Analysis

max time kernel: 46s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/04/2025, 03:58

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
Resource: win10v2004-20250314-en

General

Target: JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
Size: 1016KB
MD5: acd201e3179f1bea3176625e53ae74a0
SHA1: 16aba416493d24d4fcc7f94133da3a3bc328016c
SHA256: 5362c09319c951bf520453f62ce8e2b521322aaed60b929fe2cb4f11085d0250
SHA512: f3234c90de201c62cb1ec4f101cc017289960916a98452a65500cadc3ec181a01a200381660e5789b99673d6db827fa6cfa96fe812e7540c88b01e59662a99ba
SSDEEP: 6144:8IXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU:8IXsgtvm1De5YlOx6lzBH46U
Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 21 IoCs)

description | ioc | process | count
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe | 19
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | bjhwxgp.exe | 2

All 21 writes set Shell to "Explorer.exe", which is the default value, and they land in the 32-bit (WOW6432Node) view of the key, so the shell that the 64-bit Winlogon launches is not changed by these events; the signature fires on the write itself. The WOW6432Node prefix shows the writing processes are 32-bit. The Policies keys in the sections below are shared between both registry views, which is why those paths carry no such prefix.

Pykspa family
UAC bypass (3 TTPs, 30 IoCs)

description | ioc | process | count
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe | 19
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bjhwxgp.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | rfyzcmqobpi.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | bjhwxgp.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | rfyzcmqobpi.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | bjhwxgp.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | rfyzcmqobpi.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | bjhwxgp.exe | 2

The label is the sandbox's; what the events show is UAC being switched off by policy rather than bypassed. All four values are under HKLM, so the writing process already held an elevated token. EnableLUA = 0 does not take effect until the next reboot; ConsentPromptBehaviorAdmin = 0 makes administrators elevate without a prompt, ConsentPromptBehaviorUser = 0 makes elevation requests from standard users fail silently, and PromptOnSecureDesktop = 0 moves any remaining prompt off the secure desktop.
Detect Pykspa worm (2 IoCs)

resource | yara_rule
behavioral1/files/0x00050000000227be-4.dat | family_pykspa
behavioral1/files/0x000b00000002415c-84.dat | family_pykspa
Adds policy Run key to start application (2 TTPs, 64 IoCs)

description | ioc | process | count
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe | 16
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | bjhwxgp.exe | 2
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjhwxgp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjsseysfcqkffnxoze.exe" | rfyzcmqobpi.exe | 5
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjhwxgp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzhgrkdplyrlkraqa.exe" | rfyzcmqobpi.exe | 5
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjhwxgp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dzlodaxnnebzcnauiqrnz.exe" | rfyzcmqobpi.exe | 2
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjhwxgp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dzlodaxnnebzcnauiqrnz.exe" | bjhwxgp.exe | 2
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjhwxgp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojuwkgcrqgczblxqdkkf.exe" | rfyzcmqobpi.exe | 2
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjhwxgp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojuwkgcrqgczblxqdkkf.exe" | bjhwxgp.exe | 2
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjhwxgp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvfgtojxvkfbclwoagf.exe" | rfyzcmqobpi.exe | 2
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjhwxgp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvfgtojxvkfbclwoagf.exe" | bjhwxgp.exe | 2
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjhwxgp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arywgyqbwiatrxfu.exe" | rfyzcmqobpi.exe | 1
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\almeiuglag = "qjsseysfcqkffnxoze.exe" | rfyzcmqobpi.exe | 5
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\almeiuglag = "qjsseysfcqkffnxoze.exe" | bjhwxgp.exe | 1
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\almeiuglag = "arywgyqbwiatrxfu.exe" | rfyzcmqobpi.exe | 4
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\almeiuglag = "arywgyqbwiatrxfu.exe" | bjhwxgp.exe | 1
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\almeiuglag = "bvfgtojxvkfbclwoagf.exe" | rfyzcmqobpi.exe | 4
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\almeiuglag = "bvfgtojxvkfbclwoagf.exe" | bjhwxgp.exe | 1
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\almeiuglag = "dzlodaxnnebzcnauiqrnz.exe" | rfyzcmqobpi.exe | 1
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\almeiuglag = "dzlodaxnnebzcnauiqrnz.exe" | bjhwxgp.exe | 2
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\almeiuglag = "ojuwkgcrqgczblxqdkkf.exe" | rfyzcmqobpi.exe | 2
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\almeiuglag = "hzhgrkdplyrlkraqa.exe" | rfyzcmqobpi.exe | 1
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\almeiuglag = "hzhgrkdplyrlkraqa.exe" | bjhwxgp.exe | 1

Policies\Explorer\Run does not exist on a default install (hence the 18 "Key created" rows) and is processed at logon like the ordinary Run key. The two value names are used consistently: bjhwxgp always receives a full path under the user's Temp directory, almeiuglag a bare file name. Both processes cycle through the same six dropped executables, so the set of values present at any moment depends on which write came last.
Blocklisted process makes network request (4 IoCs)

flow | pid | process
187 | 5116 | Process not Found
188 | 5116 | Process not Found
189 | 5116 | Process not Found
192 | 5116 | Process not Found

PID 5116 does not appear in the "Executes dropped EXE" list below, so the sandbox could not attribute these four flows to a tracked image.
Disables RegEdit via registry modification (7 IoCs)

description | ioc | process | count
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe | 1
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bjhwxgp.exe | 2
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bjhwxgp.exe | 2

The value is set in both the per-user and the machine policy key. It only stops regedit.exe from starting; reg.exe and the PowerShell registry provider are unaffected, which is how the value is normally cleared during cleanup.
Checks computer location settings (2 TTPs, 64 IoCs)

Looks up country code configured in the registry, likely geofence.

description | ioc | process | count
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | rfyzcmqobpi.exe | 1
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | arywgyqbwiatrxfu.exe | 14
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | qjsseysfcqkffnxoze.exe | 14
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | dzlodaxnnebzcnauiqrnz.exe | 11
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | hzhgrkdplyrlkraqa.exe | 9
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | ojuwkgcrqgczblxqdkkf.exe | 9
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | bvfgtojxvkfbclwoagf.exe | 6
Executes dropped EXE (64 IoCs)

process | pids (in the order listed) | count
rfyzcmqobpi.exe | 5884, 1188, 848, 1484, 3404, 4496, 4784, 5600, 3956, 2628, 1008, 6004, 3636, 6076, 5432, 3192, 4068, 5028, 5016, 5712 | 20
qjsseysfcqkffnxoze.exe | 696, 4980, 4436, 3136, 4964, 4988, 5904, 1144, 2588, 1040 | 10
hzhgrkdplyrlkraqa.exe | 2200, 3552, 2484, 3408, 4668, 3792, 3484, 4416 | 8
dzlodaxnnebzcnauiqrnz.exe | 1940, 4632, 5228, 6048, 5768, 6028, 5556, 5532 | 8
ojuwkgcrqgczblxqdkkf.exe | 4024, 4832, 2680, 3272, 3228, 4376 | 6
arywgyqbwiatrxfu.exe | 4172, 6132, 5844, 2168, 4032 | 5
bvfgtojxvkfbclwoagf.exe | 4428, 2908, 4356, 1688, 4328 | 5
bjhwxgp.exe | 1504, 6012 | 2

Eight distinct dropped images account for the 64 executions.
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)

description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | bjhwxgp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | bjhwxgp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | bjhwxgp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | bjhwxgp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | bjhwxgp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | bjhwxgp.exe

