Analysis
max time kernel: 44s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250410-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/04/2025, 08:21
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_b1a720ff3f312809e834babbc8238648.exe
Resource: win10v2004-20250410-en
General
Target: JaffaCakes118_b1a720ff3f312809e834babbc8238648.exe
Size: 524KB
MD5: b1a720ff3f312809e834babbc8238648
SHA1: 9143508ce53230b2437aaa3992f4c41586b3100d
SHA256: f71aac19d5e1e24a5b983a37d068604ef8d1ece82b27eefccd52c8dfd3ce5426
SHA512: a4f0ca15311c954fa431b413997816eae984387175b853f8f6ec8ee9c20c51960cdeaa87f6a9ebb93f6f2acc639ba0b5863067079724b0d1ca903e0c8f8037aa
SSDEEP: 6144:/j6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrion9iYm:76onxOp8FySpE5zvIdtU+Ymef
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | ousymr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | ousymr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Pykspa family

UAC bypass 3 TTPs 29 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ousymr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ousymr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ousymr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ousymr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ousymr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ousymr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ousymr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ousymr.exe
Detect Pykspa worm 2 IoCs
resource | yara_rule
behavioral1/files/0x000500000002336d-4.dat | family_pykspa
behavioral1/files/0x000900000001e6c4-84.dat | family_pykspa
Adds policy Run key to start application 2 TTPs 64 IoCs
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ousymr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ousymr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ousymr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ousymr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qjfmnzhratp.exe
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE 64 IoCs
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | ousymr.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | ousymr.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | ousymr.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | ousymr.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | ousymr.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | ousymr.exe
Adds Run key to start application 2 TTPs 64 IoCs
qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seiuozhqjqdx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bufyzrgwwkefjyhbrjf.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\seiuozhqjqdx = "bufyzrgwwkefjyhbrjf.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seiuozhqjqdx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qiskkbpedqjjmaibqh.exe" ousymr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hyhyxnaomyqpreldr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqyombnaxizxykqh.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rejwrdmwqymhf = "hyhyxnaomyqpreldr.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vkrgdrcokukhhsx = "aqyombnaxizxykqh.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qiskkbpedqjjmaibqh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qiskkbpedqjjmaibqh.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hyhyxnaomyqpreldr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dylgjdumoeadjalhztrmz.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aqyombnaxizxykqh = "bufyzrgwwkefjyhbrjf.exe ." 
qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vkrgdrcokukhhsx = "bufyzrgwwkefjyhbrjf.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qiskkbpedqjjmaibqh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hyhyxnaomyqpreldr.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aqyombnaxizxykqh = "oiuoqjzqrgbdiyidunke.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vkrgdrcokukhhsx = "bufyzrgwwkefjyhbrjf.exe" ousymr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qiskkbpedqjjmaibqh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bufyzrgwwkefjyhbrjf.exe" ousymr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hyhyxnaomyqpreldr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oiuoqjzqrgbdiyidunke.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rejwrdmwqymhf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hyhyxnaomyqpreldr.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hyhyxnaomyqpreldr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qiskkbpedqjjmaibqh.exe ." 
qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\seiuozhqjqdx = "dylgjdumoeadjalhztrmz.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seiuozhqjqdx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hyhyxnaomyqpreldr.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aqyombnaxizxykqh = "qiskkbpedqjjmaibqh.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rejwrdmwqymhf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bufyzrgwwkefjyhbrjf.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vkrgdrcokukhhsx = "oiuoqjzqrgbdiyidunke.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hyhyxnaomyqpreldr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dylgjdumoeadjalhztrmz.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hyhyxnaomyqpreldr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hyhyxnaomyqpreldr.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\seiuozhqjqdx = "oiuoqjzqrgbdiyidunke.exe" ousymr.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aqyombnaxizxykqh = "bufyzrgwwkefjyhbrjf.exe ." qjfmnzhratp.exe -
Checks whether UAC is enabled 1 TTPs 40 IoCs
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" ousymr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" ousymr.exe
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
22 www.whatismyip.ca
23 www.showmyipaddress.com
32 whatismyip.everdot.org
33 www.whatismyip.ca
