Analysis
  max time kernel: 32s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20250410-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 11/04/2025, 03:50

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
Resource: win10v2004-20250410-en

General
  Target: JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
  Size: 1016KB
  MD5: accbd6960dd347c36571ba5642f84e23
  SHA1: 5b7c416ada72814560922010b317e8669003b3e5
  SHA256: 482f4d7695f48bda4cfbda875fa32859d0206b577a679fee45c42f8b2151a49d
  SHA512: af2d46582af45ea98dc208306e9302b646f3102a30e7fe72dadebc8ed735ff4447e84dc0799ef9d0693e5d5b4c5223bba6e6cf2dd0b7c2f7102d8a0198dc301a
  SSDEEP: 12288:qpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsDu8wKF:qpUNr6YkVRFkgbeqeo68Fhq6upKF

Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
  description | ioc | Process (count)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | tzjwwfytdjt.exe (x9), ddjmp.exe (x3)

Pykspa family
UAC bypass (3 TTPs, 24 IoCs)
  description | ioc | Process (count)
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe (x9), ddjmp.exe (x3)
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | tzjwwfytdjt.exe (x1), ddjmp.exe (x3)
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | tzjwwfytdjt.exe (x1), ddjmp.exe (x3)
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | tzjwwfytdjt.exe (x1), ddjmp.exe (x3)
Detect Pykspa worm (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x000b000000024068-5.dat | family_pykspa
  behavioral1/files/0x0010000000023f7d-127.dat | family_pykspa
Adds policy Run key to start application (2 TTPs, 45 IoCs)
  description | ioc | Process (count)
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | tzjwwfytdjt.exe (x9), ddjmp.exe (x3)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szmwgslyjubm = "dtpibwyuoiyspzsvawmib.exe" | ddjmp.exe (x2), tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szmwgslyjubm = "alcqeurixmxmejxv.exe" | tzjwwfytdjt.exe (x3), ddjmp.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szmwgslyjubm = "odyqicdyrkzsoxprvqfa.exe" | tzjwwfytdjt.exe (x4), ddjmp.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szmwgslyjubm = "bpjarkkewocupxopsma.exe" | tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hlvcjsisa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtpibwyuoiyspzsvawmib.exe" | ddjmp.exe (x2), tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hlvcjsisa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpjarkkewocupxopsma.exe" | tzjwwfytdjt.exe (x3), ddjmp.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hlvcjsisa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odyqicdyrkzsoxprvqfa.exe" | tzjwwfytdjt.exe (x3), ddjmp.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hlvcjsisa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdwmcutmduhyszpprk.exe" | tzjwwfytdjt.exe (x2), ddjmp.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hlvcjsisa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\alcqeurixmxmejxv.exe" | tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzlvmwlvjqgn = "jdxpogdvrgetmirjlpfz.exe" | ddjmp.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzlvmwlvjqgn = "ctkzvketmytfvouji.exe" | ddjmp.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzlvmwlvjqgn = "wpizxokbwkhvniqhila.exe" | ddjmp.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\clubpwipa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpizxokbwkhvniqhila.exe" | ddjmp.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\clubpwipa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldvliytjdqmzqkrhhj.exe" | ddjmp.exe (x1)
Disables RegEdit via registry modification (15 IoCs)
  description | ioc | Process (count)
  Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | tzjwwfytdjt.exe (x8), ddjmp.exe (x3)
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | tzjwwfytdjt.exe (x1), ddjmp.exe (x3)
Sets service image path in registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wmicucltsvc\ImagePath = "C:\\Windows\\system32\\wmicuclt.exe" | dtpibwyuoiyspzsvawmib.exe
Checks computer location settings (2 TTPs, 60 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process (count)
  Key value queried | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation | dtpibwyuoiyspzsvawmib.exe (x17), odyqicdyrkzsoxprvqfa.exe (x12), qdwmcutmduhyszpprk.exe (x11), alcqeurixmxmejxv.exe (x7), htlapgewmcoexdsrs.exe (x6), bpjarkkewocupxopsma.exe (x5), JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe (x1), tzjwwfytdjt.exe (x1)
Executes dropped EXE (64 IoCs)
  Process | pid(s)
  tzjwwfytdjt.exe | 3324, 2976, 3880, 5052, 3740, 1644, 2632, 2972, 3048, 4408, 1364, 2488, 1328, 1528, 3856, 4800, 1512, 2956, 4212, 5024, 704, 4884, 1040
  dtpibwyuoiyspzsvawmib.exe | 4064, 4668, 4632, 1316, 4468, 2568, 2008, 4756, 2712, 3448, 3000, 736
  htlapgewmcoexdsrs.exe | 4608, 1644, 4928, 1032, 4376, 3324, 1976, 2536, 3880
  odyqicdyrkzsoxprvqfa.exe | 4604, 4708, 2652, 2296, 2488, 4932
  qdwmcutmduhyszpprk.exe | 1688, 1504, 2184, 1220, 4020, 3816
  alcqeurixmxmejxv.exe | 4700, 2024, 2540, 2684
  ddjmp.exe | 3304, 4896, 2952
  bpjarkkewocupxopsma.exe | 2268
Impair Defenses: Safe Mode Boot (1 TTP, 9 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\wmicucltsvc | dtpibwyuoiyspzsvawmib.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\wmicucltsvc\ = "Service" | dtpibwyuoiyspzsvawmib.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\wmicucltsvc | ddjmp.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | ddjmp.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | ddjmp.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | ddjmp.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | ddjmp.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | ddjmp.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | ddjmp.exe
Unexpected DNS network traffic destination (2 IoCs)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  description | flow | ioc | pid | Process
  Destination IP | 21 | 208.67.222.123 | 4668 | dtpibwyuoiyspzsvawmib.exe
  Destination IP | 23 | 205.171.3.65 | 4668 | dtpibwyuoiyspzsvawmib.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
  description | ioc | Process (count)
  Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\afqygqhsbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odyqicdyrkzsoxprvqfa.exe" | ddjmp.exe (x1), tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\afqygqhsbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtpibwyuoiyspzsvawmib.exe" | tzjwwfytdjt.exe (x1), ddjmp.exe (x1)
  Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\afqygqhsbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\alcqeurixmxmejxv.exe" | tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\afqygqhsbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htlapgewmcoexdsrs.exe" | tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rznyjwqeqckwl = "qdwmcutmduhyszpprk.exe" | tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rznyjwqeqckwl = "htlapgewmcoexdsrs.exe" | tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rznyjwqeqckwl = "alcqeurixmxmejxv.exe" | ddjmp.exe (x1)
  Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rznyjwqeqckwl = "dtpibwyuoiyspzsvawmib.exe" | tzjwwfytdjt.exe (x2)
  Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfpxmuhpbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vlbpkyrfxicncuzn.exe" | ddjmp.exe (x1)
  Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfpxmuhpbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctkzvketmytfvouji.exe" | ddjmp.exe (x1)
  Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfpxmuhpbg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldvliytjdqmzqkrhhj.exe" | ddjmp.exe (x1)
  Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mzmxpaqbqypxj = "vlbpkyrfxicncuzn.exe" | ddjmp.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\afqygqhsbk = "qdwmcutmduhyszpprk.exe" | tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\afqygqhsbk = "htlapgewmcoexdsrs.exe" | ddjmp.exe (x1), tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\afqygqhsbk = "dtpibwyuoiyspzsvawmib.exe" | tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\afqygqhsbk = "odyqicdyrkzsoxprvqfa.exe" | tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\alcqeurixmxmejxv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odyqicdyrkzsoxprvqfa.exe" | tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\alcqeurixmxmejxv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdwmcutmduhyszpprk.exe" | tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\alcqeurixmxmejxv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\alcqeurixmxmejxv.exe" | tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\alcqeurixmxmejxv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpjarkkewocupxopsma.exe" | tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vfpxmuhpbg = "ldvliytjdqmzqkrhhj.exe" | ddjmp.exe (x1)
  Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qbmvluirekz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytohhayroedtnkunqvmhc.exe ." | ddjmp.exe (x1)
  Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qbmvluirekz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldvliytjdqmzqkrhhj.exe ." | ddjmp.exe (x1)
  Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qbmvluirekz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdxpogdvrgetmirjlpfz.exe ." | ddjmp.exe (x1)
  Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sbqcocxmzmviyb = "alcqeurixmxmejxv.exe ." | tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sbqcocxmzmviyb = "htlapgewmcoexdsrs.exe ." | tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vbnwfqiueou = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htlapgewmcoexdsrs.exe ." | ddjmp.exe (x1)
  Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vbnwfqiueou = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdwmcutmduhyszpprk.exe ." | ddjmp.exe (x1), tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vbnwfqiueou = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtpibwyuoiyspzsvawmib.exe ." | ddjmp.exe (x1)
  Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nbpbugxjziajwm = "wpizxokbwkhvniqhila.exe ." | ddjmp.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfvivkgwkyiwnre = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtpibwyuoiyspzsvawmib.exe ." | ddjmp.exe (x2), tzjwwfytdjt.exe (x2)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfvivkgwkyiwnre = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odyqicdyrkzsoxprvqfa.exe ." | tzjwwfytdjt.exe (x2)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfvivkgwkyiwnre = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdwmcutmduhyszpprk.exe ." | tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbnwfqiueou = "odyqicdyrkzsoxprvqfa.exe ." | tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbnwfqiueou = "bpjarkkewocupxopsma.exe ." | tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbnwfqiueou = "alcqeurixmxmejxv.exe ." | tzjwwfytdjt.exe (x1)
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qfuhbogtkunxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vlbpkyrfxicncuzn.exe ." | ddjmp.exe (x1)
  Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sbqcocxmzmviyb = "dtpibwyuoiyspzsvawmib.exe ." |
tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\afqygqhsbk = "htlapgewmcoexdsrs.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbnwfqiueou = "odyqicdyrkzsoxprvqfa.exe ." ddjmp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vbnwfqiueou = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdwmcutmduhyszpprk.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbnwfqiueou = "dtpibwyuoiyspzsvawmib.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vbnwfqiueou = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odyqicdyrkzsoxprvqfa.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vbnwfqiueou = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpjarkkewocupxopsma.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\afqygqhsbk = "dtpibwyuoiyspzsvawmib.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nbpbugxjziajwm = "ytohhayroedtnkunqvmhc.exe ." ddjmp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vbnwfqiueou = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpjarkkewocupxopsma.exe ." 
tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\afqygqhsbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpjarkkewocupxopsma.exe" ddjmp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rznyjwqeqckwl = "bpjarkkewocupxopsma.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sbqcocxmzmviyb = "dtpibwyuoiyspzsvawmib.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mzmxpaqbqypxj = "ytohhayroedtnkunqvmhc.exe" ddjmp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nbpbugxjziajwm = "ldvliytjdqmzqkrhhj.exe ." ddjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\alcqeurixmxmejxv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtpibwyuoiyspzsvawmib.exe" ddjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\alcqeurixmxmejxv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odyqicdyrkzsoxprvqfa.exe" ddjmp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vbnwfqiueou = "C:\\Users\\Admin\\AppData\\Local\\Temp\\alcqeurixmxmejxv.exe ." ddjmp.exe -
Checks for any installed AV software in registry 1 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService\Start = "4" | dtpibwyuoiyspzsvawmib.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\a2AntiMalware | dtpibwyuoiyspzsvawmib.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\a2AntiMalware\Start = "4" | dtpibwyuoiyspzsvawmib.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus | dtpibwyuoiyspzsvawmib.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus\Start = "4" | dtpibwyuoiyspzsvawmib.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | dtpibwyuoiyspzsvawmib.exe
Checks whether UAC is enabled 1 TTPs 24 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tzjwwfytdjt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tzjwwfytdjt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ddjmp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ddjmp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tzjwwfytdjt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tzjwwfytdjt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tzjwwfytdjt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ddjmp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ddjmp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tzjwwfytdjt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ddjmp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ddjmp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tzjwwfytdjt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tzjwwfytdjt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tzjwwfytdjt.exe
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\N: | dtpibwyuoiyspzsvawmib.exe
File opened (read-only) | \??\X: | dtpibwyuoiyspzsvawmib.exe
File opened (read-only) | \??\Y: | dtpibwyuoiyspzsvawmib.exe
File opened (read-only) | \??\Q: | dtpibwyuoiyspzsvawmib.exe
File opened (read-only) | \??\R: | dtpibwyuoiyspzsvawmib.exe
File opened (read-only) | \??\U: | dtpibwyuoiyspzsvawmib.exe
File opened (read-only) | \??\W: | dtpibwyuoiyspzsvawmib.exe
File opened (read-only) | \??\Z: | dtpibwyuoiyspzsvawmib.exe
File opened (read-only) | \??\P: | dtpibwyuoiyspzsvawmib.exe
File opened (read-only) | \??\I: | dtpibwyuoiyspzsvawmib.exe
File opened (read-only) | \??\K: | dtpibwyuoiyspzsvawmib.exe
File opened (read-only) | \??\O: | dtpibwyuoiyspzsvawmib.exe
File opened (read-only) | \??\S: | dtpibwyuoiyspzsvawmib.exe
File opened (read-only) | \??\T: | dtpibwyuoiyspzsvawmib.exe
File opened (read-only) | \??\E: | dtpibwyuoiyspzsvawmib.exe
File opened (read-only) | \??\H: | dtpibwyuoiyspzsvawmib.exe
File opened (read-only) | \??\L: | dtpibwyuoiyspzsvawmib.exe
File opened (read-only) | \??\V: | dtpibwyuoiyspzsvawmib.exe
File opened (read-only) | \??\B: | dtpibwyuoiyspzsvawmib.exe
File opened (read-only) | \??\G: | dtpibwyuoiyspzsvawmib.exe
File opened (read-only) | \??\J: | dtpibwyuoiyspzsvawmib.exe
File opened (read-only) | \??\M: | dtpibwyuoiyspzsvawmib.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 4 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | tzjwwfytdjt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | ddjmp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | ddjmp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | ddjmp.exe
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
28 | www.showmyipaddress.com
32 | www.whatismyip.ca
48 | whatismyip.everdot.org
52 | www.whatismyip.ca
11 | www.whatismyip.ca
34 | whatismyip.everdot.org
41 | www.whatismyip.ca
42 | whatismyip.everdot.org
54 | whatismyip.everdot.org
12 | whatismyipaddress.com
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\bpjarkkewocupxopsma.exe | tzjwwfytdjt.exe
File created | C:\Windows\SysWOW64\wmicuclt.exe | dtpibwyuoiyspzsvawmib.exe
File opened for modification | C:\Windows\SysWOW64\alcqeurixmxmejxv.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\qdwmcutmduhyszpprk.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\bpjarkkewocupxopsma.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\qdwmcutmduhyszpprk.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\qdwmcutmduhyszpprk.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\bpjarkkewocupxopsma.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\odyqicdyrkzsoxprvqfa.exe | ddjmp.exe
File opened for modification | C:\Windows\SysWOW64\alcqeurixmxmejxv.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\qdwmcutmduhyszpprk.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\odyqicdyrkzsoxprvqfa.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\alcqeurixmxmejxv.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\htlapgewmcoexdsrs.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\alcqeurixmxmejxv.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\htlapgewmcoexdsrs.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\odyqicdyrkzsoxprvqfa.exe | ddjmp.exe
File opened for modification | C:\Windows\SysWOW64\odyqicdyrkzsoxprvqfa.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\alcqeurixmxmejxv.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\bpjarkkewocupxopsma.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\dtpibwyuoiyspzsvawmib.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\htlapgewmcoexdsrs.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\alcqeurixmxmejxv.exe | ddjmp.exe
File opened for modification | C:\Windows\SysWOW64\htlapgewmcoexdsrs.exe | ddjmp.exe
File opened for modification | C:\Windows\SysWOW64\ulicwsvsnizusdxbhevsmg.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\dtpibwyuoiyspzsvawmib.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\alcqeurixmxmejxv.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\qdwmcutmduhyszpprk.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\dtpibwyuoiyspzsvawmib.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\ulicwsvsnizusdxbhevsmg.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\odyqicdyrkzsoxprvqfa.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\bpjarkkewocupxopsma.exe | ddjmp.exe