Safe Mode starts only the services and drivers listed under SafeBoot\Minimal. Removing entries such as ProfSvc (User Profile Service) and UserManager means they will not be started in Safe Mode, which is the boot path a user would normally use to remove the infection.
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sficiwkriqet = "ojuwkgcrqgczblxqdkkf.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hrrilwhlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzhgrkdplyrlkraqa.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sficiwkriqet = "arywgyqbwiatrxfu.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hrrilwhlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arywgyqbwiatrxfu.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qzyoqakn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arywgyqbwiatrxfu.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hrrilwhlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arywgyqbwiatrxfu.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hrrilwhlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arywgyqbwiatrxfu.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzyoqakn = "dzlodaxnnebzcnauiqrnz.exe" bjhwxgp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qzyoqakn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojuwkgcrqgczblxqdkkf.exe" bjhwxgp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzyoqakn = "arywgyqbwiatrxfu.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vhjchuhndkx = "bvfgtojxvkfbclwoagf.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sficiwkriqet = "dzlodaxnnebzcnauiqrnz.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qzyoqakn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzhgrkdplyrlkraqa.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hrrilwhlz = "arywgyqbwiatrxfu.exe ." bjhwxgp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hrrilwhlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzhgrkdplyrlkraqa.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hrrilwhlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arywgyqbwiatrxfu.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzyoqakn = "bvfgtojxvkfbclwoagf.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qzyoqakn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjsseysfcqkffnxoze.exe" bjhwxgp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vhjchuhndkx = "ojuwkgcrqgczblxqdkkf.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzyoqakn = "dzlodaxnnebzcnauiqrnz.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hrrilwhlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojuwkgcrqgczblxqdkkf.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hrrilwhlz = "hzhgrkdplyrlkraqa.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzyoqakn = "arywgyqbwiatrxfu.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hrrilwhlz = "qjsseysfcqkffnxoze.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hrrilwhlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arywgyqbwiatrxfu.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vhjchuhndkx = "arywgyqbwiatrxfu.exe" bjhwxgp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\shmiqgwfyiyplp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzhgrkdplyrlkraqa.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vhjchuhndkx = "bvfgtojxvkfbclwoagf.exe" bjhwxgp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vhjchuhndkx = "hzhgrkdplyrlkraqa.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\shmiqgwfyiyplp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjsseysfcqkffnxoze.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzyoqakn = "arywgyqbwiatrxfu.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfjelapxpyndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojuwkgcrqgczblxqdkkf.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qzyoqakn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojuwkgcrqgczblxqdkkf.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfjelapxpyndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjsseysfcqkffnxoze.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sficiwkriqet = "arywgyqbwiatrxfu.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vhjchuhndkx = "hzhgrkdplyrlkraqa.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hrrilwhlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojuwkgcrqgczblxqdkkf.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vhjchuhndkx = "hzhgrkdplyrlkraqa.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\shmiqgwfyiyplp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzhgrkdplyrlkraqa.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfjelapxpyndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dzlodaxnnebzcnauiqrnz.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfjelapxpyndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjsseysfcqkffnxoze.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hrrilwhlz = "hzhgrkdplyrlkraqa.exe ." bjhwxgp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sficiwkriqet = "ojuwkgcrqgczblxqdkkf.exe ." bjhwxgp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzyoqakn = "qjsseysfcqkffnxoze.exe" bjhwxgp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\shmiqgwfyiyplp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzhgrkdplyrlkraqa.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfjelapxpyndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzhgrkdplyrlkraqa.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzyoqakn = "qjsseysfcqkffnxoze.exe" bjhwxgp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hrrilwhlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzhgrkdplyrlkraqa.exe ." bjhwxgp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfjelapxpyndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzhgrkdplyrlkraqa.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzyoqakn = "arywgyqbwiatrxfu.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hrrilwhlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dzlodaxnnebzcnauiqrnz.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qzyoqakn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojuwkgcrqgczblxqdkkf.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzyoqakn = "arywgyqbwiatrxfu.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sficiwkriqet = "bvfgtojxvkfbclwoagf.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hrrilwhlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjsseysfcqkffnxoze.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\shmiqgwfyiyplp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojuwkgcrqgczblxqdkkf.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\shmiqgwfyiyplp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzhgrkdplyrlkraqa.exe" bjhwxgp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qzyoqakn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjsseysfcqkffnxoze.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hrrilwhlz = "qjsseysfcqkffnxoze.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfjelapxpyndy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arywgyqbwiatrxfu.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hrrilwhlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzhgrkdplyrlkraqa.exe ." rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qzyoqakn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dzlodaxnnebzcnauiqrnz.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vhjchuhndkx = "hzhgrkdplyrlkraqa.exe" rfyzcmqobpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzyoqakn = "bvfgtojxvkfbclwoagf.exe" rfyzcmqobpi.exe
Checks whether UAC is enabled 1 TTPs 42 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bjhwxgp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bjhwxgp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rfyzcmqobpi.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rfyzcmqobpi.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bjhwxgp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rfyzcmqobpi.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rfyzcmqobpi.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rfyzcmqobpi.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bjhwxgp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rfyzcmqobpi.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rfyzcmqobpi.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" bjhwxgp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" bjhwxgp.exe
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
47 www.showmyipaddress.com
50 whatismyip.everdot.org
52 www.whatismyip.ca
54 whatismyip.everdot.org
55 www.whatismyip.ca
30 whatismyipaddress.com
35 www.whatismyip.ca
Drops file in System32 directory 64 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\ojuwkgcrqgczblxqdkkf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\hzhgrkdplyrlkraqa.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\dzlodaxnnebzcnauiqrnz.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\arywgyqbwiatrxfu.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\qjsseysfcqkffnxoze.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\qjsseysfcqkffnxoze.exe bjhwxgp.exe
File opened for modification C:\Windows\SysWOW64\ileokospwuydnfzavksvoyuy.zge bjhwxgp.exe
File opened for modification C:\Windows\SysWOW64\ureiywulmecbfrfapyaxko.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\qjsseysfcqkffnxoze.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\arywgyqbwiatrxfu.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\bvfgtojxvkfbclwoagf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\arywgyqbwiatrxfu.exe bjhwxgp.exe
File opened for modification C:\Windows\SysWOW64\hzhgrkdplyrlkraqa.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\dzlodaxnnebzcnauiqrnz.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\ojuwkgcrqgczblxqdkkf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\ureiywulmecbfrfapyaxko.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\ojuwkgcrqgczblxqdkkf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\dzlodaxnnebzcnauiqrnz.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\hzhgrkdplyrlkraqa.exe bjhwxgp.exe
File opened for modification C:\Windows\SysWOW64\qjsseysfcqkffnxoze.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\arywgyqbwiatrxfu.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\hzhgrkdplyrlkraqa.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\ojuwkgcrqgczblxqdkkf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\arywgyqbwiatrxfu.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\ureiywulmecbfrfapyaxko.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\hzhgrkdplyrlkraqa.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\dzlodaxnnebzcnauiqrnz.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\ojuwkgcrqgczblxqdkkf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\arywgyqbwiatrxfu.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\ureiywulmecbfrfapyaxko.exe bjhwxgp.exe
File opened for modification C:\Windows\SysWOW64\arywgyqbwiatrxfu.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\ureiywulmecbfrfapyaxko.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\ureiywulmecbfrfapyaxko.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\bvfgtojxvkfbclwoagf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\qjsseysfcqkffnxoze.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\arywgyqbwiatrxfu.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\ojuwkgcrqgczblxqdkkf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\hzhgrkdplyrlkraqa.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\arywgyqbwiatrxfu.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\hzhgrkdplyrlkraqa.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\bvfgtojxvkfbclwoagf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\ureiywulmecbfrfapyaxko.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\bvfgtojxvkfbclwoagf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\bvfgtojxvkfbclwoagf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\hzhgrkdplyrlkraqa.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\dzlodaxnnebzcnauiqrnz.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\dzlodaxnnebzcnauiqrnz.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\qjsseysfcqkffnxoze.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\bvfgtojxvkfbclwoagf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\dzlodaxnnebzcnauiqrnz.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\hzhgrkdplyrlkraqa.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\ureiywulmecbfrfapyaxko.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\bvfgtojxvkfbclwoagf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\qjsseysfcqkffnxoze.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\ureiywulmecbfrfapyaxko.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\dzlodaxnnebzcnauiqrnz.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\ureiywulmecbfrfapyaxko.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\arywgyqbwiatrxfu.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\bvfgtojxvkfbclwoagf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\hzhgrkdplyrlkraqa.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\arywgyqbwiatrxfu.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\ojuwkgcrqgczblxqdkkf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\ojuwkgcrqgczblxqdkkf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\SysWOW64\dzlodaxnnebzcnauiqrnz.exe bjhwxgp.exe
Drops file in Program Files directory 4 IoCs
description ioc Process
File created C:\Program Files (x86)\rfjelapxpyndybgsyyrfjelapxpyndybgsy.rfj bjhwxgp.exe
File opened for modification C:\Program Files (x86)\ileokospwuydnfzavksvoyuy.zge bjhwxgp.exe
File created C:\Program Files (x86)\ileokospwuydnfzavksvoyuy.zge bjhwxgp.exe
File opened for modification C:\Program Files (x86)\rfjelapxpyndybgsyyrfjelapxpyndybgsy.rfj bjhwxgp.exe
Drops file in Windows directory 64 IoCs
description ioc Process
File opened for modification C:\Windows\ureiywulmecbfrfapyaxko.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\dzlodaxnnebzcnauiqrnz.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\ureiywulmecbfrfapyaxko.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\qjsseysfcqkffnxoze.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\arywgyqbwiatrxfu.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\qjsseysfcqkffnxoze.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\ureiywulmecbfrfapyaxko.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\dzlodaxnnebzcnauiqrnz.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\qjsseysfcqkffnxoze.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\hzhgrkdplyrlkraqa.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\hzhgrkdplyrlkraqa.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\ojuwkgcrqgczblxqdkkf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\arywgyqbwiatrxfu.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\ureiywulmecbfrfapyaxko.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\ureiywulmecbfrfapyaxko.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\hzhgrkdplyrlkraqa.exe rfyzcmqobpi.exe
File created C:\Windows\rfjelapxpyndybgsyyrfjelapxpyndybgsy.rfj bjhwxgp.exe
File opened for modification C:\Windows\bvfgtojxvkfbclwoagf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\qjsseysfcqkffnxoze.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\ojuwkgcrqgczblxqdkkf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\dzlodaxnnebzcnauiqrnz.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\dzlodaxnnebzcnauiqrnz.exe bjhwxgp.exe
File opened for modification C:\Windows\bvfgtojxvkfbclwoagf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\dzlodaxnnebzcnauiqrnz.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\ureiywulmecbfrfapyaxko.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\ojuwkgcrqgczblxqdkkf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\dzlodaxnnebzcnauiqrnz.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\arywgyqbwiatrxfu.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\dzlodaxnnebzcnauiqrnz.exe rfyzcmqobpi.exe
File created C:\Windows\ileokospwuydnfzavksvoyuy.zge bjhwxgp.exe
File opened for modification C:\Windows\hzhgrkdplyrlkraqa.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\ojuwkgcrqgczblxqdkkf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\ojuwkgcrqgczblxqdkkf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\dzlodaxnnebzcnauiqrnz.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\qjsseysfcqkffnxoze.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\arywgyqbwiatrxfu.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\bvfgtojxvkfbclwoagf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\ojuwkgcrqgczblxqdkkf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\dzlodaxnnebzcnauiqrnz.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\arywgyqbwiatrxfu.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\bvfgtojxvkfbclwoagf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\ojuwkgcrqgczblxqdkkf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\dzlodaxnnebzcnauiqrnz.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\arywgyqbwiatrxfu.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\arywgyqbwiatrxfu.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\ureiywulmecbfrfapyaxko.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\ojuwkgcrqgczblxqdkkf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\bvfgtojxvkfbclwoagf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\arywgyqbwiatrxfu.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\bvfgtojxvkfbclwoagf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\ojuwkgcrqgczblxqdkkf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\ojuwkgcrqgczblxqdkkf.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\qjsseysfcqkffnxoze.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\arywgyqbwiatrxfu.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\qjsseysfcqkffnxoze.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\dzlodaxnnebzcnauiqrnz.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\arywgyqbwiatrxfu.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\qjsseysfcqkffnxoze.exe bjhwxgp.exe
File opened for modification C:\Windows\dzlodaxnnebzcnauiqrnz.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\hzhgrkdplyrlkraqa.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\dzlodaxnnebzcnauiqrnz.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\dzlodaxnnebzcnauiqrnz.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\arywgyqbwiatrxfu.exe rfyzcmqobpi.exe
File opened for modification C:\Windows\bvfgtojxvkfbclwoagf.exe rfyzcmqobpi.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hzhgrkdplyrlkraqa.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qjsseysfcqkffnxoze.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arywgyqbwiatrxfu.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bvfgtojxvkfbclwoagf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dzlodaxnnebzcnauiqrnz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dzlodaxnnebzcnauiqrnz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qjsseysfcqkffnxoze.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qjsseysfcqkffnxoze.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arywgyqbwiatrxfu.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hzhgrkdplyrlkraqa.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qjsseysfcqkffnxoze.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hzhgrkdplyrlkraqa.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qjsseysfcqkffnxoze.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arywgyqbwiatrxfu.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hzhgrkdplyrlkraqa.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfyzcmqobpi.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hzhgrkdplyrlkraqa.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arywgyqbwiatrxfu.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ojuwkgcrqgczblxqdkkf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ojuwkgcrqgczblxqdkkf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qjsseysfcqkffnxoze.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qjsseysfcqkffnxoze.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dzlodaxnnebzcnauiqrnz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bvfgtojxvkfbclwoagf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dzlodaxnnebzcnauiqrnz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arywgyqbwiatrxfu.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dzlodaxnnebzcnauiqrnz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dzlodaxnnebzcnauiqrnz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hzhgrkdplyrlkraqa.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arywgyqbwiatrxfu.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arywgyqbwiatrxfu.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qjsseysfcqkffnxoze.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dzlodaxnnebzcnauiqrnz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bvfgtojxvkfbclwoagf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arywgyqbwiatrxfu.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bvfgtojxvkfbclwoagf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bvfgtojxvkfbclwoagf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arywgyqbwiatrxfu.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ojuwkgcrqgczblxqdkkf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arywgyqbwiatrxfu.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hzhgrkdplyrlkraqa.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qjsseysfcqkffnxoze.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bvfgtojxvkfbclwoagf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arywgyqbwiatrxfu.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qjsseysfcqkffnxoze.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arywgyqbwiatrxfu.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arywgyqbwiatrxfu.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qjsseysfcqkffnxoze.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dzlodaxnnebzcnauiqrnz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dzlodaxnnebzcnauiqrnz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qjsseysfcqkffnxoze.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arywgyqbwiatrxfu.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bvfgtojxvkfbclwoagf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ojuwkgcrqgczblxqdkkf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qjsseysfcqkffnxoze.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arywgyqbwiatrxfu.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ojuwkgcrqgczblxqdkkf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ojuwkgcrqgczblxqdkkf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hzhgrkdplyrlkraqa.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qjsseysfcqkffnxoze.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hzhgrkdplyrlkraqa.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ojuwkgcrqgczblxqdkkf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arywgyqbwiatrxfu.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arywgyqbwiatrxfu.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
1504  bjhwxgp.exe
1504  bjhwxgp.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
1504  bjhwxgp.exe
1504  bjhwxgp.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description  pid  Process
Token: SeDebugPrivilege  1504  bjhwxgp.exe
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 5860 wrote to memory of 5884  5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe  89
PID 5860 wrote to memory of 5884  5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe  89
PID 5860 wrote to memory of 5884  5860  JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe  89
PID 3400 wrote to memory of 696  3400  cmd.exe  93
PID 3400 wrote to memory of 696  3400  cmd.exe  93
PID 3400 wrote to memory of 696  3400  cmd.exe  93
PID 5092 wrote to memory of 4980  5092  cmd.exe  96
PID 5092 wrote to memory of 4980  5092  cmd.exe  96
PID 5092 wrote to memory of 4980  5092  cmd.exe  96
PID 4980 wrote to memory of 1188  4980  qjsseysfcqkffnxoze.exe  99
PID 4980 wrote to memory of 1188  4980  qjsseysfcqkffnxoze.exe  99
PID 4980 wrote to memory of 1188  4980  qjsseysfcqkffnxoze.exe  99
PID 4840 wrote to memory of 2200  4840  cmd.exe  102
PID 4840 wrote to memory of 2200  4840  cmd.exe  102
PID 4840 wrote to memory of 2200  4840  cmd.exe  102
PID 2668 wrote to memory of 1940  2668  cmd.exe  105
PID 2668 wrote to memory of 1940  2668  cmd.exe  105
PID 2668 wrote to memory of 1940  2668  cmd.exe  105
PID 5936 wrote to memory of 4436  5936  cmd.exe  108
PID 5936 wrote to memory of 4436  5936  cmd.exe  108
PID 5936 wrote to memory of 4436  5936  cmd.exe  108
PID 3844 wrote to memory of 4172  3844  cmd.exe  109
PID 3844 wrote to memory of 4172  3844  cmd.exe  109
PID 3844 wrote to memory of 4172  3844  cmd.exe  109
PID 1940 wrote to memory of 848  1940  dzlodaxnnebzcnauiqrnz.exe  110
PID 1940 wrote to memory of 848  1940  dzlodaxnnebzcnauiqrnz.exe  110
PID 1940 wrote to memory of 848  1940  dzlodaxnnebzcnauiqrnz.exe  110
PID 4172 wrote to memory of 1484  4172  arywgyqbwiatrxfu.exe  113
PID 4172 wrote to memory of 1484  4172  arywgyqbwiatrxfu.exe  113
PID 4172 wrote to memory of 1484  4172  arywgyqbwiatrxfu.exe  113
PID 4552 wrote to memory of 4024  4552  cmd.exe  116
PID 4552 wrote to memory of 4024  4552  cmd.exe  116
PID 4552 wrote to memory of 4024  4552  cmd.exe  116
PID 4684 wrote to memory of 3552  4684  cmd.exe  117
PID 4684 wrote to memory of 3552  4684  cmd.exe  117
PID 4684 wrote to memory of 3552  4684  cmd.exe  117
PID 3552 wrote to memory of 3404  3552  hzhgrkdplyrlkraqa.exe  266
PID 3552 wrote to memory of 3404  3552  hzhgrkdplyrlkraqa.exe  266
PID 3552 wrote to memory of 3404  3552  hzhgrkdplyrlkraqa.exe  266
PID 5884 wrote to memory of 1504  5884  rfyzcmqobpi.exe  121
PID 5884 wrote to memory of 1504  5884  rfyzcmqobpi.exe  121
PID 5884 wrote to memory of 1504  5884  rfyzcmqobpi.exe  121
PID 5884 wrote to memory of 6012  5884  rfyzcmqobpi.exe  122
PID 5884 wrote to memory of 6012  5884  rfyzcmqobpi.exe  122
PID 5884 wrote to memory of 6012  5884  rfyzcmqobpi.exe  122
PID 1136 wrote to memory of 4632  1136  cmd.exe  129
PID 1136 wrote to memory of 4632  1136  cmd.exe  129
PID 1136 wrote to memory of 4632  1136  cmd.exe  129
PID 2112 wrote to memory of 2484  2112  cmd.exe  267
PID 2112 wrote to memory of 2484  2112  cmd.exe  267
PID 2112 wrote to memory of 2484  2112  cmd.exe  267
PID 2504 wrote to memory of 3408  2504  cmd.exe  135
PID 2504 wrote to memory of 3408  2504  cmd.exe  135
PID 2504 wrote to memory of 3408  2504  cmd.exe  135
PID 4016 wrote to memory of 3136  4016  cmd.exe  138
PID 4016 wrote to memory of 3136  4016  cmd.exe  138
PID 4016 wrote to memory of 3136  4016  cmd.exe  138
PID 3408 wrote to memory of 4496  3408  hzhgrkdplyrlkraqa.exe  142
PID 3408 wrote to memory of 4496  3408  hzhgrkdplyrlkraqa.exe  142
PID 3408 wrote to memory of 4496  3408  hzhgrkdplyrlkraqa.exe  142
PID 1076 wrote to memory of 4428  1076  cmd.exe  204
PID 1076 wrote to memory of 4428  1076  cmd.exe  204
PID 1076 wrote to memory of 4428  1076  cmd.exe  204
PID 6020 wrote to memory of 4668  6020  cmd.exe  333
System policy modification 1 TTPs 64 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  bjhwxgp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"  bjhwxgp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  rfyzcmqobpi.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  rfyzcmqobpi.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  bjhwxgp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"  bjhwxgp.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  bjhwxgp.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  rfyzcmqobpi.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  bjhwxgp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  bjhwxgp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"  bjhwxgp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"  bjhwxgp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"  bjhwxgp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"  bjhwxgp.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"  bjhwxgp.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  rfyzcmqobpi.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  rfyzcmqobpi.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  rfyzcmqobpi.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  rfyzcmqobpi.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  rfyzcmqobpi.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"  bjhwxgp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"  bjhwxgp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  rfyzcmqobpi.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  rfyzcmqobpi.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  rfyzcmqobpi.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  bjhwxgp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"  bjhwxgp.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  bjhwxgp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  bjhwxgp.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  rfyzcmqobpi.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  bjhwxgp.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  bjhwxgp.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  bjhwxgp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"  bjhwxgp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  rfyzcmqobpi.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  rfyzcmqobpi.exe
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acd201e3179f1bea3176625e53ae74a0.exe"  (depth 1)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5860
  C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_acd201e3179f1bea3176625e53ae74a0.exe*"  (depth 2)
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5884
    C:\Users\Admin\AppData\Local\Temp\bjhwxgp.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\bjhwxgp.exe" "-C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe"  (depth 3)
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1504
    C:\Users\Admin\AppData\Local\Temp\bjhwxgp.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\bjhwxgp.exe" "-C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe"  (depth 3)
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - System policy modification
    PID:6012