36 whatismyip.everdot.org
15 whatismyipaddress.com
19 whatismyip.everdot.org
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 4 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\fevubzuqwqqxhcrrnlnmd.jhc ousymr.exe
File created C:\Program Files (x86)\fevubzuqwqqxhcrrnlnmd.jhc ousymr.exe
File opened for modification C:\Program Files (x86)\akmwoxdkbgrjekkvclyikumvbizephci.taj ousymr.exe
File created C:\Program Files (x86)\akmwoxdkbgrjekkvclyikumvbizephci.taj ousymr.exe
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 1888 ousymr.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 64 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer ousymr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer ousymr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" ousymr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ousymr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" ousymr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" ousymr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" ousymr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" ousymr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ousymr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" ousymr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ousymr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" ousymr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" ousymr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ousymr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" ousymr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ousymr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" ousymr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ousymr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ousymr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ousymr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" ousymr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ousymr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b1a720ff3f312809e834babbc8238648.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b1a720ff3f312809e834babbc8238648.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5428 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_b1a720ff3f312809e834babbc8238648.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4764 -
C:\Users\Admin\AppData\Local\Temp\ousymr.exe"C:\Users\Admin\AppData\Local\Temp\ousymr.exe" "-C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1888
-
-
C:\Users\Admin\AppData\Local\Temp\ousymr.exe"C:\Users\Admin\AppData\Local\Temp\ousymr.exe" "-C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Windows\qiskkbpedqjjmaibqh.exeqiskkbpedqjjmaibqh.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\qiskkbpedqjjmaibqh.exeqiskkbpedqjjmaibqh.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\qiskkbpedqjjmaibqh.exe*."3⤵
- Executes dropped EXE
PID:3328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\oiuoqjzqrgbdiyidunke.exeoiuoqjzqrgbdiyidunke.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5208 -
C:\Windows\qiskkbpedqjjmaibqh.exeqiskkbpedqjjmaibqh.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\qiskkbpedqjjmaibqh.exe*."3⤵
- Executes dropped EXE
PID:5848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exeC:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe2⤵
- Executes dropped EXE
PID:1632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\hyhyxnaomyqpreldr.exe*."3⤵
- Executes dropped EXE
PID:5292
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5204 -
C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exeC:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bufyzrgwwkefjyhbrjf.exe*."3⤵
- Executes dropped EXE
PID:2364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\qiskkbpedqjjmaibqh.exeqiskkbpedqjjmaibqh.exe2⤵
- Executes dropped EXE
PID:384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5620 -
C:\Windows\bufyzrgwwkefjyhbrjf.exebufyzrgwwkefjyhbrjf.exe2⤵
- Executes dropped EXE
PID:816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5844 -
C:\Windows\oiuoqjzqrgbdiyidunke.exeoiuoqjzqrgbdiyidunke.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5368 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oiuoqjzqrgbdiyidunke.exe*."3⤵
- Executes dropped EXE
PID:868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\aqyombnaxizxykqh.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\qiskkbpedqjjmaibqh.exeqiskkbpedqjjmaibqh.exe2⤵
- Executes dropped EXE
PID:2920
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe1⤵PID:6128
-
C:\Windows\bufyzrgwwkefjyhbrjf.exebufyzrgwwkefjyhbrjf.exe2⤵
- Executes dropped EXE
PID:5492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe .1⤵PID:4384
-
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4808 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\aqyombnaxizxykqh.exe*."3⤵
- Executes dropped EXE
PID:748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe1⤵PID:5688
-
C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exeC:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe2⤵
- Executes dropped EXE
PID:3772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe .1⤵PID:1488
-
C:\Windows\hyhyxnaomyqpreldr.exehyhyxnaomyqpreldr.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5820 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\hyhyxnaomyqpreldr.exe*."3⤵
- Executes dropped EXE
PID:5400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe .1⤵PID:1188
-
C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exeC:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5580 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bufyzrgwwkefjyhbrjf.exe*."3⤵
- Executes dropped EXE
PID:5404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe1⤵PID:3360
-
C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exeC:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe2⤵
- Executes dropped EXE
PID:5324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .1⤵PID:4048
-