File opened for modification | C:\Windows\SysWOW64\dtpibwyuoiyspzsvawmib.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\ulicwsvsnizusdxbhevsmg.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\bpjarkkewocupxopsma.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\odyqicdyrkzsoxprvqfa.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\htlapgewmcoexdsrs.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\htlapgewmcoexdsrs.exe | ddjmp.exe
File created | C:\Windows\SysWOW64\szmwgslyjubmablfboviscohufqxiwxhbx.reo | ddjmp.exe
File opened for modification | C:\Windows\SysWOW64\ulicwsvsnizusdxbhevsmg.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\qdwmcutmduhyszpprk.exe | ddjmp.exe
File opened for modification | C:\Windows\SysWOW64\alcqeurixmxmejxv.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\bpjarkkewocupxopsma.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\alcqeurixmxmejxv.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\ulicwsvsnizusdxbhevsmg.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\ulicwsvsnizusdxbhevsmg.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\htlapgewmcoexdsrs.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\qdwmcutmduhyszpprk.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\odyqicdyrkzsoxprvqfa.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\ulicwsvsnizusdxbhevsmg.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\bpjarkkewocupxopsma.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\dtpibwyuoiyspzsvawmib.exe | ddjmp.exe
File created | C:\Windows\SysWOW64\fbdcbckmmmiilbajuwsutst.ddd | ddjmp.exe
File opened for modification | C:\Windows\SysWOW64\htlapgewmcoexdsrs.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\dtpibwyuoiyspzsvawmib.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\dtpibwyuoiyspzsvawmib.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\ulicwsvsnizusdxbhevsmg.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\wmicuclt.exe | dtpibwyuoiyspzsvawmib.exe
File opened for modification | C:\Windows\SysWOW64\ulicwsvsnizusdxbhevsmg.exe | ddjmp.exe
File opened for modification | C:\Windows\SysWOW64\qdwmcutmduhyszpprk.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\odyqicdyrkzsoxprvqfa.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\bpjarkkewocupxopsma.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\dtpibwyuoiyspzsvawmib.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\SysWOW64\qdwmcutmduhyszpprk.exe | ddjmp.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\szmwgslyjubmablfboviscohufqxiwxhbx.reo | ddjmp.exe
File created | C:\Program Files (x86)\szmwgslyjubmablfboviscohufqxiwxhbx.reo | ddjmp.exe
File opened for modification | C:\Program Files (x86)\fbdcbckmmmiilbajuwsutst.ddd | ddjmp.exe
File created | C:\Program Files (x86)\fbdcbckmmmiilbajuwsutst.ddd | ddjmp.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\odyqicdyrkzsoxprvqfa.exe | ddjmp.exe
File opened for modification | C:\Windows\alcqeurixmxmejxv.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\dtpibwyuoiyspzsvawmib.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\ulicwsvsnizusdxbhevsmg.exe | ddjmp.exe
File opened for modification | C:\Windows\dtpibwyuoiyspzsvawmib.exe | ddjmp.exe
File opened for modification | C:\Windows\dtpibwyuoiyspzsvawmib.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\qdwmcutmduhyszpprk.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\odyqicdyrkzsoxprvqfa.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\dtpibwyuoiyspzsvawmib.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\ulicwsvsnizusdxbhevsmg.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\htlapgewmcoexdsrs.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\odyqicdyrkzsoxprvqfa.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\bpjarkkewocupxopsma.exe | ddjmp.exe
File opened for modification | C:\Windows\bpjarkkewocupxopsma.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\ulicwsvsnizusdxbhevsmg.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\alcqeurixmxmejxv.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\bpjarkkewocupxopsma.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\bpjarkkewocupxopsma.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\dtpibwyuoiyspzsvawmib.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\htlapgewmcoexdsrs.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\htlapgewmcoexdsrs.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\alcqeurixmxmejxv.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\qdwmcutmduhyszpprk.exe | ddjmp.exe
File opened for modification | C:\Windows\alcqeurixmxmejxv.exe | ddjmp.exe
File opened for modification | C:\Windows\htlapgewmcoexdsrs.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\qdwmcutmduhyszpprk.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\odyqicdyrkzsoxprvqfa.exe | tzjwwfytdjt.exe
File created | C:\Windows\szmwgslyjubmablfboviscohufqxiwxhbx.reo | ddjmp.exe
File opened for modification | C:\Windows\qdwmcutmduhyszpprk.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\htlapgewmcoexdsrs.exe | ddjmp.exe
File opened for modification | C:\Windows\fbdcbckmmmiilbajuwsutst.ddd | ddjmp.exe
File opened for modification | C:\Windows\qdwmcutmduhyszpprk.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\qdwmcutmduhyszpprk.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\qdwmcutmduhyszpprk.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\alcqeurixmxmejxv.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\bpjarkkewocupxopsma.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\odyqicdyrkzsoxprvqfa.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\dtpibwyuoiyspzsvawmib.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\ulicwsvsnizusdxbhevsmg.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\bpjarkkewocupxopsma.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\alcqeurixmxmejxv.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\bpjarkkewocupxopsma.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\dtpibwyuoiyspzsvawmib.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\ulicwsvsnizusdxbhevsmg.exe | tzjwwfytdjt.exe
File created | C:\Windows\fbdcbckmmmiilbajuwsutst.ddd | ddjmp.exe
File opened for modification | C:\Windows\ulicwsvsnizusdxbhevsmg.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\ulicwsvsnizusdxbhevsmg.exe | ddjmp.exe
File opened for modification | C:\Windows\ulicwsvsnizusdxbhevsmg.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\htlapgewmcoexdsrs.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\szmwgslyjubmablfboviscohufqxiwxhbx.reo | ddjmp.exe
File opened for modification | C:\Windows\htlapgewmcoexdsrs.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\qdwmcutmduhyszpprk.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\qdwmcutmduhyszpprk.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\odyqicdyrkzsoxprvqfa.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\alcqeurixmxmejxv.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\dtpibwyuoiyspzsvawmib.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\htlapgewmcoexdsrs.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\bpjarkkewocupxopsma.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\odyqicdyrkzsoxprvqfa.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\qdwmcutmduhyszpprk.exe | ddjmp.exe
File opened for modification | C:\Windows\alcqeurixmxmejxv.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\odyqicdyrkzsoxprvqfa.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\odyqicdyrkzsoxprvqfa.exe | tzjwwfytdjt.exe
File opened for modification | C:\Windows\ulicwsvsnizusdxbhevsmg.exe | tzjwwfytdjt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ctkzvketmytfvouji.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wpizxokbwkhvniqhila.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dtpibwyuoiyspzsvawmib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | alcqeurixmxmejxv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | htlapgewmcoexdsrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jdxpogdvrgetmirjlpfz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ytohhayroedtnkunqvmhc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dtpibwyuoiyspzsvawmib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bpjarkkewocupxopsma.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bpjarkkewocupxopsma.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wpizxokbwkhvniqhila.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | odyqicdyrkzsoxprvqfa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | odyqicdyrkzsoxprvqfa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dtpibwyuoiyspzsvawmib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | htlapgewmcoexdsrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ytohhayroedtnkunqvmhc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dtpibwyuoiyspzsvawmib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dtpibwyuoiyspzsvawmib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bpjarkkewocupxopsma.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | htlapgewmcoexdsrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qdwmcutmduhyszpprk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vlbpkyrfxicncuzn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | alcqeurixmxmejxv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qdwmcutmduhyszpprk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ldvliytjdqmzqkrhhj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dtpibwyuoiyspzsvawmib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jdxpogdvrgetmirjlpfz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wpizxokbwkhvniqhila.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qdwmcutmduhyszpprk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qdwmcutmduhyszpprk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | odyqicdyrkzsoxprvqfa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wpizxokbwkhvniqhila.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ddjmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | htlapgewmcoexdsrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dtpibwyuoiyspzsvawmib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qdwmcutmduhyszpprk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | alcqeurixmxmejxv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tzjwwfytdjt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | htlapgewmcoexdsrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | odyqicdyrkzsoxprvqfa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | odyqicdyrkzsoxprvqfa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dtpibwyuoiyspzsvawmib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vlbpkyrfxicncuzn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qdwmcutmduhyszpprk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | alcqeurixmxmejxv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | odyqicdyrkzsoxprvqfa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qdwmcutmduhyszpprk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dtpibwyuoiyspzsvawmib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dtpibwyuoiyspzsvawmib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bpjarkkewocupxopsma.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | alcqeurixmxmejxv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | htlapgewmcoexdsrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ctkzvketmytfvouji.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dtpibwyuoiyspzsvawmib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | odyqicdyrkzsoxprvqfa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ldvliytjdqmzqkrhhj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ytohhayroedtnkunqvmhc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vlbpkyrfxicncuzn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dtpibwyuoiyspzsvawmib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dtpibwyuoiyspzsvawmib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qdwmcutmduhyszpprk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | odyqicdyrkzsoxprvqfa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | alcqeurixmxmejxv.exe
Suspicious behavior: EnumeratesProcesses 62 IoCs
pid | Process
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3304 | ddjmp.exe
3304 | ddjmp.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
3540 | JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description / pid / Process (every entry is Token: SeDebugPrivilege):
- 3540 JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
- 4064 dtpibwyuoiyspzsvawmib.exe
- 4668 dtpibwyuoiyspzsvawmib.exe
- 4700 alcqeurixmxmejxv.exe
- 4608 htlapgewmcoexdsrs.exe
- 4604 odyqicdyrkzsoxprvqfa.exe
- 1644 htlapgewmcoexdsrs.exe
- 4928 htlapgewmcoexdsrs.exe
- 1032 htlapgewmcoexdsrs.exe
- 1688 qdwmcutmduhyszpprk.exe
- 4228 ldvliytjdqmzqkrhhj.exe
- 2024 alcqeurixmxmejxv.exe
- 4632 dtpibwyuoiyspzsvawmib.exe
- 4048 wpizxokbwkhvniqhila.exe
- 2268 bpjarkkewocupxopsma.exe
- 3456 ctkzvketmytfvouji.exe
- 1504 qdwmcutmduhyszpprk.exe
- 1512 wpizxokbwkhvniqhila.exe
- 4708 odyqicdyrkzsoxprvqfa.exe
- 3240 ytohhayroedtnkunqvmhc.exe
- 3304 ddjmp.exe
- 2192 wpizxokbwkhvniqhila.exe
- 1316 dtpibwyuoiyspzsvawmib.exe
- 4588 vlbpkyrfxicncuzn.exe
- 2184 qdwmcutmduhyszpprk.exe
- 4468 dtpibwyuoiyspzsvawmib.exe
- 2568 dtpibwyuoiyspzsvawmib.exe
- 4376 htlapgewmcoexdsrs.exe
- 2652 odyqicdyrkzsoxprvqfa.exe
- 4156 jdxpogdvrgetmirjlpfz.exe
- 1220 qdwmcutmduhyszpprk.exe
- 4756 dtpibwyuoiyspzsvawmib.exe
- 2008 dtpibwyuoiyspzsvawmib.exe
- 3324 htlapgewmcoexdsrs.exe
- 2296 odyqicdyrkzsoxprvqfa.exe
- 2540 alcqeurixmxmejxv.exe
- 4020 qdwmcutmduhyszpprk.exe
- 3816 qdwmcutmduhyszpprk.exe
- 2712 dtpibwyuoiyspzsvawmib.exe
- 1976 htlapgewmcoexdsrs.exe
- 3448 dtpibwyuoiyspzsvawmib.exe
- 2536 htlapgewmcoexdsrs.exe
- 2488 odyqicdyrkzsoxprvqfa.exe
- 3000 dtpibwyuoiyspzsvawmib.exe
- 4932 odyqicdyrkzsoxprvqfa.exe
- 3880 htlapgewmcoexdsrs.exe
- 736 dtpibwyuoiyspzsvawmib.exe
- 2684 alcqeurixmxmejxv.exe
- 2560 wpizxokbwkhvniqhila.exe
- 4556 ytohhayroedtnkunqvmhc.exe
- 2552 alcqeurixmxmejxv.exe
- 2956 alcqeurixmxmejxv.exe
- 3940 ytohhayroedtnkunqvmhc.exe
- 2932 htlapgewmcoexdsrs.exe
- 3000 htlapgewmcoexdsrs.exe
- 2180 odyqicdyrkzsoxprvqfa.exe
- 4236 alcqeurixmxmejxv.exe
- 724 qdwmcutmduhyszpprk.exe
- 704 ytohhayroedtnkunqvmhc.exe
- 3384 vlbpkyrfxicncuzn.exe
- 2432 vlbpkyrfxicncuzn.exe
- 2180 odyqicdyrkzsoxprvqfa.exe
- 2392 dtpibwyuoiyspzsvawmib.exe
- 5084 ytohhayroedtnkunqvmhc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target (identical rows collapsed; the entry count is given at the end of each line):
- PID 3540 wrote to memory of 3324; pid 3540 JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe; procid_target 86; 3 entries
- PID 3764 wrote to memory of 4064; pid 3764 cmd.exe; procid_target 89; 3 entries
- PID 4064 wrote to memory of 4668; pid 4064 dtpibwyuoiyspzsvawmib.exe; procid_target 90; 3 entries
- PID 1064 wrote to memory of 4700; pid 1064 cmd.exe; procid_target 93; 3 entries
- PID 4700 wrote to memory of 2976; pid 4700 alcqeurixmxmejxv.exe; procid_target 98; 3 entries
- PID 808 wrote to memory of 4608; pid 808 cmd.exe; procid_target 99; 3 entries
- PID 3856 wrote to memory of 4604; pid 3856 cmd.exe; procid_target 102; 3 entries
- PID 1628 wrote to memory of 1644; pid 1628 cmd.exe; procid_target 146; 3 entries
- PID 4604 wrote to memory of 3880; pid 4604 odyqicdyrkzsoxprvqfa.exe; procid_target 242; 3 entries
- PID 4852 wrote to memory of 4928; pid 4852 cmd.exe; procid_target 107; 3 entries
- PID 552 wrote to memory of 1032; pid 552 cmd.exe; procid_target 112; 3 entries
- PID 4928 wrote to memory of 5052; pid 4928 htlapgewmcoexdsrs.exe; procid_target 113; 3 entries
- PID 3068 wrote to memory of 1688; pid 3068 cmd.exe; procid_target 269; 3 entries
- PID 1688 wrote to memory of 3740; pid 1688 qdwmcutmduhyszpprk.exe; procid_target 218; 3 entries
- PID 3324 wrote to memory of 3304; pid 3324 tzjwwfytdjt.exe; procid_target 116; 3 entries
- PID 3324 wrote to memory of 4896; pid 3324 tzjwwfytdjt.exe; procid_target 117; 3 entries
- PID 3440 wrote to memory of 4228; pid 3440 cmd.exe; procid_target 122; 3 entries
- PID 4704 wrote to memory of 2024; pid 4704 cmd.exe; procid_target 283; 3 entries
- PID 2432 wrote to memory of 4632; pid 2432 cmd.exe; procid_target 128; 3 entries
- PID 2420 wrote to memory of 4048; pid 2420 cmd.exe; procid_target 131; 3 entries
- PID 3324 wrote to memory of 2952; pid 3324 tzjwwfytdjt.exe; procid_target 139; 3 entries
- PID 1608 wrote to memory of 2268; pid 1608 cmd.exe; procid_target 141; 1 entry
System policy modification (1 TTPs, 64 IoCs)
description / ioc / Process (in report order):
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System tzjwwfytdjt.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System tzjwwfytdjt.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" ddjmp.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System tzjwwfytdjt.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" tzjwwfytdjt.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer tzjwwfytdjt.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ddjmp.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" ddjmp.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System tzjwwfytdjt.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" tzjwwfytdjt.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" tzjwwfytdjt.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" ddjmp.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System tzjwwfytdjt.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" tzjwwfytdjt.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" ddjmp.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" tzjwwfytdjt.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" tzjwwfytdjt.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" tzjwwfytdjt.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System tzjwwfytdjt.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" tzjwwfytdjt.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" tzjwwfytdjt.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" ddjmp.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System tzjwwfytdjt.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ddjmp.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" ddjmp.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System tzjwwfytdjt.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System tzjwwfytdjt.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_accbd6960dd347c36571ba5642f84e23.exe"
PID: 3540
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Level 2: C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_accbd6960dd347c36571ba5642f84e23.exe*"
PID: 3324
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification