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe  (depth 1)
- Suspicious use of WriteProcessMemory
PID:3400
  C:\Windows\qjsseysfcqkffnxoze.exe  cmdline: qjsseysfcqkffnxoze.exe  (depth 2)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:696

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe .  (depth 1)
- Suspicious use of WriteProcessMemory
PID:5092
  C:\Windows\qjsseysfcqkffnxoze.exe  cmdline: qjsseysfcqkffnxoze.exe .  (depth 2)
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4980
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\qjsseysfcqkffnxoze.exe*."  (depth 3)
    - Executes dropped EXE
    PID:1188

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe  (depth 1)
- Suspicious use of WriteProcessMemory
PID:4840
  C:\Windows\hzhgrkdplyrlkraqa.exe  cmdline: hzhgrkdplyrlkraqa.exe  (depth 2)
  - Executes dropped EXE
  PID:2200

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe .  (depth 1)
- Suspicious use of WriteProcessMemory
PID:2668
  C:\Windows\dzlodaxnnebzcnauiqrnz.exe  cmdline: dzlodaxnnebzcnauiqrnz.exe .  (depth 2)
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1940
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\dzlodaxnnebzcnauiqrnz.exe*."  (depth 3)
    - Executes dropped EXE
    PID:848

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe  (depth 1)
- Suspicious use of WriteProcessMemory
PID:5936
  C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe  (depth 2)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4436

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .  (depth 1)
- Suspicious use of WriteProcessMemory
PID:3844
  C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .  (depth 2)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4172
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\arywgyqbwiatrxfu.exe*."  (depth 3)
    - Executes dropped EXE
    PID:1484

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe  (depth 1)
- Suspicious use of WriteProcessMemory
PID:4552
  C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe  (depth 2)
  - Executes dropped EXE
  PID:4024

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .  (depth 1)
- Suspicious use of WriteProcessMemory
PID:4684
  C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .  (depth 2)
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3552
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hzhgrkdplyrlkraqa.exe*."  (depth 3)
    - Executes dropped EXE
    PID:3404

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe  (depth 1)
- Suspicious use of WriteProcessMemory
PID:1136
  C:\Windows\dzlodaxnnebzcnauiqrnz.exe  cmdline: dzlodaxnnebzcnauiqrnz.exe  (depth 2)
  - Executes dropped EXE
  PID:4632

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe  (depth 1)
- Suspicious use of WriteProcessMemory
PID:2112
  C:\Windows\hzhgrkdplyrlkraqa.exe  cmdline: hzhgrkdplyrlkraqa.exe  (depth 2)
  - Executes dropped EXE
  PID:2484

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe .  (depth 1)
- Suspicious use of WriteProcessMemory
PID:2504
  C:\Windows\hzhgrkdplyrlkraqa.exe  cmdline: hzhgrkdplyrlkraqa.exe .  (depth 2)
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3408
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hzhgrkdplyrlkraqa.exe*."  (depth 3)
    - Executes dropped EXE
    PID:4496

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe .  (depth 1)
- Suspicious use of WriteProcessMemory
PID:4016
  C:\Windows\qjsseysfcqkffnxoze.exe  cmdline: qjsseysfcqkffnxoze.exe .  (depth 2)
  - Executes dropped EXE
  PID:3136
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\qjsseysfcqkffnxoze.exe*."  (depth 3)
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4784

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe  (depth 1)
- Suspicious use of WriteProcessMemory
PID:1076
  C:\Windows\bvfgtojxvkfbclwoagf.exe  cmdline: bvfgtojxvkfbclwoagf.exe  (depth 2)
  - Executes dropped EXE
  PID:4428

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe  (depth 1)
- Suspicious use of WriteProcessMemory
PID:6020
  C:\Windows\hzhgrkdplyrlkraqa.exe  cmdline: hzhgrkdplyrlkraqa.exe  (depth 2)
  - Executes dropped EXE
  PID:4668

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe .  (depth 1)
PID:2576
  C:\Windows\ojuwkgcrqgczblxqdkkf.exe  cmdline: ojuwkgcrqgczblxqdkkf.exe .  (depth 2)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4832
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ojuwkgcrqgczblxqdkkf.exe*."  (depth 3)
    - Executes dropped EXE
    PID:5600

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe .  (depth 1)
PID:4380
  C:\Windows\qjsseysfcqkffnxoze.exe  cmdline: qjsseysfcqkffnxoze.exe .  (depth 2)
  - Executes dropped EXE
  PID:4988
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\qjsseysfcqkffnxoze.exe*."  (depth 3)
    - Executes dropped EXE
    PID:3956

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe  (depth 1)
PID:2756
  C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe  (depth 2)
  - Executes dropped EXE
  PID:4964

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe  (depth 1)
PID:1844
  C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe  (depth 2)
  - Executes dropped EXE
  PID:5228

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe .  (depth 1)
PID:4656
  C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe .  (depth 2)
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2680
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ojuwkgcrqgczblxqdkkf.exe*."  (depth 3)
    - Executes dropped EXE
    PID:1008

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe .  (depth 1)
PID:5004
  C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe .  (depth 2)
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2908
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bvfgtojxvkfbclwoagf.exe*."  (depth 3)
    - Executes dropped EXE
    PID:2628

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe  (depth 1)
PID:4912
  C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe  (depth 2)
  - Executes dropped EXE
  PID:6048

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe  (depth 1)
PID:4900
  C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe  (depth 2)
  - Executes dropped EXE
  PID:5904

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe .  (depth 1)
PID:4996
  C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe .  (depth 2)
  - Checks computer location settings
  - Executes dropped EXE
  PID:3272
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ojuwkgcrqgczblxqdkkf.exe*."  (depth 3)
    - Executes dropped EXE
    PID:3636

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .  (depth 1)
PID:4948
  C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .  (depth 2)
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6132
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\arywgyqbwiatrxfu.exe*."  (depth 3)
    - Executes dropped EXE
    PID:6004

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe  (depth 1)
PID:4528
  C:\Windows\dzlodaxnnebzcnauiqrnz.exe  cmdline: dzlodaxnnebzcnauiqrnz.exe  (depth 2)
  - Executes dropped EXE
  PID:5768

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe .  (depth 1)
PID:1092
  C:\Windows\ojuwkgcrqgczblxqdkkf.exe  cmdline: ojuwkgcrqgczblxqdkkf.exe .  (depth 2)
  - Checks computer location settings
  - Executes dropped EXE
  PID:3228
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ojuwkgcrqgczblxqdkkf.exe*."  (depth 3)
    - Executes dropped EXE
    PID:6076

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe  (depth 1)
PID:1152
  C:\Windows\bvfgtojxvkfbclwoagf.exe  cmdline: bvfgtojxvkfbclwoagf.exe  (depth 2)
  - Executes dropped EXE
  PID:4356

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe .  (depth 1)
PID:2736
  C:\Windows\arywgyqbwiatrxfu.exe  cmdline: arywgyqbwiatrxfu.exe .  (depth 2)
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5844
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*."  (depth 3)
    - Executes dropped EXE
    PID:5432

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe  (depth 1)
PID:3040
  C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe  (depth 2)
  - Executes dropped EXE
  PID:6028

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe .  (depth 1)
PID:5540
  C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe .  (depth 2)
  - Executes dropped EXE
  PID:1688
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bvfgtojxvkfbclwoagf.exe*."  (depth 3)
    - Executes dropped EXE
    PID:3192

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe  (depth 1)
PID:4428
  C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe  (depth 2)
  - Executes dropped EXE
  PID:3792

C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe .  (depth 1)
PID:4704
  C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe .  (depth 2)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4376
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ojuwkgcrqgczblxqdkkf.exe*."  (depth 3)
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:4068

[1] C:\Windows\system32\cmd.exe  PID:3616
    cmdline: C:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe
    [2] C:\Windows\arywgyqbwiatrxfu.exe  PID:2168
        cmdline: arywgyqbwiatrxfu.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  PID:3676
    cmdline: C:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe .
    [2] C:\Windows\hzhgrkdplyrlkraqa.exe  PID:3484
        cmdline: hzhgrkdplyrlkraqa.exe .
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:5028
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hzhgrkdplyrlkraqa.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  PID:6120
    cmdline: C:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe
    [2] C:\Windows\hzhgrkdplyrlkraqa.exe  PID:4416
        cmdline: hzhgrkdplyrlkraqa.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  PID:4984
    cmdline: C:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe .
    [2] C:\Windows\qjsseysfcqkffnxoze.exe  PID:1144
        cmdline: qjsseysfcqkffnxoze.exe .
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:5016
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\qjsseysfcqkffnxoze.exe*."
            - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  PID:5952
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe
    [2] C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe  PID:5556
        cmdline: C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  PID:3664
    cmdline: C:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe
    [2] C:\Windows\qjsseysfcqkffnxoze.exe  PID:2588
        cmdline: qjsseysfcqkffnxoze.exe
        - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  PID:4516
    cmdline: C:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe
    [2] C:\Windows\arywgyqbwiatrxfu.exe  PID:4032
        cmdline: arywgyqbwiatrxfu.exe
        - Executes dropped EXE
[1] C:\Windows\system32\cmd.exe  PID:4568
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe  PID:1040
        cmdline: C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:5712
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\qjsseysfcqkffnxoze.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe  PID:5728
    cmdline: C:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe .
    [2] C:\Windows\dzlodaxnnebzcnauiqrnz.exe  PID:5532
        cmdline: dzlodaxnnebzcnauiqrnz.exe .
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:2508
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\dzlodaxnnebzcnauiqrnz.exe*."