C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4904 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\qiskkbpedqjjmaibqh.exe*."3⤵
- Executes dropped EXE
PID:2260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe1⤵PID:1872
-
C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exeC:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe2⤵
- Executes dropped EXE
PID:4972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe .1⤵PID:6104
-
C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1460 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\hyhyxnaomyqpreldr.exe*."3⤵
- Executes dropped EXE
PID:3236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe1⤵PID:2776
-
C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exeC:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe2⤵
- Executes dropped EXE
PID:3860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .1⤵PID:4616
-
C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\qiskkbpedqjjmaibqh.exe*."3⤵
- Executes dropped EXE
PID:4648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe1⤵PID:1512
-
C:\Windows\dylgjdumoeadjalhztrmz.exedylgjdumoeadjalhztrmz.exe2⤵
- Executes dropped EXE
PID:5736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe .1⤵PID:2572
-
C:\Windows\hyhyxnaomyqpreldr.exehyhyxnaomyqpreldr.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5592 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\hyhyxnaomyqpreldr.exe*."3⤵
- Executes dropped EXE
PID:4508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe1⤵PID:4056
-
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe2⤵
- Executes dropped EXE
PID:1676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe .1⤵PID:2896
-
C:\Windows\qiskkbpedqjjmaibqh.exeqiskkbpedqjjmaibqh.exe .2⤵
- Executes dropped EXE
PID:3696 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\qiskkbpedqjjmaibqh.exe*."3⤵
- Executes dropped EXE
PID:2988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe1⤵PID:5320
-
C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exeC:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe2⤵
- Executes dropped EXE
PID:5196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe .1⤵PID:5360
-
C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exeC:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe .2⤵
- Executes dropped EXE
PID:1876 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bufyzrgwwkefjyhbrjf.exe*."3⤵
- Executes dropped EXE
PID:3192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe1⤵PID:6032
-
C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exeC:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe2⤵
- Executes dropped EXE
PID:3200
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe .1⤵PID:5984
-
C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exeC:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4560 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dylgjdumoeadjalhztrmz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe1⤵PID:4108
-
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe2⤵
- Executes dropped EXE
PID:3496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe .1⤵PID:3708
-
C:\Windows\hyhyxnaomyqpreldr.exehyhyxnaomyqpreldr.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4144 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\hyhyxnaomyqpreldr.exe*."3⤵
- Executes dropped EXE
PID:5284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe1⤵PID:3540
-
C:\Windows\qiskkbpedqjjmaibqh.exeqiskkbpedqjjmaibqh.exe2⤵
- Executes dropped EXE
PID:5732
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe .1⤵PID:5756
-
C:\Windows\hyhyxnaomyqpreldr.exehyhyxnaomyqpreldr.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3456 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\hyhyxnaomyqpreldr.exe*."3⤵
- Executes dropped EXE
PID:5308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe1⤵PID:2344
-
C:\Windows\bufyzrgwwkefjyhbrjf.exebufyzrgwwkefjyhbrjf.exe2⤵
- Executes dropped EXE
PID:1580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe1⤵PID:228
-
C:\Windows\qiskkbpedqjjmaibqh.exeqiskkbpedqjjmaibqh.exe2⤵
- Executes dropped EXE
PID:4564
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe1⤵PID:3272
C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe2⤵
- Executes dropped EXE
PID:2792
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe .1⤵PID:5588
C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exeC:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe .2⤵
- Executes dropped EXE
PID:4868
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dylgjdumoeadjalhztrmz.exe*."3⤵PID:912
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe .1⤵PID:1900
C:\Windows\oiuoqjzqrgbdiyidunke.exeoiuoqjzqrgbdiyidunke.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:1856
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oiuoqjzqrgbdiyidunke.exe*."3⤵PID:5392
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe .1⤵PID:1744
C:\Windows\dylgjdumoeadjalhztrmz.exedylgjdumoeadjalhztrmz.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4728
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dylgjdumoeadjalhztrmz.exe*."3⤵PID:5712
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe1⤵PID:4204
C:\Windows\bufyzrgwwkefjyhbrjf.exebufyzrgwwkefjyhbrjf.exe2⤵
- Executes dropped EXE
PID:1868
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe1⤵PID:3232
C:\Windows\hyhyxnaomyqpreldr.exehyhyxnaomyqpreldr.exe2⤵PID:1788
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe .1⤵PID:3872
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5584
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\aqyombnaxizxykqh.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3132
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe1⤵PID:3512
C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe2⤵PID:5344
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe .1⤵PID:1500
C:\Windows\hyhyxnaomyqpreldr.exehyhyxnaomyqpreldr.exe .2⤵
- Checks computer location settings