Level 3: C:\Users\Admin\AppData\Local\Temp\ddjmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ddjmp.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_accbd6960dd347c36571ba5642f84e23.exe"
PID: 3304
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification

Level 3: C:\Users\Admin\AppData\Local\Temp\ddjmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ddjmp.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_accbd6960dd347c36571ba5642f84e23.exe"
PID: 4896
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- System policy modification
Level 4: C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe (42 instances, all with the same command line and no signatures listed)
Command line: "C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_accbd6960dd347c36571ba5642f84e23.exe"
PIDs, in report order (some values recur): 4152, 4960, 3744, 544, 2248, 1432, 3444, 2552, 2956, 2116, 4048, 4084, 2024, 3960, 3132, 3056, 4080, 2052, 3836, 3368, 3388, 3964, 3736, 3452, 3616, 3552, 2408, 1332, 1220, 2408, 1820, 2052, 2412, 3892, 4084, 3880, 3892, 4028, 1792, 3092, 5032, 244
Level 3: C:\Users\Admin\AppData\Local\Temp\ddjmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ddjmp.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_accbd6960dd347c36571ba5642f84e23.exe"
PID: 2952
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
Level 1: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe
PID: 3764
- Suspicious use of WriteProcessMemory

Level 2: C:\Windows\dtpibwyuoiyspzsvawmib.exe
Command line: dtpibwyuoiyspzsvawmib.exe
PID: 4064
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Level 3: C:\Windows\dtpibwyuoiyspzsvawmib.exe
Command line: "C:\Windows\dtpibwyuoiyspzsvawmib.exe" /ppiftsvc
PID: 4668
- Sets service image path in registry
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Unexpected DNS network traffic destination
- Checks for any installed AV software in registry
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken

Level 1: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe .
PID: 1064
- Suspicious use of WriteProcessMemory

Level 2: C:\Windows\alcqeurixmxmejxv.exe
Command line: alcqeurixmxmejxv.exe .
PID: 4700
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Level 3: C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\alcqeurixmxmejxv.exe*."
PID: 2976
- Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe
PID: 808
- Suspicious use of WriteProcessMemory

Level 2: C:\Windows\htlapgewmcoexdsrs.exe
Command line: htlapgewmcoexdsrs.exe
PID: 4608
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Level 1: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe .
PID: 3856
- Suspicious use of WriteProcessMemory

Level 2: C:\Windows\odyqicdyrkzsoxprvqfa.exe
Command line: odyqicdyrkzsoxprvqfa.exe .
PID: 4604
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Level 3: C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\odyqicdyrkzsoxprvqfa.exe*."
PID: 3880
- Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe
PID: 1628
- Suspicious use of WriteProcessMemory

Level 2: C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe
Command line: C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe
PID: 1644
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

Level 1: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe .
PID: 4852
- Suspicious use of WriteProcessMemory

Level 2: C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe
Command line: C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe .
PID: 4928
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Level 3: C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\htlapgewmcoexdsrs.exe*."
PID: 5052
- Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe
PID: 552
- Suspicious use of WriteProcessMemory

Level 2: C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe
Command line: C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe
PID: 1032
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

Level 1: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe .
PID: 3068
- Suspicious use of WriteProcessMemory

Level 2: C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe
Command line: C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe .
PID: 1688
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Level 3: C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\qdwmcutmduhyszpprk.exe*."
PID: 3740
- Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe
PID: 4704
- Suspicious use of WriteProcessMemory

Level 2: C:\Windows\alcqeurixmxmejxv.exe
Command line: alcqeurixmxmejxv.exe
PID: 2024
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

Level 1: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ldvliytjdqmzqkrhhj.exe
PID: 3440
- Suspicious use of WriteProcessMemory