[1] C:\Windows\system32\cmd.exe  PID:5760
    cmdline: C:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe .
    [2] C:\Windows\bvfgtojxvkfbclwoagf.exe  PID:4328
        cmdline: bvfgtojxvkfbclwoagf.exe .
        - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:2484
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bvfgtojxvkfbclwoagf.exe*."

[1] C:\Windows\system32\cmd.exe  PID:3392
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe
    [2] C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe  PID:6108
        cmdline: C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe

[1] C:\Windows\system32\cmd.exe  PID:3856
    cmdline: C:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe
    [2] C:\Windows\hzhgrkdplyrlkraqa.exe  PID:5672
        cmdline: hzhgrkdplyrlkraqa.exe

[1] C:\Windows\system32\cmd.exe  PID:5212
    cmdline: C:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe
    [2] C:\Windows\arywgyqbwiatrxfu.exe  PID:5652
        cmdline: arywgyqbwiatrxfu.exe

[1] C:\Windows\system32\cmd.exe  PID:1396
    cmdline: C:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe .
    [2] C:\Windows\bvfgtojxvkfbclwoagf.exe  PID:4376
        cmdline: bvfgtojxvkfbclwoagf.exe .
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:5784
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bvfgtojxvkfbclwoagf.exe*."
[1] C:\Windows\system32\cmd.exe  PID:4780
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe  PID:3884
        cmdline: C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe .
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:5616
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\dzlodaxnnebzcnauiqrnz.exe*."

[1] C:\Windows\system32\cmd.exe  PID:6004
    cmdline: C:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe .
    [2] C:\Windows\dzlodaxnnebzcnauiqrnz.exe  PID:784
        cmdline: dzlodaxnnebzcnauiqrnz.exe .
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:5980
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\dzlodaxnnebzcnauiqrnz.exe*."

[1] C:\Windows\system32\cmd.exe  PID:5592
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe
    [2] C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe  PID:4784
        cmdline: C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe

[1] C:\Windows\system32\cmd.exe  PID:3636
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe
    [2] C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe  PID:3328
        cmdline: C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe

[1] C:\Windows\system32\cmd.exe  PID:4924
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe  PID:2104
        cmdline: C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:1028
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\arywgyqbwiatrxfu.exe*."

[1] C:\Windows\system32\cmd.exe  PID:4680
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe .
    [2] C:\Windows\System32\Conhost.exe  PID:3404
        cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe  PID:4812
        cmdline: C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:696
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\dzlodaxnnebzcnauiqrnz.exe*."

[1] C:\Windows\system32\cmd.exe  PID:340
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe
    [2] C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe  PID:4920
        cmdline: C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe

[1] C:\Windows\system32\cmd.exe  PID:5872
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe
    [2] C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe  PID:5068
        cmdline: C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe
[1] C:\Windows\system32\cmd.exe  PID:2356
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe  PID:1360
        cmdline: C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:2576
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\qjsseysfcqkffnxoze.exe*."

[1] C:\Windows\system32\cmd.exe  PID:2612
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe  PID:4968
        cmdline: C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:3872
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\arywgyqbwiatrxfu.exe*."

[1] C:\Windows\system32\cmd.exe  PID:5508
    cmdline: C:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe
    [2] C:\Windows\bvfgtojxvkfbclwoagf.exe  PID:4992
        cmdline: bvfgtojxvkfbclwoagf.exe

[1] C:\Windows\system32\cmd.exe  PID:5140
    cmdline: C:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe .
    [2] C:\Windows\arywgyqbwiatrxfu.exe  PID:5920
        cmdline: arywgyqbwiatrxfu.exe .
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:3516
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*."

[1] C:\Windows\system32\cmd.exe  PID:4392
    cmdline: C:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe
    [2] C:\Windows\hzhgrkdplyrlkraqa.exe  PID:5396
        cmdline: hzhgrkdplyrlkraqa.exe

[1] C:\Windows\system32\cmd.exe  PID:5892
    cmdline: C:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe .
    [2] C:\Windows\arywgyqbwiatrxfu.exe  PID:4600
        cmdline: arywgyqbwiatrxfu.exe .
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:4604
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*."

[1] C:\Windows\system32\cmd.exe  PID:2024
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe
    [2] C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe  PID:3272
        cmdline: C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe

[1] C:\Windows\system32\cmd.exe  PID:4892
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe  PID:2920
        cmdline: C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:5432
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hzhgrkdplyrlkraqa.exe*."

[1] C:\Windows\system32\cmd.exe  PID:5392
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe
    [2] C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe  PID:3436
        cmdline: C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe
[1] C:\Windows\system32\cmd.exe  PID:5988
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe  PID:1488
        cmdline: C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:3612
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\qjsseysfcqkffnxoze.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe  PID:4212
    cmdline: C:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe
    [2] C:\Windows\ojuwkgcrqgczblxqdkkf.exe  PID:4912
        cmdline: ojuwkgcrqgczblxqdkkf.exe

[1] C:\Windows\system32\cmd.exe  PID:2232
    cmdline: C:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe .
    [2] C:\Windows\dzlodaxnnebzcnauiqrnz.exe  PID:1008
        cmdline: dzlodaxnnebzcnauiqrnz.exe .
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:1044
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\dzlodaxnnebzcnauiqrnz.exe*."

[1] C:\Windows\system32\cmd.exe  PID:4668
    cmdline: C:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe
    [2] C:\Windows\hzhgrkdplyrlkraqa.exe  PID:2168
        cmdline: hzhgrkdplyrlkraqa.exe

[1] C:\Windows\system32\cmd.exe  PID:784
    cmdline: C:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe .
    [2] C:\Windows\qjsseysfcqkffnxoze.exe  PID:5052
        cmdline: qjsseysfcqkffnxoze.exe .
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:4628
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\qjsseysfcqkffnxoze.exe*."

[1] C:\Windows\system32\cmd.exe  PID:6076
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe
    [2] C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe  PID:2008
        cmdline: C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe

[1] C:\Windows\system32\cmd.exe  PID:3636
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe  PID:1472
        cmdline: C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe .
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:5100
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\dzlodaxnnebzcnauiqrnz.exe*."

[1] C:\Windows\system32\cmd.exe  PID:5220
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe
    [2] C:\Windows\System32\Conhost.exe  PID:6004
        cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe  PID:1736
        cmdline: C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe
[1] C:\Windows\system32\cmd.exe  PID:1740
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe  PID:5768
        cmdline: C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe .
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:4344
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bvfgtojxvkfbclwoagf.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe  PID:5944
    cmdline: C:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe
    [2] C:\Windows\System32\Conhost.exe  PID:4988
        cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] C:\Windows\ojuwkgcrqgczblxqdkkf.exe  PID:2756
        cmdline: ojuwkgcrqgczblxqdkkf.exe

[1] C:\Windows\system32\cmd.exe  PID:3872
    cmdline: C:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe .
    [2] C:\Windows\qjsseysfcqkffnxoze.exe  PID:3280
        cmdline: qjsseysfcqkffnxoze.exe .
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:5040
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\qjsseysfcqkffnxoze.exe*."

[1] C:\Windows\system32\cmd.exe  PID:1512
    cmdline: C:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe
    [2] C:\Windows\bvfgtojxvkfbclwoagf.exe  PID:1728
        cmdline: bvfgtojxvkfbclwoagf.exe

[1] C:\Windows\system32\cmd.exe  PID:2672
    cmdline: C:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe .
    [2] C:\Windows\dzlodaxnnebzcnauiqrnz.exe  PID:2612
        cmdline: dzlodaxnnebzcnauiqrnz.exe .
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:5920
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\dzlodaxnnebzcnauiqrnz.exe*."

[1] C:\Windows\system32\cmd.exe  PID:4456
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe
    [2] C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe  PID:1500
        cmdline: C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe

[1] C:\Windows\system32\cmd.exe  PID:2356
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe  PID:3272
        cmdline: C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:4716
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\arywgyqbwiatrxfu.exe*."

[1] C:\Windows\system32\cmd.exe  PID:5228
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe
    [2] C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe  PID:4788
        cmdline: C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe
[1] C:\Windows\system32\cmd.exe  PID:3560
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .
    [2] C:\Windows\System32\Conhost.exe  PID:5652
        cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe  PID:2888
        cmdline: C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:1832
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\arywgyqbwiatrxfu.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe  PID:4892
    cmdline: C:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe
    [2] C:\Windows\bvfgtojxvkfbclwoagf.exe  PID:3772
        cmdline: bvfgtojxvkfbclwoagf.exe

[1] C:\Windows\system32\cmd.exe  PID:208
    cmdline: C:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe .
    [2] C:\Windows\hzhgrkdplyrlkraqa.exe  PID:1096
        cmdline: hzhgrkdplyrlkraqa.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:856
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hzhgrkdplyrlkraqa.exe*."

[1] C:\Windows\system32\cmd.exe  PID:2912
    cmdline: C:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe
    [2] C:\Windows\dzlodaxnnebzcnauiqrnz.exe  PID:4572
        cmdline: dzlodaxnnebzcnauiqrnz.exe

[1] C:\Windows\system32\cmd.exe  PID:5468
    cmdline: C:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe .
    [2] C:\Windows\arywgyqbwiatrxfu.exe  PID:1364
        cmdline: arywgyqbwiatrxfu.exe .
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:4712
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*."

[1] C:\Windows\system32\cmd.exe  PID:4432
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe
    [2] C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe  PID:5932
        cmdline: C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe

[1] C:\Windows\system32\cmd.exe  PID:2772
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe  PID:3320
        cmdline: C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:5564
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hzhgrkdplyrlkraqa.exe*."

[1] C:\Windows\system32\cmd.exe  PID:5232
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe
    [2] C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe  PID:1768
        cmdline: C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe
[1] C:\Windows\system32\cmd.exe  PID:2172
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe  PID:5000
        cmdline: C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:5528
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\qjsseysfcqkffnxoze.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe  PID:5052
    cmdline: C:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe
    [2] C:\Windows\System32\Conhost.exe  PID:3484
        cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] C:\Windows\hzhgrkdplyrlkraqa.exe  PID:3468
        cmdline: hzhgrkdplyrlkraqa.exe

[1] C:\Windows\system32\cmd.exe  PID:3616
    cmdline: C:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe .
    [2] C:\Windows\bvfgtojxvkfbclwoagf.exe  PID:2104
        cmdline: bvfgtojxvkfbclwoagf.exe .
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:3844
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bvfgtojxvkfbclwoagf.exe*."

[1] C:\Windows\system32\cmd.exe  PID:1472
    cmdline: C:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe
    [2] C:\Windows\dzlodaxnnebzcnauiqrnz.exe  PID:1492
        cmdline: dzlodaxnnebzcnauiqrnz.exe

[1] C:\Windows\system32\cmd.exe  PID:4800
    cmdline: C:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe .
    [2] C:\Windows\arywgyqbwiatrxfu.exe  PID:3956
        cmdline: arywgyqbwiatrxfu.exe .
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:6132
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*."

[1] C:\Windows\system32\cmd.exe  PID:5264
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe
    [2] C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe  PID:4948
        cmdline: C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe

[1] C:\Windows\system32\cmd.exe  PID:5416
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe  PID:2756
        cmdline: C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:1132
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\arywgyqbwiatrxfu.exe*."