PID:4824
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\hyhyxnaomyqpreldr.exe*."3⤵PID:5296
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe .1⤵PID:6128
C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1488
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\hyhyxnaomyqpreldr.exe*."3⤵PID:3984
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe1⤵PID:5420
C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe2⤵PID:4104
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe1⤵PID:4976
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5400
C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exeC:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe2⤵PID:1212
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe .1⤵PID:5092
C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exeC:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2260
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oiuoqjzqrgbdiyidunke.exe*."3⤵PID:1396
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .1⤵PID:3600
C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5404
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\qiskkbpedqjjmaibqh.exe*."3⤵PID:4504
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe1⤵PID:5192
C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe2⤵PID:4120
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe1⤵PID:5484
C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exeC:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe2⤵PID:1632
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe .1⤵PID:4432
C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exeC:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5564
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oiuoqjzqrgbdiyidunke.exe*."3⤵PID:2360
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .1⤵PID:1584
C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .2⤵PID:5636
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\qiskkbpedqjjmaibqh.exe*."3⤵PID:2832
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe1⤵PID:4308
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe2⤵PID:1764
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe .1⤵PID:4676
C:\Windows\hyhyxnaomyqpreldr.exehyhyxnaomyqpreldr.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2436
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\hyhyxnaomyqpreldr.exe*."3⤵PID:5604
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe1⤵PID:3224
C:\Windows\bufyzrgwwkefjyhbrjf.exebufyzrgwwkefjyhbrjf.exe2⤵PID:5616
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe .1⤵PID:5836
C:\Windows\oiuoqjzqrgbdiyidunke.exeoiuoqjzqrgbdiyidunke.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5148
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oiuoqjzqrgbdiyidunke.exe*."3⤵PID:2624
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe1⤵PID:5772
C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exeC:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe2⤵PID:1980
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .1⤵PID:2408
C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exeC:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:6068
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\aqyombnaxizxykqh.exe*."3⤵PID:844
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe1⤵PID:3376
C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exeC:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe2⤵PID:5104
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .1⤵PID:1088
C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exeC:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5568
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\aqyombnaxizxykqh.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1616
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe1⤵PID:2172
C:\Windows\hyhyxnaomyqpreldr.exehyhyxnaomyqpreldr.exe2⤵PID:1216
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe .1⤵PID:5572
C:\Windows\oiuoqjzqrgbdiyidunke.exeoiuoqjzqrgbdiyidunke.exe .2⤵PID:1776
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oiuoqjzqrgbdiyidunke.exe*."3⤵PID:5440
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe1⤵PID:2424
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe2⤵PID:3744
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe .1⤵PID:3428
C:\Windows\qiskkbpedqjjmaibqh.exeqiskkbpedqjjmaibqh.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4728
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\qiskkbpedqjjmaibqh.exe*."3⤵PID:2884
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe1⤵PID:5324
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3860
C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exeC:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe2⤵PID:5084
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .1⤵PID:4684
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5712
C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4844
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\qiskkbpedqjjmaibqh.exe*."3⤵PID:2820
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe1⤵PID:5500
C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exeC:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe2⤵PID:1744
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe .1⤵PID:3772
C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exeC:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2980
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oiuoqjzqrgbdiyidunke.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5128
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe1⤵PID:5060
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe2⤵PID:2428
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe .1⤵PID:3788
C:\Windows\hyhyxnaomyqpreldr.exehyhyxnaomyqpreldr.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4948
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\hyhyxnaomyqpreldr.exe*."3⤵PID:4572