Level 2: C:\Windows\ldvliytjdqmzqkrhhj.exe
Command line: ldvliytjdqmzqkrhhj.exe
PID: 4228
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Level 1: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe .
PID: 2432
- Suspicious use of WriteProcessMemory

Level 2: C:\Windows\dtpibwyuoiyspzsvawmib.exe
Command line: dtpibwyuoiyspzsvawmib.exe .
PID: 4632
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Level 3: C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\dtpibwyuoiyspzsvawmib.exe*."
PID: 2632
- Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c wpizxokbwkhvniqhila.exe .
PID: 2420
- Suspicious use of WriteProcessMemory

Level 2: C:\Windows\wpizxokbwkhvniqhila.exe
Command line: wpizxokbwkhvniqhila.exe .
PID: 4048
- Suspicious use of AdjustPrivilegeToken

Level 3: C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\wpizxokbwkhvniqhila.exe*."
PID: 1644
- Executes dropped EXE

Level 1: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c bpjarkkewocupxopsma.exe
PID: 1608
- Suspicious use of WriteProcessMemory

Level 2: C:\Windows\bpjarkkewocupxopsma.exe
Command line: bpjarkkewocupxopsma.exe
PID: 2268
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

Level 1: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ctkzvketmytfvouji.exe
PID: 1108

Level 2: C:\Windows\ctkzvketmytfvouji.exe
Command line: ctkzvketmytfvouji.exe
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qdwmcutmduhyszpprk.exe .1⤵PID:3684
-
C:\Windows\qdwmcutmduhyszpprk.exeqdwmcutmduhyszpprk.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1504 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\qdwmcutmduhyszpprk.exe*."3⤵
- Executes dropped EXE
PID:2972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wpizxokbwkhvniqhila.exe .1⤵PID:836
-
C:\Windows\wpizxokbwkhvniqhila.exewpizxokbwkhvniqhila.exe .2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1512 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\wpizxokbwkhvniqhila.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe1⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exeC:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe .1⤵PID:1792
-
C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exeC:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1316 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\dtpibwyuoiyspzsvawmib.exe*."3⤵
- Executes dropped EXE
PID:1364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytohhayroedtnkunqvmhc.exe1⤵PID:448
-
C:\Users\Admin\AppData\Local\Temp\ytohhayroedtnkunqvmhc.exeC:\Users\Admin\AppData\Local\Temp\ytohhayroedtnkunqvmhc.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3240
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpizxokbwkhvniqhila.exe .1⤵PID:4596
-
C:\Users\Admin\AppData\Local\Temp\wpizxokbwkhvniqhila.exeC:\Users\Admin\AppData\Local\Temp\wpizxokbwkhvniqhila.exe .2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2192 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\wpizxokbwkhvniqhila.exe*."3⤵
- Executes dropped EXE
PID:4408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe1⤵PID:1040
-
C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exeC:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4468
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qdwmcutmduhyszpprk.exe1⤵PID:392
-
C:\Windows\qdwmcutmduhyszpprk.exeqdwmcutmduhyszpprk.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe .1⤵PID:4944
-
C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exeC:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2568 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\dtpibwyuoiyspzsvawmib.exe*."3⤵
- Executes dropped EXE
PID:2488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe1⤵PID:3212
-
C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exeC:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exe .1⤵PID:1304
-
C:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exeC:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exe .2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4156 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\jdxpogdvrgetmirjlpfz.exe*."3⤵
- Executes dropped EXE
PID:1528
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qdwmcutmduhyszpprk.exe .1⤵PID:4852
-
C:\Windows\qdwmcutmduhyszpprk.exeqdwmcutmduhyszpprk.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1220 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\qdwmcutmduhyszpprk.exe*."3⤵
- Executes dropped EXE
PID:3856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe1⤵PID:3384
-
C:\Windows\htlapgewmcoexdsrs.exehtlapgewmcoexdsrs.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4376
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qdwmcutmduhyszpprk.exe1⤵PID:4872
-
C:\Windows\qdwmcutmduhyszpprk.exeqdwmcutmduhyszpprk.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe .1⤵PID:1940
-
C:\Windows\odyqicdyrkzsoxprvqfa.exeodyqicdyrkzsoxprvqfa.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2652 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\odyqicdyrkzsoxprvqfa.exe*."3⤵
- Executes dropped EXE
PID:1328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe .1⤵PID:1464
-
C:\Windows\dtpibwyuoiyspzsvawmib.exedtpibwyuoiyspzsvawmib.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2712 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\dtpibwyuoiyspzsvawmib.exe*."3⤵
- Executes dropped EXE
PID:2956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe1⤵PID:4368
-
C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exeC:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe1⤵PID:3496
-
C:\Windows\alcqeurixmxmejxv.exealcqeurixmxmejxv.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2540
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe .1⤵PID:5056
-
C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3324 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\htlapgewmcoexdsrs.exe*."3⤵
- Executes dropped EXE
PID:4212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe .1⤵PID:2600
-
C:\Windows\dtpibwyuoiyspzsvawmib.exedtpibwyuoiyspzsvawmib.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4756 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\dtpibwyuoiyspzsvawmib.exe*."3⤵
- Executes dropped EXE
PID:4800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe1⤵PID:632
-
C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exeC:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe .1⤵PID:1664
-
C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exeC:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2296 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\odyqicdyrkzsoxprvqfa.exe*."3⤵
- Executes dropped EXE
PID:5024
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe1⤵PID:3700
-
C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exeC:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe .1⤵PID:1256
-
C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1976 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\htlapgewmcoexdsrs.exe*."3⤵
- Executes dropped EXE
PID:1512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe1⤵PID:744
-
C:\Windows\htlapgewmcoexdsrs.exehtlapgewmcoexdsrs.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe .1⤵PID:3740
-
C:\Windows\odyqicdyrkzsoxprvqfa.exeodyqicdyrkzsoxprvqfa.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2488 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\odyqicdyrkzsoxprvqfa.exe*."3⤵
- Executes dropped EXE
PID:704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe1⤵PID:3784
-
C:\Windows\dtpibwyuoiyspzsvawmib.exedtpibwyuoiyspzsvawmib.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe .1⤵PID:3004
-
C:\Windows\dtpibwyuoiyspzsvawmib.exedtpibwyuoiyspzsvawmib.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:736 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\dtpibwyuoiyspzsvawmib.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe1⤵PID:4936
-
C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3880
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe .1⤵PID:4024
-
C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exeC:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4932 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\odyqicdyrkzsoxprvqfa.exe*."3⤵
- Executes dropped EXE
PID:4884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe1⤵PID:2340
-
C:\Windows\alcqeurixmxmejxv.exealcqeurixmxmejxv.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe1⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ytohhayroedtnkunqvmhc.exe1⤵PID:5048
-
C:\Windows\ytohhayroedtnkunqvmhc.exeytohhayroedtnkunqvmhc.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe .1⤵PID:4064
-
C:\Windows\alcqeurixmxmejxv.exealcqeurixmxmejxv.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2552 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\alcqeurixmxmejxv.exe*."3⤵PID:3468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe .1⤵PID:1516
-
C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exeC:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2956 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\alcqeurixmxmejxv.exe*."3⤵PID:2112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wpizxokbwkhvniqhila.exe .1⤵PID:2008
-
C:\Windows\wpizxokbwkhvniqhila.exewpizxokbwkhvniqhila.exe .2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2560 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\wpizxokbwkhvniqhila.exe*."3⤵PID:4532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe1⤵PID:3448
-
C:\Windows\odyqicdyrkzsoxprvqfa.exeodyqicdyrkzsoxprvqfa.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ytohhayroedtnkunqvmhc.exe1⤵PID:4032
-
C:\Windows\ytohhayroedtnkunqvmhc.exeytohhayroedtnkunqvmhc.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe .1⤵PID:548
-
C:\Windows\htlapgewmcoexdsrs.exehtlapgewmcoexdsrs.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2932 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\htlapgewmcoexdsrs.exe*."3⤵PID:4400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ytohhayroedtnkunqvmhc.exe .1⤵PID:4976
-
C:\Windows\ytohhayroedtnkunqvmhc.exeytohhayroedtnkunqvmhc.exe .2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:704 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ytohhayroedtnkunqvmhc.exe*."3⤵PID:1108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe1⤵PID:4588
-
C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exeC:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe1⤵PID:1688
-
C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exeC:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe .1⤵PID:1180
-
C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exeC:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:724 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\qdwmcutmduhyszpprk.exe*."3⤵PID:2964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe .1⤵PID:3248
-
C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exeC:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe .2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3384 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vlbpkyrfxicncuzn.exe*."3⤵PID:4084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe1⤵PID:3404
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2024
-
-
C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exeC:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe2⤵PID:4408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkzvketmytfvouji.exe1⤵PID:1936
-
C:\Users\Admin\AppData\Local\Temp\ctkzvketmytfvouji.exeC:\Users\Admin\AppData\Local\Temp\ctkzvketmytfvouji.exe2⤵
- System Location Discovery: System Language Discovery
PID:1612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe1⤵PID:2600
-
C:\Windows\dtpibwyuoiyspzsvawmib.exedtpibwyuoiyspzsvawmib.exe2⤵PID:2812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe .1⤵PID:3968
-
C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exeC:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2392 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\dtpibwyuoiyspzsvawmib.exe*."3⤵PID:3936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytohhayroedtnkunqvmhc.exe .1⤵PID:1140
-
C:\Users\Admin\AppData\Local\Temp\ytohhayroedtnkunqvmhc.exeC:\Users\Admin\AppData\Local\Temp\ytohhayroedtnkunqvmhc.exe .2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5084 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\ytohhayroedtnkunqvmhc.exe*."3⤵PID:1620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe .1⤵PID:392
-
C:\Windows\odyqicdyrkzsoxprvqfa.exeodyqicdyrkzsoxprvqfa.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3308 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\odyqicdyrkzsoxprvqfa.exe*."3⤵PID:1840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe1⤵PID:444
-
C:\Windows\odyqicdyrkzsoxprvqfa.exeodyqicdyrkzsoxprvqfa.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bpjarkkewocupxopsma.exe1⤵PID:3344
-
C:\Windows\bpjarkkewocupxopsma.exebpjarkkewocupxopsma.exe2⤵PID:116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe .1⤵PID:1428
-
C:\Windows\odyqicdyrkzsoxprvqfa.exeodyqicdyrkzsoxprvqfa.exe .2⤵
- Checks computer location settings
PID:880 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\odyqicdyrkzsoxprvqfa.exe*."3⤵PID:3780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe .1⤵PID:2568
-
C:\Windows\dtpibwyuoiyspzsvawmib.exedtpibwyuoiyspzsvawmib.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4588 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\dtpibwyuoiyspzsvawmib.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe1⤵PID:744
-
C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exeC:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe2⤵PID:1608
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qdwmcutmduhyszpprk.exe1⤵PID:2560
-
C:\Windows\qdwmcutmduhyszpprk.exeqdwmcutmduhyszpprk.exe2⤵PID:4152
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe .1⤵PID:3068
-
C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exeC:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\qdwmcutmduhyszpprk.exe*."3⤵PID:4200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe .1⤵PID:4452
-
C:\Windows\odyqicdyrkzsoxprvqfa.exeodyqicdyrkzsoxprvqfa.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\odyqicdyrkzsoxprvqfa.exe*."3⤵PID:3380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe1⤵PID:4688
-
C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exeC:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe2⤵PID:1612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe .1⤵PID:2420
-
C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exeC:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3616 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\dtpibwyuoiyspzsvawmib.exe*."3⤵PID:444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe1⤵PID:2896
-
C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exeC:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe2⤵PID:2692
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe .1⤵PID:2932
-
C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exeC:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe .2⤵
- Checks computer location settings
PID:3784 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\odyqicdyrkzsoxprvqfa.exe*."3⤵PID:2988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe1⤵PID:2964
-
C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exeC:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe2⤵PID:4876
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe .1⤵PID:4852
-
C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exeC:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1976 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\alcqeurixmxmejxv.exe*."3⤵PID:4400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe1⤵PID:3308
-
C:\Windows\odyqicdyrkzsoxprvqfa.exeodyqicdyrkzsoxprvqfa.exe2⤵PID:1840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe .1⤵PID:1880
-
C:\Windows\dtpibwyuoiyspzsvawmib.exedtpibwyuoiyspzsvawmib.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3404 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\dtpibwyuoiyspzsvawmib.exe*."3⤵PID:1364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe1⤵PID:1936
-
C:\Windows\dtpibwyuoiyspzsvawmib.exedtpibwyuoiyspzsvawmib.exe2⤵PID:4712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bpjarkkewocupxopsma.exe .1⤵PID:2876
-
C:\Windows\bpjarkkewocupxopsma.exebpjarkkewocupxopsma.exe .2⤵
- Checks computer location settings
PID:3836 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\bpjarkkewocupxopsma.exe*."3⤵PID:3412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe1⤵PID:1876
-
C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exeC:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe2⤵PID:3968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe .1⤵PID:2132
-
C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exeC:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1280 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\bpjarkkewocupxopsma.exe*."3⤵PID:2184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe1⤵PID:4032
-
    [2] C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | PID 2432