[1] C:\Windows\system32\cmd.exe  PID:6116
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe
    [2] C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe  PID:2532
        cmdline: C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe
[1] C:\Windows\system32\cmd.exe  PID:5396
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe  PID:3212
        cmdline: C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe .
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:5588
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bvfgtojxvkfbclwoagf.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe  PID:3920
    cmdline: C:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe
    [2] C:\Windows\arywgyqbwiatrxfu.exe  PID:2996
        cmdline: arywgyqbwiatrxfu.exe

[1] C:\Windows\system32\cmd.exe  PID:4296
    cmdline: C:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe .
    [2] C:\Windows\System32\Conhost.exe  PID:5920
        cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] C:\Windows\ojuwkgcrqgczblxqdkkf.exe  PID:2588
        cmdline: ojuwkgcrqgczblxqdkkf.exe .
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:1840
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ojuwkgcrqgczblxqdkkf.exe*."

[1] C:\Windows\system32\cmd.exe  PID:2624
    cmdline: C:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe
    [2] C:\Windows\qjsseysfcqkffnxoze.exe  PID:4460
        cmdline: qjsseysfcqkffnxoze.exe

[1] C:\Windows\system32\cmd.exe  PID:4788
    cmdline: C:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe .
    [2] C:\Windows\bvfgtojxvkfbclwoagf.exe  PID:5368
        cmdline: bvfgtojxvkfbclwoagf.exe .
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:3552
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bvfgtojxvkfbclwoagf.exe*."

[1] C:\Windows\system32\cmd.exe  PID:5276
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe
    [2] C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe  PID:4448
        cmdline: C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe

[1] C:\Windows\system32\cmd.exe  PID:4660
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe  PID:2920
        cmdline: C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe .
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:3436
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\dzlodaxnnebzcnauiqrnz.exe*."

[1] C:\Windows\system32\cmd.exe  PID:2948
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe
    [2] C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe  PID:856
        cmdline: C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe
[1] C:\Windows\system32\cmd.exe  PID:6036
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe  PID:5712
        cmdline: C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:3192
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\qjsseysfcqkffnxoze.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe  PID:4876
    cmdline: C:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe
    [2] C:\Windows\arywgyqbwiatrxfu.exe  PID:3312
        cmdline: arywgyqbwiatrxfu.exe

[1] C:\Windows\system32\cmd.exe  PID:3568
    cmdline: C:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe
    [2] C:\Windows\ojuwkgcrqgczblxqdkkf.exe  PID:4272
        cmdline: ojuwkgcrqgczblxqdkkf.exe

[1] C:\Windows\system32\cmd.exe  PID:2504
    cmdline: C:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe .
    [2] C:\Windows\dzlodaxnnebzcnauiqrnz.exe  PID:752
        cmdline: dzlodaxnnebzcnauiqrnz.exe .
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:3104
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\dzlodaxnnebzcnauiqrnz.exe*."

[1] C:\Windows\system32\cmd.exe  PID:3640
    cmdline: C:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe
    [2] C:\Windows\qjsseysfcqkffnxoze.exe  PID:2540
        cmdline: qjsseysfcqkffnxoze.exe

[1] C:\Windows\system32\cmd.exe  PID:4500
    cmdline: C:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe .
    [2] C:\Windows\arywgyqbwiatrxfu.exe  PID:5152
        cmdline: arywgyqbwiatrxfu.exe .
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:2600
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*."

[1] C:\Windows\system32\cmd.exe  PID:1684
    cmdline: C:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe .
    [2] C:\Windows\dzlodaxnnebzcnauiqrnz.exe  PID:4900
        cmdline: dzlodaxnnebzcnauiqrnz.exe .
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:5936
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\dzlodaxnnebzcnauiqrnz.exe*."

[1] C:\Windows\system32\cmd.exe  PID:2168
    cmdline: C:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe
    [2] C:\Windows\qjsseysfcqkffnxoze.exe  PID:5192
        cmdline: qjsseysfcqkffnxoze.exe
[1] C:\Windows\system32\cmd.exe  PID:4016
    cmdline: C:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe .
    [2] C:\Windows\bvfgtojxvkfbclwoagf.exe  PID:1144
        cmdline: bvfgtojxvkfbclwoagf.exe .
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:2024
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bvfgtojxvkfbclwoagf.exe*."
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

[1] C:\Windows\system32\cmd.exe  PID:5980
    cmdline: C:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe
    [2] C:\Windows\dzlodaxnnebzcnauiqrnz.exe  PID:2532
        cmdline: dzlodaxnnebzcnauiqrnz.exe

[1] C:\Windows\system32\cmd.exe  PID:3844
    cmdline: C:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe
    [2] C:\Windows\hzhgrkdplyrlkraqa.exe  PID:380
        cmdline: hzhgrkdplyrlkraqa.exe

[1] C:\Windows\system32\cmd.exe  PID:4920
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe
    [2] C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe  PID:4772
        cmdline: C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe

[1] C:\Windows\system32\cmd.exe  PID:4904
    cmdline: C:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe .
    [2] C:\Windows\arywgyqbwiatrxfu.exe  PID:1044
        cmdline: arywgyqbwiatrxfu.exe .
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:5000
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*."

[1] C:\Windows\system32\cmd.exe  PID:2332
    cmdline: C:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe .
    [2] C:\Windows\System32\Conhost.exe  PID:696
        cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [2] C:\Windows\ojuwkgcrqgczblxqdkkf.exe  PID:5048
        cmdline: ojuwkgcrqgczblxqdkkf.exe .
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:4512
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ojuwkgcrqgczblxqdkkf.exe*."

[1] C:\Windows\system32\cmd.exe  PID:5872
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .
    [2] C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe  PID:3988
        cmdline: C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  PID:3412
            cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\qjsseysfcqkffnxoze.exe*."