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe1⤵PID:1620
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1676
C:\Windows\dylgjdumoeadjalhztrmz.exedylgjdumoeadjalhztrmz.exe2⤵PID:4160
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe .1⤵PID:4952
C:\Windows\hyhyxnaomyqpreldr.exehyhyxnaomyqpreldr.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:6060
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\hyhyxnaomyqpreldr.exe*."3⤵PID:4120
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe1⤵PID:5920
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5404
C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exeC:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe2⤵PID:3328
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe .1⤵PID:4424
C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe .2⤵
- System Location Discovery: System Language Discovery
PID:808
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\hyhyxnaomyqpreldr.exe*."3⤵PID:1092
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe1⤵PID:4968
C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exeC:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe2⤵PID:3600
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .1⤵PID:4888
C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4400
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\qiskkbpedqjjmaibqh.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:116
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe1⤵PID:5132
C:\Windows\oiuoqjzqrgbdiyidunke.exeoiuoqjzqrgbdiyidunke.exe2⤵PID:5760
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe .1⤵PID:5932
C:\Windows\bufyzrgwwkefjyhbrjf.exebufyzrgwwkefjyhbrjf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4852
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bufyzrgwwkefjyhbrjf.exe*."3⤵PID:1176
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe1⤵PID:5564
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe2⤵PID:4308
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe .1⤵PID:5208
C:\Windows\oiuoqjzqrgbdiyidunke.exeoiuoqjzqrgbdiyidunke.exe .2⤵PID:5152
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oiuoqjzqrgbdiyidunke.exe*."3⤵PID:2052
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe1⤵PID:3244
C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exeC:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe2⤵PID:5676
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .1⤵PID:4192
C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exeC:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .2⤵
- Checks computer location settings
PID:5876
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\aqyombnaxizxykqh.exe*."3⤵PID:440
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe1⤵PID:6056
C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exeC:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe2⤵PID:1036
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe .1⤵PID:1516
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4560
C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exeC:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5852
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bufyzrgwwkefjyhbrjf.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1448
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe1⤵PID:1180
C:\Windows\qiskkbpedqjjmaibqh.exeqiskkbpedqjjmaibqh.exe2⤵PID:2316
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe .1⤵PID:5552
C:\Windows\dylgjdumoeadjalhztrmz.exedylgjdumoeadjalhztrmz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4524
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dylgjdumoeadjalhztrmz.exe*."3⤵PID:4552
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe1⤵PID:2752
C:\Windows\hyhyxnaomyqpreldr.exehyhyxnaomyqpreldr.exe2⤵PID:3164
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe .1⤵PID:556
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5308
C:\Windows\hyhyxnaomyqpreldr.exehyhyxnaomyqpreldr.exe .2⤵PID:3272
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\hyhyxnaomyqpreldr.exe*."3⤵PID:3864
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe1⤵PID:4712
C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exeC:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe2⤵PID:3744
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe .1⤵PID:456
C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exeC:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:6048
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dylgjdumoeadjalhztrmz.exe*."3⤵PID:3860
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe1⤵PID:4944
C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe2⤵PID:3428
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe .1⤵PID:2884
C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exeC:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4204
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oiuoqjzqrgbdiyidunke.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1680
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe1⤵PID:740
C:\Windows\dylgjdumoeadjalhztrmz.exedylgjdumoeadjalhztrmz.exe2⤵PID:5588
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe .1⤵PID:2720
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4104
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5272
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\aqyombnaxizxykqh.exe*."3⤵PID:3432
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe1⤵PID:576
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe2⤵PID:3884
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe .1⤵PID:3596
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5632
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\aqyombnaxizxykqh.exe*."3⤵PID:1768
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe1⤵PID:3472
C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exeC:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe2⤵PID:4048