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe . | PID 4700
    [2] C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe . | PID 3208
      - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\bpjarkkewocupxopsma.exe*." | PID 1768
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe | PID 1724
    [2] C:\Windows\dtpibwyuoiyspzsvawmib.exe | dtpibwyuoiyspzsvawmib.exe | PID 3004

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qdwmcutmduhyszpprk.exe . | PID 5048
    [2] C:\Windows\qdwmcutmduhyszpprk.exe | qdwmcutmduhyszpprk.exe . | PID 3060
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\qdwmcutmduhyszpprk.exe*." | PID 5024

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qdwmcutmduhyszpprk.exe | PID 244
    [2] C:\Windows\qdwmcutmduhyszpprk.exe | qdwmcutmduhyszpprk.exe | PID 2896

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe . | PID 708
    [2] C:\Windows\odyqicdyrkzsoxprvqfa.exe | odyqicdyrkzsoxprvqfa.exe . | PID 4756
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\odyqicdyrkzsoxprvqfa.exe*." | PID 1464

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 3784
    [2] C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 2988

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe . | PID 4856
    [2] C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe . | PID 3744
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\odyqicdyrkzsoxprvqfa.exe*." | PID 2632

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | PID 548
    [2] C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | PID 1976

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 4704
    [2] C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 460
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\dtpibwyuoiyspzsvawmib.exe*." | PID 2340
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe | PID 1672
    [2] C:\Windows\htlapgewmcoexdsrs.exe | htlapgewmcoexdsrs.exe | PID 1364

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe . | PID 4952
    [2] C:\Windows\dtpibwyuoiyspzsvawmib.exe | dtpibwyuoiyspzsvawmib.exe . | PID 3960
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\dtpibwyuoiyspzsvawmib.exe*." | PID 3484

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe | PID 1664
    [2] C:\Windows\alcqeurixmxmejxv.exe | alcqeurixmxmejxv.exe | PID 3328

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qdwmcutmduhyszpprk.exe . | PID 3128
    [2] C:\Windows\qdwmcutmduhyszpprk.exe | qdwmcutmduhyszpprk.exe . | PID 2248
      - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\qdwmcutmduhyszpprk.exe*." | PID 388

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | PID 3992
    [2] C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | PID 2684

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 1160
    [2] C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 1508
      - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\dtpibwyuoiyspzsvawmib.exe*." | PID 68

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 4960
    [2] C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 3680

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe . | PID 2984
    [2] C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe | C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe . | PID 4212
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\qdwmcutmduhyszpprk.exe*." | PID 3684
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe | PID 116
    [2] C:\Windows\htlapgewmcoexdsrs.exe | htlapgewmcoexdsrs.exe | PID 4228

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe . | PID 2256
    [2] C:\Windows\alcqeurixmxmejxv.exe | alcqeurixmxmejxv.exe . | PID 3616
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\alcqeurixmxmejxv.exe*." | PID 4512

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe | PID 1428
    [2] C:\Windows\alcqeurixmxmejxv.exe | alcqeurixmxmejxv.exe | PID 2956

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe . | PID 4872
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1504
    [2] C:\Windows\htlapgewmcoexdsrs.exe | htlapgewmcoexdsrs.exe . | PID 1052
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\htlapgewmcoexdsrs.exe*." | PID 2536

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 4524
    [2] C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 968

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 1688
    [2] C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 4584
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\dtpibwyuoiyspzsvawmib.exe*." | PID 4156

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 744
    [2] C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 4936

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe . | PID 3560
    [2] C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe . | PID 4928
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\bpjarkkewocupxopsma.exe*." | PID 1692
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe | PID 3908
    [2] C:\Windows\htlapgewmcoexdsrs.exe | htlapgewmcoexdsrs.exe | PID 2540

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe . | PID 4528
    [2] C:\Windows\dtpibwyuoiyspzsvawmib.exe | dtpibwyuoiyspzsvawmib.exe . | PID 4952
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\dtpibwyuoiyspzsvawmib.exe*." | PID 5064

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe | PID 1140
    [2] C:\Windows\odyqicdyrkzsoxprvqfa.exe | odyqicdyrkzsoxprvqfa.exe | PID 3384

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe . | PID 1036
    [2] C:\Windows\dtpibwyuoiyspzsvawmib.exe | dtpibwyuoiyspzsvawmib.exe . | PID 3388
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\dtpibwyuoiyspzsvawmib.exe*." | PID 4960

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | PID 2248
    [2] C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | PID 392

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe | PID 3128
    [2] C:\Windows\htlapgewmcoexdsrs.exe | htlapgewmcoexdsrs.exe | PID 2560

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe . | PID 808
    [2] C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe | C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe . | PID 1840
      - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\qdwmcutmduhyszpprk.exe*." | PID 4492

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jdxpogdvrgetmirjlpfz.exe | PID 3712
    [2] C:\Windows\jdxpogdvrgetmirjlpfz.exe | jdxpogdvrgetmirjlpfz.exe | PID 4700
      - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe . | PID 4696
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2568
    [2] C:\Windows\alcqeurixmxmejxv.exe | alcqeurixmxmejxv.exe . | PID 1220
      - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\alcqeurixmxmejxv.exe*." | PID 4828

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ldvliytjdqmzqkrhhj.exe . | PID 448
    [2] C:\Windows\ldvliytjdqmzqkrhhj.exe | ldvliytjdqmzqkrhhj.exe . | PID 3740
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ldvliytjdqmzqkrhhj.exe*." | PID 2488
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | PID 4632
    [2] C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | PID 4888

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe | PID 3212
    [2] C:\Windows\dtpibwyuoiyspzsvawmib.exe | dtpibwyuoiyspzsvawmib.exe | PID 1432

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe . | PID 5084
    [2] C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe . | PID 4376
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\odyqicdyrkzsoxprvqfa.exe*." | PID 1964

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vlbpkyrfxicncuzn.exe | PID 3512
    [2] C:\Windows\vlbpkyrfxicncuzn.exe | vlbpkyrfxicncuzn.exe | PID 760
      - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe . | PID 3092
    [2] C:\Windows\htlapgewmcoexdsrs.exe | htlapgewmcoexdsrs.exe . | PID 4556
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\htlapgewmcoexdsrs.exe*." | PID 3056

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ldvliytjdqmzqkrhhj.exe . | PID 1216
    [2] C:\Windows\ldvliytjdqmzqkrhhj.exe | ldvliytjdqmzqkrhhj.exe . | PID 4064
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ldvliytjdqmzqkrhhj.exe*." | PID 5092

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | PID 4756
    [2] C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | PID 620

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe | PID 2536
    [2] C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe | C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe | PID 3024

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 1504
    [2] C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 3368
      - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\dtpibwyuoiyspzsvawmib.exe*." | PID 3564

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpizxokbwkhvniqhila.exe . | PID 3448
    [2] C:\Users\Admin\AppData\Local\Temp\wpizxokbwkhvniqhila.exe | C:\Users\Admin\AppData\Local\Temp\wpizxokbwkhvniqhila.exe . | PID 2024
      - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\wpizxokbwkhvniqhila.exe*." | PID 3388

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 4020
    [2] C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 1432

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe | PID 2932
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2652
    [2] C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe | C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe | PID 1680

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe . | PID 4772
    [2] C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe | C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe . | PID 2884
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\qdwmcutmduhyszpprk.exe*." | PID 2876

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe . | PID 1040
    [2] C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe | C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe . | PID 5028
      - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\ldvliytjdqmzqkrhhj.exe*." | PID 4320

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe | PID 4092
    [2] C:\Windows\htlapgewmcoexdsrs.exe | htlapgewmcoexdsrs.exe | PID 3992

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bpjarkkewocupxopsma.exe . | PID 1256
    [2] C:\Windows\bpjarkkewocupxopsma.exe | bpjarkkewocupxopsma.exe . | PID 2204
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\bpjarkkewocupxopsma.exe*." | PID 3584

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bpjarkkewocupxopsma.exe | PID 2172
    [2] C:\Windows\bpjarkkewocupxopsma.exe | bpjarkkewocupxopsma.exe | PID 908

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe . | PID 2988
    [2] C:\Windows\alcqeurixmxmejxv.exe | alcqeurixmxmejxv.exe . | PID 4848
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\alcqeurixmxmejxv.exe*." | PID 2676

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | PID 4352
    [2] C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | PID 1672

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe . | PID 1724
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1364
    [2] C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe | C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe . | PID 2612
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\qdwmcutmduhyszpprk.exe*." | PID 724

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe | PID 4832
    [2] C:\Windows\htlapgewmcoexdsrs.exe | htlapgewmcoexdsrs.exe | PID 4556

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | PID 2436
    [2] C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | PID 5084

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe . | PID 4084
    [2] C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe . | PID 1680
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\alcqeurixmxmejxv.exe*." | PID 2064

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe . | PID 4524
    [2] C:\Windows\htlapgewmcoexdsrs.exe | htlapgewmcoexdsrs.exe . | PID 4032
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\htlapgewmcoexdsrs.exe*." | PID 4388

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe | PID 1584
    [2] C:\Windows\alcqeurixmxmejxv.exe | alcqeurixmxmejxv.exe | PID 968

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe . | PID 2116
    [2] C:\Windows\odyqicdyrkzsoxprvqfa.exe | odyqicdyrkzsoxprvqfa.exe . | PID 2220
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\odyqicdyrkzsoxprvqfa.exe*." | PID 4836

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | PID 444
    [2] C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | PID 4944

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe . | PID 1940
    [2] C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe . | PID 2964
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\alcqeurixmxmejxv.exe*." | PID 2184

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe | PID 4092
    [2] C:\Windows\odyqicdyrkzsoxprvqfa.exe | odyqicdyrkzsoxprvqfa.exe | PID 3856

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | PID 3680
    [2] C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | PID 2404

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 2876
    [2] C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 4632
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\dtpibwyuoiyspzsvawmib.exe*." | PID 464

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bpjarkkewocupxopsma.exe . | PID 2600
    [2] C:\Windows\bpjarkkewocupxopsma.exe | bpjarkkewocupxopsma.exe . | PID 1352
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\bpjarkkewocupxopsma.exe*." | PID 2976

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe | PID 2420
    [2] C:\Windows\alcqeurixmxmejxv.exe | alcqeurixmxmejxv.exe | PID 2692

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe . | PID 4696
    [2] C:\Windows\odyqicdyrkzsoxprvqfa.exe | odyqicdyrkzsoxprvqfa.exe . | PID 3380
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\odyqicdyrkzsoxprvqfa.exe*." | PID 3012

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | PID 1964
    [2] C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | PID 3880

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe . | PID 3444
    [2] C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe . | PID 804
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\odyqicdyrkzsoxprvqfa.exe*." | PID 1532

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe | PID 4904
    [2] C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe | C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe | PID 1216

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 1680
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4800
    [2] C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 1604
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\dtpibwyuoiyspzsvawmib.exe*." | PID 3080
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe | PID 2288
    [2] C:\Windows\alcqeurixmxmejxv.exe | alcqeurixmxmejxv.exe | PID 444