[1] C:\Windows\system32\cmd.exe  PID:3008
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe
    [2] C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe  PID:4044
        cmdline: C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe1⤵PID:3228
-
C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe2⤵PID:4356
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe .1⤵PID:4908
-
C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exeC:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5248 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ojuwkgcrqgczblxqdkkf.exe*."3⤵PID:3772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe .1⤵PID:5308
-
C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exeC:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4604 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bvfgtojxvkfbclwoagf.exe*."3⤵PID:5392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe1⤵PID:4360
C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe2⤵PID:4788
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe .1⤵PID:3584
C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exeC:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe .2⤵PID:2088
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ojuwkgcrqgczblxqdkkf.exe*."3⤵PID:2636
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe1⤵PID:4708
C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exeC:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe2⤵PID:3928
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe1⤵PID:608
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2588
C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exeC:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe2⤵PID:4340
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .1⤵PID:1968
C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5428 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\arywgyqbwiatrxfu.exe*."3⤵PID:3312
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .1⤵PID:4716
C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hzhgrkdplyrlkraqa.exe*."3⤵PID:4712
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe1⤵PID:5908
C:\Windows\ojuwkgcrqgczblxqdkkf.exeojuwkgcrqgczblxqdkkf.exe2⤵PID:3504
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe .1⤵PID:4972
C:\Windows\bvfgtojxvkfbclwoagf.exebvfgtojxvkfbclwoagf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bvfgtojxvkfbclwoagf.exe*."3⤵PID:4812
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe1⤵PID:2408
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe2⤵PID:2600
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe .1⤵PID:1548
C:\Windows\dzlodaxnnebzcnauiqrnz.exedzlodaxnnebzcnauiqrnz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5984 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\dzlodaxnnebzcnauiqrnz.exe*."3⤵PID:5212
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe1⤵PID:5528
C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe2⤵PID:3196
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .1⤵PID:3260
C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .2⤵PID:4732
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hzhgrkdplyrlkraqa.exe*."3⤵PID:4224
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe1⤵PID:4456
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3192
C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe2⤵PID:4772
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .1⤵PID:5936
C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .2⤵
- System Location Discovery: System Language Discovery
PID:820 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hzhgrkdplyrlkraqa.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:1684
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe1⤵PID:1492
C:\Windows\arywgyqbwiatrxfu.exearywgyqbwiatrxfu.exe2⤵PID:5432
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe .1⤵PID:1040
C:\Windows\qjsseysfcqkffnxoze.exeqjsseysfcqkffnxoze.exe .2⤵
- Checks computer location settings
PID:3516 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\qjsseysfcqkffnxoze.exe*."3⤵PID:1708
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe1⤵PID:1132
C:\Windows\arywgyqbwiatrxfu.exearywgyqbwiatrxfu.exe2⤵PID:5952
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe .1⤵PID:3436
C:\Windows\ojuwkgcrqgczblxqdkkf.exeojuwkgcrqgczblxqdkkf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3524 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ojuwkgcrqgczblxqdkkf.exe*."3⤵PID:1972
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe1⤵PID:4948
C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe2⤵PID:5448
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .1⤵PID:1536
C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\qjsseysfcqkffnxoze.exe*."3⤵PID:3548
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe1⤵PID:3872
C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exeC:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe2⤵PID:3792
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe .1⤵PID:2356
C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exeC:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4668 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bvfgtojxvkfbclwoagf.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5820
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe1⤵PID:5004
C:\Windows\arywgyqbwiatrxfu.exearywgyqbwiatrxfu.exe2⤵PID:1008
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe .1⤵PID:4556
C:\Windows\dzlodaxnnebzcnauiqrnz.exedzlodaxnnebzcnauiqrnz.exe .2⤵
- Checks computer location settings
PID:5096 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\dzlodaxnnebzcnauiqrnz.exe*."3⤵PID:5872
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe1⤵PID:5000
C:\Windows\bvfgtojxvkfbclwoagf.exebvfgtojxvkfbclwoagf.exe2⤵PID:5992
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe .1⤵PID:4820
C:\Windows\qjsseysfcqkffnxoze.exeqjsseysfcqkffnxoze.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3908 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\qjsseysfcqkffnxoze.exe*."3⤵PID:2540
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe1⤵PID:3904
C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe2⤵PID:5972
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .1⤵PID:4616
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4812
C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .2⤵
- Checks computer location settings
PID:3244 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hzhgrkdplyrlkraqa.exe*."3⤵PID:4588
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe1⤵PID:3196
C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe2⤵PID:5984
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe .1⤵PID:6084
C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exeC:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe .2⤵
- Checks computer location settings
PID:2928 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ojuwkgcrqgczblxqdkkf.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4480
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe1⤵PID:4032
C:\Windows\qjsseysfcqkffnxoze.exeqjsseysfcqkffnxoze.exe2⤵PID:2264
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe .1⤵PID:1832
C:\Windows\arywgyqbwiatrxfu.exearywgyqbwiatrxfu.exe .2⤵PID:1544
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*."3⤵PID:524
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe1⤵PID:5324
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe2⤵PID:4512
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe .1⤵PID:736
C:\Windows\arywgyqbwiatrxfu.exearywgyqbwiatrxfu.exe .2⤵
- Checks computer location settings
PID:5228 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*."3⤵PID:3228
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe1⤵PID:3588
C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exeC:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe2⤵PID:3576
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe .1⤵PID:3288
C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exeC:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe .2⤵
- Checks computer location settings
PID:5952 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ojuwkgcrqgczblxqdkkf.exe*."3⤵PID:3764
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe1⤵PID:4980
C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exeC:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe2⤵PID:5836
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .1⤵PID:4928
C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .2⤵PID:1688
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\arywgyqbwiatrxfu.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4340
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe1⤵PID:5464
C:\Windows\bvfgtojxvkfbclwoagf.exebvfgtojxvkfbclwoagf.exe2⤵PID:3552
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe .1⤵PID:5676
C:\Windows\qjsseysfcqkffnxoze.exeqjsseysfcqkffnxoze.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3872 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\qjsseysfcqkffnxoze.exe*."3⤵PID:4584
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe1⤵PID:3160
C:\Windows\arywgyqbwiatrxfu.exearywgyqbwiatrxfu.exe2⤵PID:3392
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe .1⤵PID:4784
C:\Windows\arywgyqbwiatrxfu.exearywgyqbwiatrxfu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5396 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*."3⤵PID:4024
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe1⤵PID:3848
C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exeC:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe2⤵PID:4448
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .1⤵PID:2776
C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .2⤵
- Checks computer location settings
PID:1096 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\arywgyqbwiatrxfu.exe*."3⤵PID:2104
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:1488
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe1⤵PID:2112
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1768
C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe2⤵PID:4816
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .1⤵PID:3616
C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5844 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\arywgyqbwiatrxfu.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4932
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe1⤵PID:4724
C:\Windows\bvfgtojxvkfbclwoagf.exebvfgtojxvkfbclwoagf.exe2⤵PID:5212
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe .1⤵PID:6116
C:\Windows\qjsseysfcqkffnxoze.exeqjsseysfcqkffnxoze.exe .2⤵PID:2508
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\qjsseysfcqkffnxoze.exe*."3⤵PID:2928
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe1⤵PID:1408
C:\Windows\bvfgtojxvkfbclwoagf.exebvfgtojxvkfbclwoagf.exe2⤵PID:2680
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe .1⤵PID:3260
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4224
C:\Windows\arywgyqbwiatrxfu.exearywgyqbwiatrxfu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5852 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*."3⤵PID:864
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe1⤵PID:2264
C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe2⤵PID:4976
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .1⤵PID:3036
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1544
C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3276 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hzhgrkdplyrlkraqa.exe*."3⤵PID:5800
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe1⤵PID:3576
C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe2⤵PID:5928
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .1⤵PID:1264
C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .2⤵PID:1148
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\arywgyqbwiatrxfu.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3676
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe1⤵PID:3288
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe2⤵PID:5220
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe1⤵PID:4360
C:\Windows\arywgyqbwiatrxfu.exearywgyqbwiatrxfu.exe2⤵PID:2332
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe1⤵PID:4604
C:\Windows\arywgyqbwiatrxfu.exearywgyqbwiatrxfu.exe2⤵PID:5760
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe .1⤵PID:5008
C:\Windows\dzlodaxnnebzcnauiqrnz.exedzlodaxnnebzcnauiqrnz.exe .2⤵PID:4908
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\dzlodaxnnebzcnauiqrnz.exe*."3⤵PID:1616
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe .1⤵PID:3004
C:\Windows\arywgyqbwiatrxfu.exearywgyqbwiatrxfu.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*."3⤵PID:4660
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe .1⤵PID:2612
C:\Windows\dzlodaxnnebzcnauiqrnz.exedzlodaxnnebzcnauiqrnz.exe .2⤵
- Checks computer location settings
PID:5276 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\dzlodaxnnebzcnauiqrnz.exe*."3⤵PID:3164
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe1⤵PID:1228
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe2⤵PID:3612
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe .1⤵PID:3152
C:\Windows\arywgyqbwiatrxfu.exearywgyqbwiatrxfu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5212 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5936
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe1⤵PID:4792
C:\Windows\arywgyqbwiatrxfu.exearywgyqbwiatrxfu.exe2⤵PID:208
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe1⤵PID:3332
C:\Windows\arywgyqbwiatrxfu.exearywgyqbwiatrxfu.exe2⤵PID:3968
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe .1⤵PID:3508
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4976 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hzhgrkdplyrlkraqa.exe*."3⤵PID:2700
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe1⤵PID:2484
C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exeC:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe2⤵PID:2380
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe .1⤵PID:3180
C:\Windows\dzlodaxnnebzcnauiqrnz.exedzlodaxnnebzcnauiqrnz.exe .2⤵
- Checks computer location settings
PID:5592 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\dzlodaxnnebzcnauiqrnz.exe*."3⤵PID:5828
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe1⤵PID:1096
C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe2⤵PID:3536
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .1⤵PID:2104
C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4604 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\arywgyqbwiatrxfu.exe*."3⤵PID:3844
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe1⤵PID:1664
C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exeC:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe2⤵PID:3716
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .1⤵PID:4020
C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:6096 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hzhgrkdplyrlkraqa.exe*."3⤵PID:4780
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .1⤵PID:3904
C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3260 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hzhgrkdplyrlkraqa.exe*."3⤵PID:5856
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe1⤵PID:5112
C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exeC:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe2⤵PID:1708
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe1⤵PID:5984
C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe2⤵PID:1268
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .1⤵PID:4812
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5768
C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .2⤵
- Checks computer location settings
PID:5368 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\qjsseysfcqkffnxoze.exe*."3⤵PID:3472
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe1⤵PID:4436
C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exeC:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe2⤵PID:3588
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .1⤵PID:3196
C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3212 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\qjsseysfcqkffnxoze.exe*."3⤵PID:5760
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe .1⤵PID:3136
C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exeC:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4808 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\dzlodaxnnebzcnauiqrnz.exe*."3⤵PID:3560
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe1⤵PID:4480
C:\Windows\qjsseysfcqkffnxoze.exeqjsseysfcqkffnxoze.exe2⤵PID:648
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe .1⤵PID:2772
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3872
C:\Windows\qjsseysfcqkffnxoze.exeqjsseysfcqkffnxoze.exe .2⤵PID:1860
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\qjsseysfcqkffnxoze.exe*."3⤵PID:1500
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe1⤵PID:3160
C:\Windows\ojuwkgcrqgczblxqdkkf.exeojuwkgcrqgczblxqdkkf.exe2⤵PID:1972
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe .1⤵PID:4116
C:\Windows\ojuwkgcrqgczblxqdkkf.exeojuwkgcrqgczblxqdkkf.exe .2⤵
- Checks computer location settings
PID:5140 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ojuwkgcrqgczblxqdkkf.exe*."3⤵PID:6068
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe1⤵PID:2736
C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe2⤵PID:3892
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe .1⤵PID:2756
C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exeC:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe .2⤵PID:5944
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ojuwkgcrqgczblxqdkkf.exe*."3⤵PID:3048
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe1⤵PID:4492
C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe2⤵PID:4512
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .1⤵PID:5708
C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .2⤵
- Checks computer location settings
PID:1512 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hzhgrkdplyrlkraqa.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5324
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe1⤵PID:5752
C:\Windows\qjsseysfcqkffnxoze.exeqjsseysfcqkffnxoze.exe2⤵PID:1664
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe .1⤵PID:3228
C:\Windows\ojuwkgcrqgczblxqdkkf.exeojuwkgcrqgczblxqdkkf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4728 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ojuwkgcrqgczblxqdkkf.exe*."3⤵PID:2600
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe1⤵PID:4428
C:\Windows\dzlodaxnnebzcnauiqrnz.exedzlodaxnnebzcnauiqrnz.exe2⤵PID:5100
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe .1⤵PID:4376
C:\Windows\qjsseysfcqkffnxoze.exeqjsseysfcqkffnxoze.exe .2⤵PID:4688
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\qjsseysfcqkffnxoze.exe*."3⤵PID:5220
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe1⤵PID:1356
C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exeC:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe2⤵PID:5836
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .1⤵PID:3856
C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4972 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\qjsseysfcqkffnxoze.exe*."3⤵PID:3104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe1⤵PID:5960
-
C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe2⤵PID:1132
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .1⤵PID:4416
-
C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4928 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\arywgyqbwiatrxfu.exe*."3⤵PID:6004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe1⤵PID:4836
-
C:\Windows\ojuwkgcrqgczblxqdkkf.exeojuwkgcrqgczblxqdkkf.exe2⤵PID:784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe .1⤵PID:1056
-
C:\Windows\ojuwkgcrqgczblxqdkkf.exeojuwkgcrqgczblxqdkkf.exe .2⤵PID:1568
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ojuwkgcrqgczblxqdkkf.exe*."3⤵PID:1828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe1⤵PID:6016
-
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe2⤵PID:6020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe .1⤵PID:1008
-
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe .2⤵PID:4816
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hzhgrkdplyrlkraqa.exe*."3⤵PID:2208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe1⤵PID:6036
-
C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exeC:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe2⤵PID:3160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe .1⤵PID:1640
-
C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exeC:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe .2⤵PID:3436
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\dzlodaxnnebzcnauiqrnz.exe*."3⤵PID:3392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe1⤵PID:3552
-
C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe2⤵PID:1060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .1⤵PID:6128
-
C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .2⤵PID:2404
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hzhgrkdplyrlkraqa.exe*."3⤵PID:4632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe1⤵PID:920
-
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe2⤵PID:4964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe .1⤵PID:4460
-
C:\Windows\dzlodaxnnebzcnauiqrnz.exedzlodaxnnebzcnauiqrnz.exe .2⤵PID:1848
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\dzlodaxnnebzcnauiqrnz.exe*."3⤵PID:6064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe1⤵PID:3152
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4448
-
-
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe2⤵PID:3328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe .1⤵PID:2596
-
C:\Windows\ojuwkgcrqgczblxqdkkf.exeojuwkgcrqgczblxqdkkf.exe .2⤵PID:2668
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ojuwkgcrqgczblxqdkkf.exe*."3⤵PID:4856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe1⤵PID:5556
-
C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exeC:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe2⤵PID:2108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe .1⤵PID:3712
-
C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exeC:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe .2⤵PID:452
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bvfgtojxvkfbclwoagf.exe*."3⤵PID:4824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe1⤵PID:5756
-
C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe2⤵PID:5300
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .1⤵PID:4020
-
C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .2⤵PID:3148
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\qjsseysfcqkffnxoze.exe*."3⤵PID:3104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe1⤵PID:1016
-
C:\Windows\bvfgtojxvkfbclwoagf.exebvfgtojxvkfbclwoagf.exe2⤵PID:4440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe .1⤵PID:4148
-
C:\Windows\bvfgtojxvkfbclwoagf.exebvfgtojxvkfbclwoagf.exe .2⤵PID:100
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bvfgtojxvkfbclwoagf.exe*."3⤵PID:5996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe1⤵PID:4360
-
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe2⤵PID:5480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe .1⤵PID:3036
-
C:\Windows\bvfgtojxvkfbclwoagf.exebvfgtojxvkfbclwoagf.exe .2⤵PID:5728
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bvfgtojxvkfbclwoagf.exe*."3⤵PID:4900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe1⤵PID:680
-
C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe2⤵PID:2112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe .1⤵PID:1968
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1728
-
-
C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exeC:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe .2⤵PID:3504
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ojuwkgcrqgczblxqdkkf.exe*."3⤵PID:3160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe1⤵PID:6036
-
C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe2⤵PID:3892
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .1⤵PID:3872
-
C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .2⤵PID:5844
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\qjsseysfcqkffnxoze.exe*."3⤵PID:2864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe1⤵PID:2700
-
C:\Windows\arywgyqbwiatrxfu.exearywgyqbwiatrxfu.exe2⤵PID:2800
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe .1⤵PID:3908
-
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe .2⤵PID:5532
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hzhgrkdplyrlkraqa.exe*."3⤵PID:2888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe1⤵PID:3552
-
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe2⤵PID:2652
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe .1⤵PID:1352
-
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe .2⤵PID:5852
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hzhgrkdplyrlkraqa.exe*."3⤵PID:4524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe1⤵PID:1944
-
C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exeC:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe2⤵PID:4424
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe .1⤵PID:2024
-
C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exeC:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe .2⤵PID:5752
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\dzlodaxnnebzcnauiqrnz.exe*."3⤵PID:1644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe1⤵PID:460
-
C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe2⤵PID:1040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe .1⤵PID:4796
-
C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exeC:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe .2⤵PID:5112
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\dzlodaxnnebzcnauiqrnz.exe*."3⤵PID:2628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe1⤵PID:4428
-
C:\Windows\bvfgtojxvkfbclwoagf.exebvfgtojxvkfbclwoagf.exe2⤵PID:412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe1⤵PID:5192
-
C:\Windows\arywgyqbwiatrxfu.exearywgyqbwiatrxfu.exe2⤵PID:1364
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe1⤵PID:4272
-
C:\Windows\qjsseysfcqkffnxoze.exeqjsseysfcqkffnxoze.exe2⤵PID:5784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe .1⤵PID:5024
-
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe .2⤵PID:752
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hzhgrkdplyrlkraqa.exe*."3⤵PID:4392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe .1⤵PID:2680
-
C:\Windows\ojuwkgcrqgczblxqdkkf.exeojuwkgcrqgczblxqdkkf.exe .2⤵PID:1648
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ojuwkgcrqgczblxqdkkf.exe*."3⤵PID:2604
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe .1⤵PID:4004
-
C:\Windows\dzlodaxnnebzcnauiqrnz.exedzlodaxnnebzcnauiqrnz.exe .2⤵PID:5332
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\dzlodaxnnebzcnauiqrnz.exe*."3⤵PID:4628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe1⤵PID:3184
-
C:\Windows\dzlodaxnnebzcnauiqrnz.exedzlodaxnnebzcnauiqrnz.exe2⤵PID:5448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe1⤵PID:840
-
C:\Windows\dzlodaxnnebzcnauiqrnz.exedzlodaxnnebzcnauiqrnz.exe2⤵PID:3244
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe1⤵PID:4416
-
C:\Windows\arywgyqbwiatrxfu.exearywgyqbwiatrxfu.exe2⤵PID:3484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe .1⤵PID:4680
-
C:\Windows\arywgyqbwiatrxfu.exearywgyqbwiatrxfu.exe .2⤵PID:4996
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*."3⤵PID:4556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe .1⤵PID:3860
-
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe .2⤵PID:1856
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hzhgrkdplyrlkraqa.exe*."3⤵PID:4720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe .1⤵PID:4480
-
C:\Windows\ojuwkgcrqgczblxqdkkf.exeojuwkgcrqgczblxqdkkf.exe .2⤵PID:1500
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ojuwkgcrqgczblxqdkkf.exe*."3⤵PID:5972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe1⤵PID:4340
-
C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe2⤵PID:4060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe1⤵PID:3280
-
C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exeC:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe2⤵PID:6096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe1⤵PID:3036
-
C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exeC:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe2⤵PID:5568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe .1⤵PID:4356
-
C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exeC:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe .2⤵PID:5892
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bvfgtojxvkfbclwoagf.exe*."3⤵PID:3716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .1⤵PID:4912
-
C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .2⤵PID:2612
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\arywgyqbwiatrxfu.exe*."3⤵PID:1848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .1⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .2⤵PID:2800
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hzhgrkdplyrlkraqa.exe*."3⤵PID:4964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe1⤵PID:5656
-
C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe2⤵PID:3956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe1⤵PID:5832
-
C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exeC:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe2⤵PID:5888
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe1⤵PID:5508
-
C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exeC:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe2⤵PID:4932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .1⤵PID:5572
-
C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .2⤵PID:5152
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\arywgyqbwiatrxfu.exe*."3⤵PID:5836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .1⤵PID:3212
-
C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .2⤵PID:2028
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hzhgrkdplyrlkraqa.exe*."3⤵PID:2864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .1⤵PID:1228
-
C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .2⤵PID:2600
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\qjsseysfcqkffnxoze.exe*."3⤵PID:4712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe1⤵PID:5016
-
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe2⤵PID:5244
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe .1⤵PID:3508
-
C:\Windows\bvfgtojxvkfbclwoagf.exebvfgtojxvkfbclwoagf.exe .2⤵PID:4992
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bvfgtojxvkfbclwoagf.exe*."3⤵PID:4548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe1⤵PID:5100
-
C:\Windows\bvfgtojxvkfbclwoagf.exebvfgtojxvkfbclwoagf.exe2⤵PID:5480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe .1⤵PID:2168
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4604
-
-
C:\Windows\arywgyqbwiatrxfu.exearywgyqbwiatrxfu.exe .2⤵PID:2260
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*."3⤵PID:6004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe1⤵PID:5040
-
C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exeC:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe2⤵PID:4816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .1⤵PID:5996
-
C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .2⤵PID:5224
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\arywgyqbwiatrxfu.exe*."3⤵PID:4524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe1⤵PID:4980
-
C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe2⤵PID:4668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe .1⤵PID:680
-
C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exeC:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe .2⤵PID:5944
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bvfgtojxvkfbclwoagf.exe*."3⤵PID:4900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe1⤵PID:5708
-
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe2⤵PID:1148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe .1⤵PID:3104
-
C:\Windows\bvfgtojxvkfbclwoagf.exebvfgtojxvkfbclwoagf.exe .2⤵PID:4932
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bvfgtojxvkfbclwoagf.exe*."3⤵PID:3320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe1⤵PID:4704
-
C:\Windows\bvfgtojxvkfbclwoagf.exebvfgtojxvkfbclwoagf.exe2⤵PID:4516
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe .1⤵PID:2600
-
C:\Windows\arywgyqbwiatrxfu.exearywgyqbwiatrxfu.exe .2⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*."3⤵PID:2504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe1⤵PID:4652
-
C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe2⤵PID:3212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe .1⤵PID:6068
-
C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exeC:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe .2⤵PID:3192
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\dzlodaxnnebzcnauiqrnz.exe*."3⤵PID:5092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe1⤵PID:5588
-
C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe2⤵PID:1856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe .1⤵PID:3260
-
C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exeC:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe .2⤵PID:4692
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ojuwkgcrqgczblxqdkkf.exe*."3⤵PID:4344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe1⤵PID:5952
-
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe2⤵PID:1132
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe .1⤵PID:5600
-
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe .2⤵PID:860
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hzhgrkdplyrlkraqa.exe*."3⤵PID:4064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe1⤵PID:3616
-
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe2⤵PID:5220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe .1⤵PID:3620
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4272
-
-
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe .2⤵PID:2984
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hzhgrkdplyrlkraqa.exe*."3⤵PID:4124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe1⤵PID:3508
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1364
-
-
C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe2⤵PID:4948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .1⤵PID:5312
-
C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe .2⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hzhgrkdplyrlkraqa.exe*."3⤵PID:4416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe1⤵PID:5564
-
C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exeC:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe2⤵PID:4200
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe .1⤵PID:5532
-
C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exeC:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe .2⤵PID:4828
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ojuwkgcrqgczblxqdkkf.exe*."3⤵PID:5756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe1⤵PID:4524
-
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe2⤵PID:5996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe .1⤵PID:5920
-
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe .2⤵PID:2176
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hzhgrkdplyrlkraqa.exe*."3⤵PID:1848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe1⤵PID:3160
-
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe2⤵PID:1828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe .1⤵PID:1864
-
C:\Windows\arywgyqbwiatrxfu.exearywgyqbwiatrxfu.exe .2⤵PID:5928
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*."3⤵PID:5388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe1⤵PID:5048
-
C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exeC:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe2⤵PID:5248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe .1⤵PID:5708
-
C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exeC:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe .2⤵PID:3664
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\dzlodaxnnebzcnauiqrnz.exe*."3⤵PID:4516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe1⤵PID:1708
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2756
-
-
C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exeC:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe2⤵PID:3212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .1⤵PID:3832
-
C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .2⤵PID:6076
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\arywgyqbwiatrxfu.exe*."3⤵PID:3848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe1⤵PID:3772
-
C:\Windows\qjsseysfcqkffnxoze.exeqjsseysfcqkffnxoze.exe2⤵PID:5244
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe .1⤵PID:3412
-
C:\Windows\arywgyqbwiatrxfu.exearywgyqbwiatrxfu.exe .2⤵PID:3904
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*."3⤵PID:3640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe1⤵PID:2112
-
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe2⤵PID:5228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe .1⤵PID:5416
-
C:\Windows\arywgyqbwiatrxfu.exearywgyqbwiatrxfu.exe .2⤵PID:3260
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*."3⤵PID:5908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe1⤵PID:784
-
C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exeC:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe2⤵PID:4500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .1⤵PID:4004
-
C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe .2⤵PID:3708
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\qjsseysfcqkffnxoze.exe*."3⤵PID:1620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe1⤵PID:4856
-
C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exeC:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe2⤵PID:2656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .1⤵PID:1944
-
C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exeC:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe .2⤵PID:652
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\arywgyqbwiatrxfu.exe*."3⤵PID:2508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe1⤵PID:1536
-
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe2⤵PID:1492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe .1⤵PID:3620
-
C:\Windows\hzhgrkdplyrlkraqa.exehzhgrkdplyrlkraqa.exe .2⤵PID:4920
-
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hzhgrkdplyrlkraqa.exe*." | PID 1924