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe .1⤵PID:5184
C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exeC:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4976
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oiuoqjzqrgbdiyidunke.exe*."3⤵PID:3872
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe1⤵PID:4056
C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe2⤵PID:6000
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .1⤵PID:2776
C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exeC:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5096
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\aqyombnaxizxykqh.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2572
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe1⤵PID:3464
C:\Windows\bufyzrgwwkefjyhbrjf.exebufyzrgwwkefjyhbrjf.exe2⤵PID:1460
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe1⤵PID:5688
C:\Windows\bufyzrgwwkefjyhbrjf.exebufyzrgwwkefjyhbrjf.exe2⤵PID:4928
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe .1⤵PID:6024
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3868
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\aqyombnaxizxykqh.exe*."3⤵PID:5676
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe .1⤵PID:644
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4236
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\aqyombnaxizxykqh.exe*."3⤵PID:2436
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe1⤵PID:1740
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe2⤵PID:5816
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe1⤵PID:1188
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe2⤵PID:4444
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe .1⤵PID:1028
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe .2⤵
- Checks computer location settings
PID:6056
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\aqyombnaxizxykqh.exe*."3⤵PID:5756
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe .1⤵PID:4532
C:\Windows\oiuoqjzqrgbdiyidunke.exeoiuoqjzqrgbdiyidunke.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2020
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oiuoqjzqrgbdiyidunke.exe*."3⤵PID:2196
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe1⤵PID:3108
C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exeC:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe2⤵PID:2036
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe1⤵PID:3220
C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exeC:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe2⤵PID:3840
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe1⤵PID:388
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe2⤵PID:5624
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe .1⤵PID:960
C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exeC:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4548
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bufyzrgwwkefjyhbrjf.exe*."3⤵PID:5976
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe .1⤵PID:384
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5148
C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exeC:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe .2⤵
- Checks computer location settings
PID:3132
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bufyzrgwwkefjyhbrjf.exe*."3⤵PID:5820
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe .1⤵PID:812
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe .2⤵
- Checks computer location settings
PID:2792
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\aqyombnaxizxykqh.exe*."3⤵PID:2424
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe1⤵PID:5728
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4144
C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exeC:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe2⤵PID:3208
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe1⤵PID:1516
C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe2⤵PID:5516
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe1⤵PID:5992
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe2⤵PID:3684
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe .1⤵PID:1088
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3456
C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exeC:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3260
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oiuoqjzqrgbdiyidunke.exe*."3⤵PID:1616
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe .1⤵PID:5012
C:\Windows\bufyzrgwwkefjyhbrjf.exebufyzrgwwkefjyhbrjf.exe .2⤵PID:4728
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bufyzrgwwkefjyhbrjf.exe*."3⤵PID:1872
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .1⤵PID:5788
C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exeC:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .2⤵PID:884
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\aqyombnaxizxykqh.exe*."3⤵PID:2016
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe1⤵PID:2728
C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe2⤵PID:2312
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .1⤵PID:4712
C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exeC:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .2⤵PID:4876
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\aqyombnaxizxykqh.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe1⤵PID:1788
-
C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe2⤵PID:5500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe .1⤵PID:5172
-
C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exeC:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe .2⤵
- Checks computer location settings
PID:4764 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bufyzrgwwkefjyhbrjf.exe*."3⤵PID:2560
-
-
-
[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe | PID:1212
    [2] C:\Windows\dylgjdumoeadjalhztrmz.exe | cmdline: dylgjdumoeadjalhztrmz.exe | PID:2068