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe . | PID 1612
    [2] C:\Windows\odyqicdyrkzsoxprvqfa.exe | odyqicdyrkzsoxprvqfa.exe . | PID 1856
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\odyqicdyrkzsoxprvqfa.exe*." | PID 2896

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe | PID 4888
    [2] C:\Windows\odyqicdyrkzsoxprvqfa.exe | odyqicdyrkzsoxprvqfa.exe | PID 4184

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qdwmcutmduhyszpprk.exe . | PID 1692
    [2] C:\Windows\qdwmcutmduhyszpprk.exe | qdwmcutmduhyszpprk.exe . | PID 4380
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\qdwmcutmduhyszpprk.exe*." | PID 4700

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe | PID 4320
    [2] C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe | C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe | PID 3680

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe . | PID 4472
    [2] C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe . | PID 4964
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\bpjarkkewocupxopsma.exe*." | PID 4632

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | PID 4776
    [2] C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | PID 3300

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe . | PID 3480
    [2] C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe . | PID 1316
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\alcqeurixmxmejxv.exe*." | PID 4588

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe | PID 1512
    [2] C:\Windows\alcqeurixmxmejxv.exe | alcqeurixmxmejxv.exe | PID 3212

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe . | PID 2508
    [2] C:\Windows\odyqicdyrkzsoxprvqfa.exe | odyqicdyrkzsoxprvqfa.exe . | PID 2020
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\odyqicdyrkzsoxprvqfa.exe*." | PID 3056

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe | PID 3004
    [2] C:\Windows\alcqeurixmxmejxv.exe | alcqeurixmxmejxv.exe | PID 4556

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bpjarkkewocupxopsma.exe . | PID 1988
    [2] C:\Windows\bpjarkkewocupxopsma.exe | bpjarkkewocupxopsma.exe . | PID 432
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\bpjarkkewocupxopsma.exe*." | PID 1596

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 1036
    [2] C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 2296

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe . | PID 4476
    [2] C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe | C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe . | PID 4152
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\qdwmcutmduhyszpprk.exe*." | PID 2968

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | PID 1280
    [2] C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | PID 3008

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe . | PID 2348
    [2] C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe . | PID 3964
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\bpjarkkewocupxopsma.exe*." | PID 4772

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe | PID 3944
    [2] C:\Windows\htlapgewmcoexdsrs.exe | htlapgewmcoexdsrs.exe | PID 760

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bpjarkkewocupxopsma.exe . | PID 4320
    [2] C:\Windows\bpjarkkewocupxopsma.exe | bpjarkkewocupxopsma.exe . | PID 2120
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\bpjarkkewocupxopsma.exe*." | PID 4504

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe | PID 448
    [2] C:\Windows\dtpibwyuoiyspzsvawmib.exe | dtpibwyuoiyspzsvawmib.exe | PID 2976

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bpjarkkewocupxopsma.exe . | PID 1836
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3384
    [2] C:\Windows\bpjarkkewocupxopsma.exe | bpjarkkewocupxopsma.exe . | PID 1608
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\bpjarkkewocupxopsma.exe*." | PID 1936

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | PID 4776
    [2] C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | PID 2928

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe . | PID 4664
    [2] C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe . | PID 2420
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\odyqicdyrkzsoxprvqfa.exe*." | PID 620

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | PID 2612
    [2] C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | PID 4920

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe . | PID 3328
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4212
    [2] C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe . | PID 1364
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\odyqicdyrkzsoxprvqfa.exe*." | PID 388

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bpjarkkewocupxopsma.exe | PID 460
    [2] C:\Windows\bpjarkkewocupxopsma.exe | bpjarkkewocupxopsma.exe | PID 3240

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe . | PID 4872
    [2] C:\Windows\dtpibwyuoiyspzsvawmib.exe | dtpibwyuoiyspzsvawmib.exe . | PID 1108
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\dtpibwyuoiyspzsvawmib.exe*." | PID 4388

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe | PID 2220
    [2] C:\Windows\odyqicdyrkzsoxprvqfa.exe | odyqicdyrkzsoxprvqfa.exe | PID 1504

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe . | PID 2968
    [2] C:\Windows\alcqeurixmxmejxv.exe | alcqeurixmxmejxv.exe . | PID 3816
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\alcqeurixmxmejxv.exe*." | PID 2008

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | PID 4816
    [2] C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | PID 2964

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe . | PID 3992
    [2] C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe . | PID 4932
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\bpjarkkewocupxopsma.exe*." | PID 1180

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | PID 2040
    [2] C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | PID 3944

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 704
    [2] C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 4680
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\dtpibwyuoiyspzsvawmib.exe*." | PID 2976

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bpjarkkewocupxopsma.exe | PID 4504
    [2] C:\Windows\bpjarkkewocupxopsma.exe | bpjarkkewocupxopsma.exe | PID 4400

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ytohhayroedtnkunqvmhc.exe | PID 2460
    [2] C:\Windows\ytohhayroedtnkunqvmhc.exe | ytohhayroedtnkunqvmhc.exe | PID 2988

