68461789d2338423c0ba8
SHA1: 5179eee7ca23b910b662b1c3e7dbfac8685aade7
SHA256: b2354d3bceddead9cf2c46a00ac90b77770b9cd65c59e9923617befaee6a11fd
SHA512: cc8ec4ed06cdfb36058c1da9a1ed2cac4d9c3745176bbc07c28c583d8e4f32b93fdb9bd978a667767b27e6360db1ebc7870ccaaa576875103bbe711dddfc4a88

Filesize: 280B
MD5: c629ec83b61e9e07d7c9655e792570e3
SHA1: c6658e2a530f32dc3ea5f6a7648595f5a71f371b
SHA256: 57a7b484cdbcc30099edf4ab9fb783750c10dfbd2d951106cbb3d5fa53692a27
SHA512: ae00e0a2efa600769b4558ece99ca287a53c30d5a05e17f562420aeb8cc7114153f0328595c4089cb6e716d54a6bfb606ab4af417837142cb46a8ee5c0689b5a

Filesize: 280B
MD5: f3c3dbd3356d66064077dc6fbdb55caa
SHA1: bf308763058a90f2e523dfbbf9e8065c2cf83bec
SHA256: 7dca220d00f8164e53e38f98554eb6df8232213340afff7d63b6b9bac41bb97c
SHA512: 36681a1e12b018a93d92db6e20800ba34183c58b7b7edd0072efd5326ce37c77150562ba24b2489169869ed2aeb10ab42c95f39230d1280cdcb418dfbfe73b80

Filesize: 280B
MD5: 286b64527b544a6ef7080b6c7f9bcb0e
SHA1: d5e27b4bfd6045b6249e822db44257da74cd8193
SHA256: aee3f1b34cb834167084eb712dba5c0f3babd866d6d6d989d20301fdcfc4f00f
SHA512: 054d0a5b149ae0e35facf23416bda565bf4ec4d502e0450957fee024a2427302295666e56d2a86c326c3a902f66dd0bc397654f219f6ce4aaabff67dd5cc13da

Filesize: 280B
MD5: b746b1ac229e6bcf7ae74e7ee681d9fc
SHA1: f33cd3cb70bde9e9a81612aef5c0408d2e3e285d
SHA256: 5d4c00baebb6502514b823028986b2490239037f9c844fcd5520f6c4100d9eb1
SHA512: d86c085e8115a0e5d6d88501e267401e43f114a4e179aa9c54fc9ddd09af944ccd36c8527e00da4551d8b9cf6bd03c23b52197ca4e96a0fadb080aa45c8841e4

Filesize: 280B
MD5: 30ba70477042a5170e69afc995f271c8
SHA1: c254d2d5a64d71017950a3daf2fbecaa91175270
SHA256: ff70e2696f9fb6debad9f6c3d30e823dfa5bef23e0e2ceb21152c6d38dc7647d
SHA512: 13c5b276525310593a8ec2e4582f535048f3252e91c537db590d8968eb21123865ba5a660af03116b67a09f6727a7eec089bb74db5a51a284c5aab29b70b36a4

Filesize: 320KB
MD5: cc52437b203166c0639cba4112374e15
SHA1: c8d1342e85910208c67c7afd7fe9ff1059bc51ea
SHA256: dfc5cbdd18d8f313cb7d214de1bd55391de535c0ad59d541f602c6666d040033
SHA512: c7405cb4734bb13c0becf39574de8360b8ab74b909d3bb749e5d1be8751543e9e58eef056c53a45146c8a146e10d0ab0eb190572d9d28054248967cce8c03ee1

Filesize: 708KB
MD5: 5274272730fbe803779e09010b34550e
SHA1: 6c41d16844fe78c362d72eaaabd6fa1ace1828de
SHA256: 3b73b53fc02463e76e85198758399cfc6488e199a305b4df2e6e3a2580cbc6b8
SHA512: 76847b500e4f77a2037e0bfc61b7cc076020bf4221cebafb335747a579d265978c25096ebdb21f9a83ff3c60b9e96f3a29ca3f72d84952f0e192f6de12438359

Filesize: 280B
MD5: 75cb4657e2515f60dd2e937db5313da7
SHA1: 2541257ae165802eefe2895b80d8f65814f1e1fe
SHA256: 50368a991d06fd26b3b35b947b96c5673f0e9e119142c4acea7e1f020320f9ed
SHA512: 033332ecd53e4e5352ffdb69517ba06321b6216dbaa5394303d09a15cf844cbafe3b6768576a4e698dbf8a87bc2210d55b8a449668eff553a8cb90532235595a

Filesize: 4KB
MD5: 6ab58a710575eae83fd3d4c142fb4275
SHA1: fc1066e31ba5aef18c9076c482d1c45f7b4cbf05
SHA256: 2e5711b1fbb11202e705d1048cf7e6214a58d9e911c4b1545a45e62b5f19c358
SHA512: 70958ee88c4633be1b7a5fc4b894ef305cba11e1d526071198a3648f491340457a926cafac25713007e6a31c614c3e91be1bc8f5b5421719395ba6b2aaf3de3e

Filesize: 1020KB
MD5: b00543b6e9ead74528eb07622f2f5c94
SHA1: 36310f1caec808d700c5f8147ebb1b6f60aee09a
SHA256: 075f8ff04a2ce29d55c82f2fabfa76187e0933b6b154614b45d5c5fdd41ed2a3
SHA512: 7f2937a25b363b139839cf491e7e9e2097ab5d469b3d8486aa23782b816fc63a7bd43f522c0fab1780dd80db32a0d5c84df635851ceb1f7d64bffc84e294bd4b