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe | PID 2928
    [2] C:\Windows\bvfgtojxvkfbclwoagf.exe | bvfgtojxvkfbclwoagf.exe | PID 3844

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe . | PID 2020
    [2] C:\Windows\dzlodaxnnebzcnauiqrnz.exe | dzlodaxnnebzcnauiqrnz.exe . | PID 5112
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\dzlodaxnnebzcnauiqrnz.exe*." | PID 3180

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe | PID 4584
    [2] C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe | C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe | PID 3548

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe . | PID 3472
    [2] C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe . | PID 5748
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hzhgrkdplyrlkraqa.exe*." | PID 4632

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe | PID 4964
    [2] C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe | PID 2628

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe . | PID 5996
    [2] C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe . | PID 5936
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\qjsseysfcqkffnxoze.exe*." | PID 1528

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe | PID 4980
    [2] C:\Windows\hzhgrkdplyrlkraqa.exe | hzhgrkdplyrlkraqa.exe | PID 4556

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe | PID 3220
    [2] C:\Windows\ojuwkgcrqgczblxqdkkf.exe | ojuwkgcrqgczblxqdkkf.exe | PID 5144

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe . | PID 2208
    [2] C:\Windows\bvfgtojxvkfbclwoagf.exe | bvfgtojxvkfbclwoagf.exe . | PID 4516
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bvfgtojxvkfbclwoagf.exe*." | PID 5588

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe . | PID 5752
    [2] C:\Windows\qjsseysfcqkffnxoze.exe | qjsseysfcqkffnxoze.exe . | PID 5184
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\qjsseysfcqkffnxoze.exe*." | PID 3328

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe | PID 3288
    [2] C:\Windows\dzlodaxnnebzcnauiqrnz.exe | dzlodaxnnebzcnauiqrnz.exe | PID 864

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe | PID 1640
    [2] C:\Windows\hzhgrkdplyrlkraqa.exe | hzhgrkdplyrlkraqa.exe | PID 2172

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe . | PID 1220
    [2] C:\Windows\ojuwkgcrqgczblxqdkkf.exe | ojuwkgcrqgczblxqdkkf.exe . | PID 3228
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ojuwkgcrqgczblxqdkkf.exe*." | PID 1548

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe | PID 2884
    [2] C:\Windows\qjsseysfcqkffnxoze.exe | qjsseysfcqkffnxoze.exe | PID 4440

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe | PID 4220
    [2] C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe | C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe | PID 5012

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe . | PID 3792
    [2] C:\Windows\arywgyqbwiatrxfu.exe | arywgyqbwiatrxfu.exe . | PID 3184
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*." | PID 4480

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe . | PID 1780
    [2] C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe | C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe . | PID 1968
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\dzlodaxnnebzcnauiqrnz.exe*." | PID 5768

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe . | PID 2944
    [2] C:\Windows\dzlodaxnnebzcnauiqrnz.exe | dzlodaxnnebzcnauiqrnz.exe . | PID 3004
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\dzlodaxnnebzcnauiqrnz.exe*." | PID 5000

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe | PID 3436
    [2] C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe | PID 3008

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe . | PID 1856
    [2] C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe . | PID 5572
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hzhgrkdplyrlkraqa.exe*." | PID 3560

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe | PID 3260
    [2] C:\Windows\arywgyqbwiatrxfu.exe | arywgyqbwiatrxfu.exe | PID 4416

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe . | PID 4928
    [2] C:\Windows\hzhgrkdplyrlkraqa.exe | hzhgrkdplyrlkraqa.exe . | PID 6116
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hzhgrkdplyrlkraqa.exe*." | PID 3988

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe | PID 2432
    [2] C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe | C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe | PID 4972

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe | PID 860
    [2] C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe | C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe | PID 4812

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe . | PID 3616
    [2] C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe | C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe . | PID 4392
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bvfgtojxvkfbclwoagf.exe*." | PID 4340

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe | PID 2408
    [2] C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe | C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe | PID 3484

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe . | PID 5992
    [2] C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe | C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe . | PID 4976
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bvfgtojxvkfbclwoagf.exe*." | PID 3516

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe . | PID 4124
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3872
    [2] C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe . | PID 4820
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\arywgyqbwiatrxfu.exe*." | PID 3280

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe | PID 4876
    [2] C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe | C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe | PID 756

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe . | PID 5568
    [2] C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe | C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe . | PID 4556
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\dzlodaxnnebzcnauiqrnz.exe*." | PID 3404

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe | PID 5640
    [2] C:\Windows\arywgyqbwiatrxfu.exe | arywgyqbwiatrxfu.exe | PID 5388

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe . | PID 1864
    [2] C:\Windows\arywgyqbwiatrxfu.exe | arywgyqbwiatrxfu.exe . | PID 3884
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*." | PID 2680

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe | PID 4932
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2540
    [2] C:\Windows\ojuwkgcrqgczblxqdkkf.exe | ojuwkgcrqgczblxqdkkf.exe | PID 5324

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe . | PID 864
    [2] C:\Windows\arywgyqbwiatrxfu.exe | arywgyqbwiatrxfu.exe . | PID 1936
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*." | PID 2588

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe | PID 3192
    [2] C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe | PID 3052

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe . | PID 5908
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 380
    [2] C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe . | PID 1512
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\qjsseysfcqkffnxoze.exe*." | PID 4044

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe | PID 4156
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2264
    [2] C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe | C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe | PID 2052

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe . | PID 6076
    [2] C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe . | PID 4020
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\arywgyqbwiatrxfu.exe*." | PID 4824

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe | PID 5004
    [2] C:\Windows\arywgyqbwiatrxfu.exe | arywgyqbwiatrxfu.exe | PID 5000