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe . | PID 636
    [2] C:\Windows\dtpibwyuoiyspzsvawmib.exe | dtpibwyuoiyspzsvawmib.exe . | PID 4664
        [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\dtpibwyuoiyspzsvawmib.exe*." | PID 1604
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ldvliytjdqmzqkrhhj.exe .1⤵PID:2692
-
C:\Windows\ldvliytjdqmzqkrhhj.exeldvliytjdqmzqkrhhj.exe .2⤵PID:2092
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ldvliytjdqmzqkrhhj.exe*."3⤵PID:4904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bpjarkkewocupxopsma.exe1⤵PID:4448
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:736
-
-
C:\Windows\bpjarkkewocupxopsma.exebpjarkkewocupxopsma.exe2⤵PID:3956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ldvliytjdqmzqkrhhj.exe1⤵PID:3076
-
C:\Windows\ldvliytjdqmzqkrhhj.exeldvliytjdqmzqkrhhj.exe2⤵PID:1108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qdwmcutmduhyszpprk.exe .1⤵PID:724
-
C:\Windows\qdwmcutmduhyszpprk.exeqdwmcutmduhyszpprk.exe .2⤵PID:3412
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\qdwmcutmduhyszpprk.exe*."3⤵PID:4400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe1⤵PID:3880
-
C:\Windows\odyqicdyrkzsoxprvqfa.exeodyqicdyrkzsoxprvqfa.exe2⤵PID:1420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wpizxokbwkhvniqhila.exe .1⤵PID:4832
-
C:\Windows\wpizxokbwkhvniqhila.exewpizxokbwkhvniqhila.exe .2⤵PID:2964
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\wpizxokbwkhvniqhila.exe*."3⤵PID:448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe1⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exeC:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe2⤵PID:2092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpizxokbwkhvniqhila.exe1⤵PID:968
-
C:\Users\Admin\AppData\Local\Temp\wpizxokbwkhvniqhila.exeC:\Users\Admin\AppData\Local\Temp\wpizxokbwkhvniqhila.exe2⤵PID:4528
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe .1⤵PID:3240
-
C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exeC:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe .2⤵PID:2500
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\qdwmcutmduhyszpprk.exe*."3⤵PID:1976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe .1⤵PID:512
-
C:\Windows\htlapgewmcoexdsrs.exehtlapgewmcoexdsrs.exe .2⤵PID:4704
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\htlapgewmcoexdsrs.exe*."3⤵PID:3604
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe .1⤵PID:2488
-
C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exeC:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe .2⤵PID:1192
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vlbpkyrfxicncuzn.exe*."3⤵PID:2052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe1⤵PID:1768
-
C:\Windows\odyqicdyrkzsoxprvqfa.exeodyqicdyrkzsoxprvqfa.exe2⤵PID:5044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe1⤵PID:2932
-
C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exeC:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe2⤵PID:4368
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe .1⤵PID:3428
-
C:\Windows\dtpibwyuoiyspzsvawmib.exedtpibwyuoiyspzsvawmib.exe .2⤵PID:3060
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\dtpibwyuoiyspzsvawmib.exe*."3⤵PID:4608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exe1⤵PID:708
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4588
-
-
C:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exeC:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exe2⤵PID:4876
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe .1⤵PID:3440
-
C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exeC:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe .2⤵PID:4080
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\qdwmcutmduhyszpprk.exe*."3⤵PID:1188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe1⤵PID:4960
-
C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exeC:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe2⤵PID:704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe .1⤵PID:2248
-
C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe .2⤵PID:2132
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\ldvliytjdqmzqkrhhj.exe*."3⤵PID:3480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe .1⤵PID:2120
-
C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exeC:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe .2⤵PID:2368
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\alcqeurixmxmejxv.exe*."3⤵PID:3784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe1⤵PID:4092
-
C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe2⤵PID:4912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe .1⤵PID:1432
-
C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exeC:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe .2⤵PID:2608
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\alcqeurixmxmejxv.exe*."3⤵PID:4764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bpjarkkewocupxopsma.exe1⤵PID:2956
-
C:\Windows\bpjarkkewocupxopsma.exebpjarkkewocupxopsma.exe2⤵PID:3736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe1⤵PID:448
-
C:\Windows\alcqeurixmxmejxv.exealcqeurixmxmejxv.exe2⤵PID:3692
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qdwmcutmduhyszpprk.exe .1⤵PID:632
-
C:\Windows\qdwmcutmduhyszpprk.exeqdwmcutmduhyszpprk.exe .2⤵PID:4440
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\qdwmcutmduhyszpprk.exe*."3⤵PID:3496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bpjarkkewocupxopsma.exe .1⤵PID:1220
-
C:\Windows\bpjarkkewocupxopsma.exebpjarkkewocupxopsma.exe .2⤵PID:2056
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\bpjarkkewocupxopsma.exe*."3⤵PID:2976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe1⤵PID:4920
-
C:\Windows\htlapgewmcoexdsrs.exehtlapgewmcoexdsrs.exe2⤵PID:2116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe1⤵PID:4420
-
C:\Windows\alcqeurixmxmejxv.exealcqeurixmxmejxv.exe2⤵PID:3964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe .1⤵PID:1108
-
C:\Windows\dtpibwyuoiyspzsvawmib.exedtpibwyuoiyspzsvawmib.exe .2⤵PID:3856
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\dtpibwyuoiyspzsvawmib.exe*."3⤵PID:2392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qdwmcutmduhyszpprk.exe .1⤵PID:512
-
C:\Windows\qdwmcutmduhyszpprk.exeqdwmcutmduhyszpprk.exe .2⤵PID:2500
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\qdwmcutmduhyszpprk.exe*."3⤵PID:2764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe1⤵PID:4184
-
C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe2⤵PID:3576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe1⤵PID:4352
-
C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exeC:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe2⤵PID:4032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe .1⤵PID:4532
-
C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exeC:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe .2⤵PID:2516
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\qdwmcutmduhyszpprk.exe*."3⤵PID:208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe .1⤵PID:4444
-
C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exeC:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe .2⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\dtpibwyuoiyspzsvawmib.exe*."3⤵PID:448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe1⤵PID:1140
-
C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exeC:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe2⤵PID:2568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe1⤵PID:2112
-
C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exeC:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe2⤵PID:3776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe .1⤵PID:5048
-
C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exeC:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe .2⤵PID:4948
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\bpjarkkewocupxopsma.exe*."3⤵PID:4512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe .1⤵PID:904
-
C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exeC:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe .2⤵PID:2964
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\odyqicdyrkzsoxprvqfa.exe*."3⤵PID:908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe1⤵PID:1352
-
C:\Windows\dtpibwyuoiyspzsvawmib.exedtpibwyuoiyspzsvawmib.exe2⤵PID:4976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bpjarkkewocupxopsma.exe .1⤵PID:4904
-
C:\Windows\bpjarkkewocupxopsma.exebpjarkkewocupxopsma.exe .2⤵PID:244
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\bpjarkkewocupxopsma.exe*."3⤵PID:3564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe1⤵PID:3036
-
C:\Windows\htlapgewmcoexdsrs.exehtlapgewmcoexdsrs.exe2⤵PID:968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe .1⤵PID:3444
-
C:\Windows\alcqeurixmxmejxv.exealcqeurixmxmejxv.exe .2⤵PID:2896
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\alcqeurixmxmejxv.exe*."3⤵PID:3452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe1⤵PID:1316
-
C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exeC:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe2⤵PID:4252
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe .1⤵PID:2092
-
C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe .2⤵PID:4708
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\htlapgewmcoexdsrs.exe*."3⤵PID:3952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe1⤵PID:2232
-
C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe2⤵PID:3836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe .1⤵PID:1036
-
C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exeC:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe .2⤵PID:2348
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\alcqeurixmxmejxv.exe*."3⤵PID:2812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe1⤵PID:1880
-
C:\Windows\dtpibwyuoiyspzsvawmib.exedtpibwyuoiyspzsvawmib.exe2⤵PID:4228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe .1⤵PID:1688
-
C:\Windows\htlapgewmcoexdsrs.exehtlapgewmcoexdsrs.exe .2⤵PID:1732
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\htlapgewmcoexdsrs.exe*."3⤵PID:1932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe1⤵PID:4768
-
C:\Windows\odyqicdyrkzsoxprvqfa.exeodyqicdyrkzsoxprvqfa.exe2⤵PID:1756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe .1⤵PID:4928
-
C:\Windows\htlapgewmcoexdsrs.exehtlapgewmcoexdsrs.exe .2⤵PID:1660
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\htlapgewmcoexdsrs.exe*."3⤵PID:1872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe1⤵PID:4788
-
C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exeC:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe2⤵PID:3512
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe .1⤵PID:1768
-
C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exeC:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe .2⤵PID:432
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\qdwmcutmduhyszpprk.exe*."3⤵PID:1692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe1⤵PID:4704
-
C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exeC:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe2⤵PID:536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe .1⤵PID:2040
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3880
-
-
C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe .2⤵PID:388
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\htlapgewmcoexdsrs.exe*."3⤵PID:1608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe1⤵PID:544
-
C:\Windows\htlapgewmcoexdsrs.exehtlapgewmcoexdsrs.exe2⤵PID:632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe .1⤵PID:1852
-
C:\Windows\htlapgewmcoexdsrs.exehtlapgewmcoexdsrs.exe .2⤵PID:4884
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\htlapgewmcoexdsrs.exe*."3⤵PID:4320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe1⤵PID:392
-
C:\Windows\odyqicdyrkzsoxprvqfa.exeodyqicdyrkzsoxprvqfa.exe2⤵PID:2116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qdwmcutmduhyszpprk.exe .1⤵PID:3444
-
C:\Windows\qdwmcutmduhyszpprk.exeqdwmcutmduhyszpprk.exe .2⤵PID:808
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\qdwmcutmduhyszpprk.exe*."3⤵PID:2184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe1⤵PID:464
-
C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exeC:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe2⤵PID:2536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe .1⤵PID:3952
-
C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exeC:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe .2⤵PID:2232
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\dtpibwyuoiyspzsvawmib.exe*."3⤵PID:4452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe1⤵PID:2576
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3004
-
-
C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exeC:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe2⤵PID:448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe .1⤵PID:1036
-
C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exeC:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe .2⤵PID:4816
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\bpjarkkewocupxopsma.exe*."3⤵PID:4532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe1⤵PID:4888
-
C:\Windows\odyqicdyrkzsoxprvqfa.exeodyqicdyrkzsoxprvqfa.exe2⤵PID:760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bpjarkkewocupxopsma.exe .1⤵PID:2540
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2432
-
-
C:\Windows\bpjarkkewocupxopsma.exebpjarkkewocupxopsma.exe .2⤵PID:4376
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\bpjarkkewocupxopsma.exe*."3⤵PID:1484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe1⤵PID:2928
-
C:\Windows\alcqeurixmxmejxv.exealcqeurixmxmejxv.exe2⤵PID:4184
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe .1⤵PID:3440
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1620
-
-
C:\Windows\odyqicdyrkzsoxprvqfa.exeodyqicdyrkzsoxprvqfa.exe .2⤵PID:1692
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\odyqicdyrkzsoxprvqfa.exe*."3⤵PID:3908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe1⤵PID:4872
-
C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe2⤵PID:5020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe .1⤵PID:4484
-
C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe .2⤵PID:1408
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\htlapgewmcoexdsrs.exe*."3⤵PID:3880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe1⤵PID:2976
-
C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe2⤵PID:724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe .1⤵PID:3380
-
C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exeC:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe .2⤵PID:3700
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\bpjarkkewocupxopsma.exe*."3⤵PID:3404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe1⤵PID:1852
-
C:\Windows\htlapgewmcoexdsrs.exehtlapgewmcoexdsrs.exe2⤵PID:4032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qdwmcutmduhyszpprk.exe .1⤵PID:3892
-
C:\Windows\qdwmcutmduhyszpprk.exeqdwmcutmduhyszpprk.exe .2⤵PID:1420
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\qdwmcutmduhyszpprk.exe*."3⤵PID:1364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vlbpkyrfxicncuzn.exe1⤵PID:1032
-
C:\Windows\vlbpkyrfxicncuzn.exevlbpkyrfxicncuzn.exe2⤵PID:2344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qdwmcutmduhyszpprk.exe1⤵PID:528
-
C:\Windows\qdwmcutmduhyszpprk.exeqdwmcutmduhyszpprk.exe2⤵PID:636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe1⤵PID:3128
-
C:\Windows\alcqeurixmxmejxv.exealcqeurixmxmejxv.exe2⤵PID:2576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qdwmcutmduhyszpprk.exe .1⤵PID:208
-
C:\Windows\qdwmcutmduhyszpprk.exeqdwmcutmduhyszpprk.exe .2⤵PID:3912
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\qdwmcutmduhyszpprk.exe*."3⤵PID:2064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ytohhayroedtnkunqvmhc.exe .1⤵PID:4800
-
C:\Windows\ytohhayroedtnkunqvmhc.exeytohhayroedtnkunqvmhc.exe .2⤵PID:2560
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ytohhayroedtnkunqvmhc.exe*."3⤵PID:4764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe .1⤵PID:5032
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4408
-
-
C:\Windows\alcqeurixmxmejxv.exealcqeurixmxmejxv.exe .2⤵PID:3660
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\alcqeurixmxmejxv.exe*."3⤵PID:2600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe1⤵PID:1440
-
C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exeC:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe2⤵PID:908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe .1⤵PID:1036
-
C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe .2⤵PID:400
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\htlapgewmcoexdsrs.exe*."3⤵PID:2504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vlbpkyrfxicncuzn.exe1⤵PID:4176
-
C:\Windows\vlbpkyrfxicncuzn.exevlbpkyrfxicncuzn.exe2⤵PID:4032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe1⤵PID:1256
-
C:\Windows\odyqicdyrkzsoxprvqfa.exeodyqicdyrkzsoxprvqfa.exe2⤵PID:1616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jdxpogdvrgetmirjlpfz.exe .1⤵PID:1660
-
C:\Windows\jdxpogdvrgetmirjlpfz.exejdxpogdvrgetmirjlpfz.exe .2⤵PID:2392
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\jdxpogdvrgetmirjlpfz.exe*."3⤵PID:1504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe .1⤵PID:2752
-
C:\Windows\dtpibwyuoiyspzsvawmib.exedtpibwyuoiyspzsvawmib.exe .2⤵PID:4432
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\dtpibwyuoiyspzsvawmib.exe*."3⤵PID:2132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytohhayroedtnkunqvmhc.exe1⤵PID:2460
-
C:\Users\Admin\AppData\Local\Temp\ytohhayroedtnkunqvmhc.exeC:\Users\Admin\AppData\Local\Temp\ytohhayroedtnkunqvmhc.exe2⤵PID:4920
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe1⤵PID:3576
-
C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exeC:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe2⤵PID:2092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe1⤵PID:2368
-
C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exeC:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe2⤵PID:1688
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exe .1⤵PID:5020
-
C:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exeC:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exe .2⤵PID:3816
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\jdxpogdvrgetmirjlpfz.exe*."3⤵PID:4452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe .1⤵PID:4928
-
C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exeC:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe .2⤵PID:2536
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\dtpibwyuoiyspzsvawmib.exe*."3⤵PID:4028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe .1⤵PID:432
-
C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exeC:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe .2⤵PID:2988
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\alcqeurixmxmejxv.exe*."3⤵PID:4664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytohhayroedtnkunqvmhc.exe1⤵PID:2692
-
C:\Users\Admin\AppData\Local\Temp\ytohhayroedtnkunqvmhc.exeC:\Users\Admin\AppData\Local\Temp\ytohhayroedtnkunqvmhc.exe2⤵PID:1684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe1⤵PID:1596
-
C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exeC:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe2⤵PID:2404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exe .1⤵PID:3944
-
C:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exeC:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exe .2⤵PID:1940
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\jdxpogdvrgetmirjlpfz.exe*."3⤵PID:3484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe .1⤵PID:3664
-
Process tree, continued (image | command line | PID; indented by tree depth):

  C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe . | PID 5048
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\htlapgewmcoexdsrs.exe*." | PID 1180

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qdwmcutmduhyszpprk.exe | PID 2256
  C:\Windows\qdwmcutmduhyszpprk.exe | qdwmcutmduhyszpprk.exe | PID 4476

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe . | PID 4448
  C:\Windows\htlapgewmcoexdsrs.exe | htlapgewmcoexdsrs.exe . | PID 2488
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\htlapgewmcoexdsrs.exe*." | PID 3660

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe | PID 1452
  C:\Windows\htlapgewmcoexdsrs.exe | htlapgewmcoexdsrs.exe | PID 2596

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bpjarkkewocupxopsma.exe . | PID 2600
  C:\Windows\bpjarkkewocupxopsma.exe | bpjarkkewocupxopsma.exe . | PID 1608
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\bpjarkkewocupxopsma.exe*." | PID 4884

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | PID 1820
  C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | PID 4176

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe . | PID 4632
  C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe . | PID 3776
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\alcqeurixmxmejxv.exe*." | PID 1768

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qdwmcutmduhyszpprk.exe | PID 2968
  C:\Windows\qdwmcutmduhyszpprk.exe | qdwmcutmduhyszpprk.exe | PID 4904

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | PID 2612
  C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | PID 5060

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 1140
  C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 692
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\dtpibwyuoiyspzsvawmib.exe*." | PID 2256

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe . | PID 2976
  C:\Windows\dtpibwyuoiyspzsvawmib.exe | dtpibwyuoiyspzsvawmib.exe . | PID 2420
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\dtpibwyuoiyspzsvawmib.exe*." | PID 3668

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bpjarkkewocupxopsma.exe | PID 1280
  C:\Windows\bpjarkkewocupxopsma.exe | bpjarkkewocupxopsma.exe | PID 2144

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe . | PID 4696
  C:\Windows\htlapgewmcoexdsrs.exe | htlapgewmcoexdsrs.exe . | PID 1616
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\htlapgewmcoexdsrs.exe*." | PID 1604

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 4876
  C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 2488

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe . | PID 3388
  C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe . | PID 536
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\odyqicdyrkzsoxprvqfa.exe*." | PID 3680

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe | PID 3952
  C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe | C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe | PID 4608

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe | PID 4016
  C:\Windows\alcqeurixmxmejxv.exe | alcqeurixmxmejxv.exe | PID 2348

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe . | PID 1256
  C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe | C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe . | PID 3036
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\qdwmcutmduhyszpprk.exe*." | PID 1428

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe . | PID 4504
  C:\Windows\odyqicdyrkzsoxprvqfa.exe | odyqicdyrkzsoxprvqfa.exe . | PID 1212
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\odyqicdyrkzsoxprvqfa.exe*." | PID 4440

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe | PID 2712
  C:\Windows\alcqeurixmxmejxv.exe | alcqeurixmxmejxv.exe | PID 4872

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe . | PID 1504
  C:\Windows\odyqicdyrkzsoxprvqfa.exe | odyqicdyrkzsoxprvqfa.exe . | PID 4224
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\odyqicdyrkzsoxprvqfa.exe*." | PID 2984

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 4080
  C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 4468

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe . | PID 2932
  C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe . | PID 444
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\alcqeurixmxmejxv.exe*." | PID 3816