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe . | PID 2600
    [2] C:\Windows\bvfgtojxvkfbclwoagf.exe | bvfgtojxvkfbclwoagf.exe . | PID 3764
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bvfgtojxvkfbclwoagf.exe*." | PID 1132

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe | PID 4908
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1500
    [2] C:\Windows\qjsseysfcqkffnxoze.exe | qjsseysfcqkffnxoze.exe | PID 5808

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe . | PID 4500
    [2] C:\Windows\ojuwkgcrqgczblxqdkkf.exe | ojuwkgcrqgczblxqdkkf.exe . | PID 4636
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ojuwkgcrqgczblxqdkkf.exe*." | PID 4988

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe | PID 1984
    [2] C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe | C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe | PID 3576

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe . | PID 1492
    [2] C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe . | PID 5024
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\arywgyqbwiatrxfu.exe*." | PID 60

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe | PID 4296
    [2] C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe | C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe | PID 5096

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe . | PID 5836
    [2] C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe . | PID 4140
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hzhgrkdplyrlkraqa.exe*." | PID 5456

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe | PID 4964
    [2] C:\Windows\bvfgtojxvkfbclwoagf.exe | bvfgtojxvkfbclwoagf.exe | PID 5676

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe . | PID 1952
    [2] C:\Windows\bvfgtojxvkfbclwoagf.exe | bvfgtojxvkfbclwoagf.exe . | PID 4772
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bvfgtojxvkfbclwoagf.exe*." | PID 5980

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe | PID 2800
    [2] C:\Windows\ojuwkgcrqgczblxqdkkf.exe | ojuwkgcrqgczblxqdkkf.exe | PID 2652

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe . | PID 5800
    [2] C:\Windows\qjsseysfcqkffnxoze.exe | qjsseysfcqkffnxoze.exe . | PID 2176
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\qjsseysfcqkffnxoze.exe*." | PID 5508

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe | PID 5464
    [2] C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe | C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe | PID 2720

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe . | PID 4764
    [2] C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe | C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe . | PID 1268
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bvfgtojxvkfbclwoagf.exe*." | PID 1848

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe | PID 3472
    [2] C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe | PID 2248

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe . | PID 3008
    [2] C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe . | PID 4532
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\qjsseysfcqkffnxoze.exe*." | PID 680

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe | PID 5092
    [2] C:\Windows\qjsseysfcqkffnxoze.exe | qjsseysfcqkffnxoze.exe | PID 856

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe . | PID 2344
    [2] C:\Windows\arywgyqbwiatrxfu.exe | arywgyqbwiatrxfu.exe . | PID 5708
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*." | PID 5264

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe | PID 3696
    [2] C:\Windows\qjsseysfcqkffnxoze.exe | qjsseysfcqkffnxoze.exe | PID 2208

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe . | PID 1972
    [2] C:\Windows\arywgyqbwiatrxfu.exe | arywgyqbwiatrxfu.exe . | PID 5828
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*." | PID 460

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe | PID 4644
    [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5248
    [2] C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe | PID 4840

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe . | PID 640
    [2] C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe . | PID 4888
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\qjsseysfcqkffnxoze.exe*." | PID 1768

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe | PID 1740
    [2] C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe | C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe | PID 3956

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe . | PID 1396
    [2] C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe | C:\Users\Admin\AppData\Local\Temp\bvfgtojxvkfbclwoagf.exe . | PID 1164
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bvfgtojxvkfbclwoagf.exe*." | PID 5784

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe | PID 1408
    [2] C:\Windows\dzlodaxnnebzcnauiqrnz.exe | dzlodaxnnebzcnauiqrnz.exe | PID 1780

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hzhgrkdplyrlkraqa.exe . | PID 1548
    [2] C:\Windows\hzhgrkdplyrlkraqa.exe | hzhgrkdplyrlkraqa.exe . | PID 5432
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hzhgrkdplyrlkraqa.exe*." | PID 1984

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dzlodaxnnebzcnauiqrnz.exe | PID 4560
    [2] C:\Windows\dzlodaxnnebzcnauiqrnz.exe | dzlodaxnnebzcnauiqrnz.exe | PID 1772

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe . | PID 6104
    [2] C:\Windows\bvfgtojxvkfbclwoagf.exe | bvfgtojxvkfbclwoagf.exe . | PID 2624
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bvfgtojxvkfbclwoagf.exe*." | PID 4796

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe | PID 4816
    [2] C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe | PID 4768

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe . | PID 5748
    [2] C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe | C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe . | PID 2908
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\dzlodaxnnebzcnauiqrnz.exe*." | PID 2260

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe | PID 5300
    [2] C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe | C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe | PID 4140

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe . | PID 6124
    [2] C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe | C:\Users\Admin\AppData\Local\Temp\ojuwkgcrqgczblxqdkkf.exe . | PID 2872
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ojuwkgcrqgczblxqdkkf.exe*." | PID 4856

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe | PID 2408
    [2] C:\Windows\bvfgtojxvkfbclwoagf.exe | bvfgtojxvkfbclwoagf.exe | PID 4872

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c arywgyqbwiatrxfu.exe . | PID 1148
    [2] C:\Windows\arywgyqbwiatrxfu.exe | arywgyqbwiatrxfu.exe . | PID 1196
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\arywgyqbwiatrxfu.exe*." | PID 5172

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe | PID 4312
    [2] C:\Windows\ojuwkgcrqgczblxqdkkf.exe | ojuwkgcrqgczblxqdkkf.exe | PID 3048

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe . | PID 4912
    [2] C:\Windows\qjsseysfcqkffnxoze.exe | qjsseysfcqkffnxoze.exe . | PID 444
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\qjsseysfcqkffnxoze.exe*." | PID 4600

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe | PID 4804
    [2] C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe | PID 4920

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe . | PID 4828
    [2] C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\qjsseysfcqkffnxoze.exe . | PID 1484
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\qjsseysfcqkffnxoze.exe*." | PID 2108

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe | PID 5040
    [2] C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\arywgyqbwiatrxfu.exe | PID 4900

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe | PID 4344
    [2] C:\Windows\ojuwkgcrqgczblxqdkkf.exe | ojuwkgcrqgczblxqdkkf.exe | PID 2212

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe . | PID 1580
    [2] C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\hzhgrkdplyrlkraqa.exe . | PID 4552
        [3] C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hzhgrkdplyrlkraqa.exe*." | PID 1068

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojuwkgcrqgczblxqdkkf.exe | PID 5396
    [2] C:\Windows\ojuwkgcrqgczblxqdkkf.exe | ojuwkgcrqgczblxqdkkf.exe | PID 4336

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe . | PID 1008
    [2] C:\Windows\qjsseysfcqkffnxoze.exe | qjsseysfcqkffnxoze.exe . | PID 4704

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe . | PID 5264

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe | PID 5068

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe . | PID 2052

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bvfgtojxvkfbclwoagf.exe | PID 2104

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dzlodaxnnebzcnauiqrnz.exe | PID 864

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qjsseysfcqkffnxoze.exe . | PID 376
Network
MITRE ATT&CK Enterprise v16

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads

Filesize: 280B
MD5: c88808064936dd151e1dc68adaec0488
SHA1: 0251b61e7c3b288c1e0594133c267faf81055d3b
SHA256: 49a6ed9dd1a006750a233c6dfb12ba79b5a5a2e01d0b384a3aa1ad421c553b34
SHA512: 63171625260280b69901b4271aadba06b17cf2b1a80b1d9e393f29650d67f7fbff5056acaef268e2429267bad51ced09a70a8a68910817cb8a5f36a8f79fc546

Filesize: 280B
MD5: 2b8fdfe67ecf81a33fbb42fa69d577f0
SHA1: 31bfd4d319a66164a262468f808585ac48184e22
SHA256: bde5786285c432433ba48002065f627e9e0ced5bf27d06015b4273bccf488ee6
SHA512: bbba30af5a5650985ef681857c026b2d952f40065e787a5ee75bd5ed3036784079988a231478c5def757b2256bfb2e1d5b3f6bedec30dd99d322f46506f29c1b

Filesize: 280B
MD5: f2bd9632bd7bcccde06981a4114a5557
SHA1: e7529f100314472ea316d5746a93ee834db75511
SHA256: 842acade11a87fda9f4b9a7032e37e576f388e14e5de34b1514e0793c47ef16f
SHA512: ad8a66dc24467217ecbd5adde336b126ca10179f81202369002a57c61999ffc5aedd1eb93aabba5b764eadcc98421d8f6deaf690d97e3598868cb29de542fb82

Filesize: 280B
MD5: cdce2f72bd9ff228e9ca8da43388d572
SHA1: 08555ec04ac4487a3846eb1c8bb514c65c4da00e
SHA256: 5af5af26fa195819faf9f1b8fe3117d5cd13dc43a5c60db7e7a2d2f0ff25aee7
SHA512: 922493b5840d444cc4462ff7bf6da840e9d547af99f9d884cd93e69f0fc56fc2e811c448444097f8cfc35738d04d9f1937f24500956a57dba154a7d94fe1d21e

Filesize: 280B
MD5: 8e90c44a1183fa880d92b7e874f2e5e9
SHA1: b3cf94c0f96d1ccacceb2a081136574b81a14925
SHA256: 6648ee5740ddc8cb0556c596779787737e58eb4b80c3af4d579c54f3e4c8b12c
SHA512: bfbbd2e0f14ebed4337b489a0f8e2886200aa24100bfb3bfafbcfddfa6a108f8d746def5b259e9e1789da7a47fd85de81d1f9fea9a5d3591b59f1e7a14c4fc01

Filesize: 280B
MD5: 38a62d0d7f4ecaeac040370b5210bec3
SHA1: e0ecbc012bda023ac08abb2d644719ef1f7d9a95
SHA256: 0f84b092fda821df5e9af6de46dc32b5c1c9ccb9fef4d79e187ff80524b690b2
SHA512: 565fe627808c25bcf3ef241553065cdddfdb94196c8f79141a6a47c37ab26ba02e17c8d62ef65976eec0a1cebe71fed6748e3fd4834ef1ba6301387874cefbcd

Filesize: 700KB
MD5: 0e965ec7a83e481bceea838a53d825f3
SHA1: 703329695d2c58ce2d747ded25b8eb8398b2824b
SHA256: 02b27aeef5325b4015716cb52a5d12bbefa4015a93d3524c7e3b351d2a3036cb
SHA512: 09ffc454937adbbf26281c2bce6cb8220760e96ff331aec6c685ed429b86c3f32c996a352a557d4bfa0ed44f863a0d76eb15e9cb914aca3ae52fe04f9cfefda7

Filesize: 320KB
MD5: 70971f6c6d5e508ea1bfaec67bf739a3
SHA1: a43de5a8722562f3fbd1245f15ecc0cd87c5f088
SHA256: b25a92c91198e03bd144cefd593301f4b3837b3880740a63d9526b032d150954
SHA512: d92b578685c8bf1e459e323f99275c8eaaec0a0a7767f3b87c9ff95351292b0ed5cc4c272eec699f0a105cb5bb4390ce0a8b35342d9defe099c71828a62e96a0

Filesize: 280B
MD5: 7dd1f062c8738eacc5d872bb35f9effe
SHA1: dd85c101744bbdb65434274924ac2805c3e73b35
SHA256: 30c0e5bf9df19bfac87929afe151c73d2c68b6201bcbb0fa91eb890f668a14cd
SHA512: 104f3489083ae28d34258ac61f7e7c8ca4b73649398fac114161cfd870ea75c2b7aa010c8df667bf26c30f89d157b2ade45c3d5ce523e96dde77d4df4be93eea

Filesize: 4KB
MD5: c3b337c188a7491d148b299a2af5b1d6
SHA1: b9d71f8912e54258a00afcd1bad4c19b15644b05
SHA256: b22b8b0311d73f83c5299354af2bc2f7ee856c7cf023347fb5cf6f6bbfbf744a
SHA512: b1f357df6dcc242e5027c7e2221675a12df7024b3fb2de718efbf7afda75d7ea9ac397390fec907a5c2423131ce76c9aa07b8885e23ff9b58dc714eaf0b11316

Filesize: 1016KB
MD5: acd201e3179f1bea3176625e53ae74a0
SHA1: 16aba416493d24d4fcc7f94133da3a3bc328016c
SHA256: 5362c09319c951bf520453f62ce8e2b521322aaed60b929fe2cb4f11085d0250
SHA512: f3234c90de201c62cb1ec4f101cc017289960916a98452a65500cadc3ec181a01a200381660e5789b99673d6db827fa6cfa96fe812e7540c88b01e59662a99ba