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | PID 1420
  C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | PID 4836

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe . | PID 2104
  C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe . | PID 3340
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\htlapgewmcoexdsrs.exe*." | PID 4980

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe | PID 3324
  C:\Windows\odyqicdyrkzsoxprvqfa.exe | odyqicdyrkzsoxprvqfa.exe | PID 1280

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe . | PID 4948
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4400
  C:\Windows\alcqeurixmxmejxv.exe | alcqeurixmxmejxv.exe . | PID 3308
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\alcqeurixmxmejxv.exe*." | PID 2488

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe | PID 1512
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3960
  C:\Windows\htlapgewmcoexdsrs.exe | htlapgewmcoexdsrs.exe | PID 2684

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bpjarkkewocupxopsma.exe . | PID 3616
  C:\Windows\bpjarkkewocupxopsma.exe | bpjarkkewocupxopsma.exe . | PID 1108
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\bpjarkkewocupxopsma.exe*." | PID 4764

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 4852
  C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 736

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 3544
  C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 3452
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\dtpibwyuoiyspzsvawmib.exe*." | PID 512

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 3692
  C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 2600

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe . | PID 4016
  C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe | C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe . | PID 1840
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\qdwmcutmduhyszpprk.exe*." | PID 840

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe | PID 1608
  C:\Windows\alcqeurixmxmejxv.exe | alcqeurixmxmejxv.exe | PID 4872

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe . | PID 2056
  C:\Windows\htlapgewmcoexdsrs.exe | htlapgewmcoexdsrs.exe . | PID 3080
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\htlapgewmcoexdsrs.exe*." | PID 4776

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe | PID 4080
  C:\Windows\dtpibwyuoiyspzsvawmib.exe | dtpibwyuoiyspzsvawmib.exe | PID 2964

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe . | PID 3908
  C:\Windows\htlapgewmcoexdsrs.exe | htlapgewmcoexdsrs.exe . | PID 3048
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\htlapgewmcoexdsrs.exe*." | PID 3552

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | PID 4204
  C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | PID 2692

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 4548
  C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 1408
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\dtpibwyuoiyspzsvawmib.exe*." | PID 3968

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | PID 4664
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2184
  C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | PID 4976

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe . | PID 2064
  C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe | C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe . | PID 3564
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\qdwmcutmduhyszpprk.exe*." | PID 1280

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe | PID 116
  C:\Windows\dtpibwyuoiyspzsvawmib.exe | dtpibwyuoiyspzsvawmib.exe | PID 1140

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe . | PID 2680
  C:\Windows\dtpibwyuoiyspzsvawmib.exe | dtpibwyuoiyspzsvawmib.exe . | PID 1304
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\dtpibwyuoiyspzsvawmib.exe*." | PID 3684

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe | PID 1180
  C:\Windows\htlapgewmcoexdsrs.exe | htlapgewmcoexdsrs.exe | PID 3412

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qdwmcutmduhyszpprk.exe . | PID 4316
  C:\Windows\qdwmcutmduhyszpprk.exe | qdwmcutmduhyszpprk.exe . | PID 3616
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\qdwmcutmduhyszpprk.exe*." | PID 4212

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 2956
  C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 4448

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe . | PID 3452
  C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe . | PID 4528
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\alcqeurixmxmejxv.exe*." | PID 1732

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | PID 4184
  C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | PID 4420

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 1612
  C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 2404
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\dtpibwyuoiyspzsvawmib.exe*." | PID 1756

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe | PID 1548
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1608
  C:\Windows\alcqeurixmxmejxv.exe | alcqeurixmxmejxv.exe | PID 1692

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe . | PID 4224
  C:\Windows\dtpibwyuoiyspzsvawmib.exe | dtpibwyuoiyspzsvawmib.exe . | PID 3784
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\dtpibwyuoiyspzsvawmib.exe*." | PID 2368

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe | PID 2964
  C:\Windows\odyqicdyrkzsoxprvqfa.exe | odyqicdyrkzsoxprvqfa.exe | PID 2692

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe . | PID 1040
  C:\Windows\dtpibwyuoiyspzsvawmib.exe | dtpibwyuoiyspzsvawmib.exe . | PID 3552
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\dtpibwyuoiyspzsvawmib.exe*." | PID 704

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe | PID 2436
  C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe | C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe | PID 4380

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe . | PID 3776
  C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe . | PID 1352
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\alcqeurixmxmejxv.exe*." | PID 2104

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wpizxokbwkhvniqhila.exe | PID 2612
  C:\Windows\wpizxokbwkhvniqhila.exe | wpizxokbwkhvniqhila.exe | PID 2144

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 1364
  C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 3324

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe | PID 3564
  C:\Windows\alcqeurixmxmejxv.exe | alcqeurixmxmejxv.exe | PID 3664

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe . | PID 2968
  C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe . | PID 1616
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\htlapgewmcoexdsrs.exe*." | PID 3660

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ldvliytjdqmzqkrhhj.exe . | PID 1856
  C:\Windows\ldvliytjdqmzqkrhhj.exe | ldvliytjdqmzqkrhhj.exe . | PID 4376
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ldvliytjdqmzqkrhhj.exe*." | PID 3712

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe . | PID 1836
  C:\Windows\alcqeurixmxmejxv.exe | alcqeurixmxmejxv.exe . | PID 4412
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\alcqeurixmxmejxv.exe*." | PID 3444

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ldvliytjdqmzqkrhhj.exe | PID 4428
  C:\Windows\ldvliytjdqmzqkrhhj.exe | ldvliytjdqmzqkrhhj.exe | PID 1052

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe | PID 3456
  C:\Windows\alcqeurixmxmejxv.exe | alcqeurixmxmejxv.exe | PID 3384

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ctkzvketmytfvouji.exe . | PID 968
  C:\Windows\ctkzvketmytfvouji.exe | ctkzvketmytfvouji.exe . | PID 3700
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ctkzvketmytfvouji.exe*." | PID 4556

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe . | PID 2192
  C:\Windows\alcqeurixmxmejxv.exe | alcqeurixmxmejxv.exe . | PID 4408
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\alcqeurixmxmejxv.exe*." | PID 3552

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exe | PID 1316
  C:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exe | C:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exe | PID 4080

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytohhayroedtnkunqvmhc.exe . | PID 3680
  C:\Users\Admin\AppData\Local\Temp\ytohhayroedtnkunqvmhc.exe | C:\Users\Admin\AppData\Local\Temp\ytohhayroedtnkunqvmhc.exe . | PID 1548
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\ytohhayroedtnkunqvmhc.exe*." | PID 704

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | PID 1604
  C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | PID 632

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe . | PID 5036
  C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe . | PID 4448
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\alcqeurixmxmejxv.exe*." | PID 2504

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpizxokbwkhvniqhila.exe | PID 1212
  C:\Users\Admin\AppData\Local\Temp\wpizxokbwkhvniqhila.exe | C:\Users\Admin\AppData\Local\Temp\wpizxokbwkhvniqhila.exe | PID 2632

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe . | PID 4464
  C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe | C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe . | PID 444
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\ldvliytjdqmzqkrhhj.exe*." | PID 1596

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | PID 3336
  C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | PID 708

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe | PID 4064
  C:\Windows\odyqicdyrkzsoxprvqfa.exe | odyqicdyrkzsoxprvqfa.exe | PID 4828

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe . | PID 3784
  C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe . | PID 3564
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\alcqeurixmxmejxv.exe*." | PID 4068

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe . | PID 4380
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4152
  C:\Windows\htlapgewmcoexdsrs.exe | htlapgewmcoexdsrs.exe . | PID 1696
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\htlapgewmcoexdsrs.exe*." | PID 3936

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe | PID 5016
  C:\Windows\odyqicdyrkzsoxprvqfa.exe | odyqicdyrkzsoxprvqfa.exe | PID 2132

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qdwmcutmduhyszpprk.exe . | PID 1504
  C:\Windows\qdwmcutmduhyszpprk.exe | qdwmcutmduhyszpprk.exe . | PID 4352
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\qdwmcutmduhyszpprk.exe*." | PID 4224

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 116
  C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | C:\Users\Admin\AppData\Local\Temp\bpjarkkewocupxopsma.exe | PID 3544

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe . | PID 2560
  C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe | C:\Users\Admin\AppData\Local\Temp\alcqeurixmxmejxv.exe . | PID 4852
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\alcqeurixmxmejxv.exe*." | PID 2552

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | PID 4336
  C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | PID 3208

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe . | PID 4932
  C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe . | PID 1304
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\odyqicdyrkzsoxprvqfa.exe*." | PID 1836

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qdwmcutmduhyszpprk.exe | PID 4556
  C:\Windows\qdwmcutmduhyszpprk.exe | qdwmcutmduhyszpprk.exe | PID 3576

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe | PID 4028
  C:\Windows\odyqicdyrkzsoxprvqfa.exe | odyqicdyrkzsoxprvqfa.exe | PID 3440

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dtpibwyuoiyspzsvawmib.exe . | PID 2632
  C:\Windows\dtpibwyuoiyspzsvawmib.exe | dtpibwyuoiyspzsvawmib.exe . | PID 4144
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\dtpibwyuoiyspzsvawmib.exe*." | PID 2744

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c odyqicdyrkzsoxprvqfa.exe . | PID 704
  C:\Windows\odyqicdyrkzsoxprvqfa.exe | odyqicdyrkzsoxprvqfa.exe . | PID 1036
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\odyqicdyrkzsoxprvqfa.exe*." | PID 2612

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c alcqeurixmxmejxv.exe | PID 3940
  C:\Windows\alcqeurixmxmejxv.exe | alcqeurixmxmejxv.exe | PID 4496

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c htlapgewmcoexdsrs.exe . | PID 3128
  C:\Windows\htlapgewmcoexdsrs.exe | htlapgewmcoexdsrs.exe . | PID 4688
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\htlapgewmcoexdsrs.exe*." | PID 620

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bpjarkkewocupxopsma.exe | PID 1256
  C:\Windows\bpjarkkewocupxopsma.exe | bpjarkkewocupxopsma.exe | PID 3328

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | PID 2120
  C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | PID 3412

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qdwmcutmduhyszpprk.exe . | PID 3344
  C:\Windows\qdwmcutmduhyszpprk.exe | qdwmcutmduhyszpprk.exe . | PID 3944
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\qdwmcutmduhyszpprk.exe*." | PID 3060

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe . | PID 4712
  C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe . | PID 1484
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\htlapgewmcoexdsrs.exe*." | PID 1840

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | PID 3132
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3684
  C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | PID 812

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe . | PID 4204
  C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe | C:\Users\Admin\AppData\Local\Temp\odyqicdyrkzsoxprvqfa.exe . | PID 3692
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\odyqicdyrkzsoxprvqfa.exe*." | PID 4368

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | PID 4448
  C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | PID 2896

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe | PID 4376
  C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe | C:\Users\Admin\AppData\Local\Temp\qdwmcutmduhyszpprk.exe | PID 1692

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe . | PID 4388
  C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe | C:\Users\Admin\AppData\Local\Temp\htlapgewmcoexdsrs.exe . | PID 3964
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\htlapgewmcoexdsrs.exe*." | PID 4336

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 1512
  C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe | C:\Users\Admin\AppData\Local\Temp\dtpibwyuoiyspzsvawmib.exe . | PID 1732
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\dtpibwyuoiyspzsvawmib.exe*." | PID 4680
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution (4)
  Registry Run Keys / Startup Folder (3)
  Winlogon Helper DLL (1)
Hijack Execution Flow (1)
  Executable Installer File Permissions Weakness (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1)
  Bypass User Account Control (1)
Boot or Logon Autostart Execution (4)
  Registry Run Keys / Startup Folder (3)
  Winlogon Helper DLL (1)
Hijack Execution Flow (1)
  Executable Installer File Permissions Weakness (1)
Defense Evasion
Abuse Elevation Control Mechanism (1)
  Bypass User Account Control (1)
Hijack Execution Flow (1)
  Executable Installer File Permissions Weakness (1)
Impair Defenses (2)
  Disable or Modify Tools (1)
  Safe Mode Boot (1)
Modify Registry (6)
Downloads