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe . | PID:1428
    [2] C:\Windows\bufyzrgwwkefjyhbrjf.exe | cmdline: bufyzrgwwkefjyhbrjf.exe . | PID:2104
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bufyzrgwwkefjyhbrjf.exe*." | PID:748

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe | PID:5404
    [2] C:\Windows\hyhyxnaomyqpreldr.exe | cmdline: hyhyxnaomyqpreldr.exe | PID:2656

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe . | PID:2320
    [2] C:\Windows\aqyombnaxizxykqh.exe | cmdline: aqyombnaxizxykqh.exe . | PID:3536
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\aqyombnaxizxykqh.exe*." | PID:5828

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | PID:4824
    [2] C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | PID:5128

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe . | PID:1460
    [2] C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe . | PID:4912
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\qiskkbpedqjjmaibqh.exe*." | PID:4468

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | PID:4952
    [2] C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | PID:5228

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe . | PID:4960
    [2] C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe . | PID:5024
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dylgjdumoeadjalhztrmz.exe*." | PID:5856
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe | PID:3840
    [2] C:\Windows\bufyzrgwwkefjyhbrjf.exe | cmdline: bufyzrgwwkefjyhbrjf.exe | PID:6028

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe . | PID:1652
    [2] C:\Windows\qiskkbpedqjjmaibqh.exe | cmdline: qiskkbpedqjjmaibqh.exe . | PID:5104
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\qiskkbpedqjjmaibqh.exe*." | PID:3452

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe | PID:4024
    [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5568
    [2] C:\Windows\qiskkbpedqjjmaibqh.exe | cmdline: qiskkbpedqjjmaibqh.exe | PID:688

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe . | PID:4760
    [2] C:\Windows\dylgjdumoeadjalhztrmz.exe | cmdline: dylgjdumoeadjalhztrmz.exe . | PID:5396
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dylgjdumoeadjalhztrmz.exe*." | PID:4032

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe | PID:5136
    [2] C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe | PID:2392

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe . | PID:4832
    [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1776
    [2] C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe . | PID:5820
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\qiskkbpedqjjmaibqh.exe*." | PID:3924

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | PID:5048
    [2] C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | PID:3860

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe . | PID:5380
    [2] C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe . | PID:4576
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\hyhyxnaomyqpreldr.exe*." | PID:4192
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe | PID:3152
    [2] C:\Windows\qiskkbpedqjjmaibqh.exe | cmdline: qiskkbpedqjjmaibqh.exe | PID:3548

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe . | PID:5500
    [2] C:\Windows\oiuoqjzqrgbdiyidunke.exe | cmdline: oiuoqjzqrgbdiyidunke.exe . | PID:4552
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oiuoqjzqrgbdiyidunke.exe*." | PID:5300

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe | PID:2304
    [2] C:\Windows\qiskkbpedqjjmaibqh.exe | cmdline: qiskkbpedqjjmaibqh.exe | PID:4992

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe . | PID:760
    [2] C:\Windows\oiuoqjzqrgbdiyidunke.exe | cmdline: oiuoqjzqrgbdiyidunke.exe . | PID:1580
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oiuoqjzqrgbdiyidunke.exe*." | PID:1856

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | PID:1380
    [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5272
    [2] C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | PID:6096

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe . | PID:1964
    [2] C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe . | PID:4972
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\aqyombnaxizxykqh.exe*." | PID:1488

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | PID:5584
    [2] C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | PID:1676

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe . | PID:4384
    [2] C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe . | PID:2104
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\qiskkbpedqjjmaibqh.exe*." | PID:2656
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe | PID:5404
    [2] C:\Windows\hyhyxnaomyqpreldr.exe | cmdline: hyhyxnaomyqpreldr.exe | PID:5776

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe . | PID:1056
    [2] C:\Windows\hyhyxnaomyqpreldr.exe | cmdline: hyhyxnaomyqpreldr.exe . | PID:872
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\hyhyxnaomyqpreldr.exe*." | PID:5688

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe | PID:4056
    [2] C:\Windows\oiuoqjzqrgbdiyidunke.exe | cmdline: oiuoqjzqrgbdiyidunke.exe | PID:632

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe . | PID:2932
    [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4400
    [2] C:\Windows\qiskkbpedqjjmaibqh.exe | cmdline: qiskkbpedqjjmaibqh.exe . | PID:4952
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\qiskkbpedqjjmaibqh.exe*." | PID:2292

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | PID:6104
    [2] C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | PID:5024

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe . | PID:4308
    [2] C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe . | PID:1752
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dylgjdumoeadjalhztrmz.exe*." | PID:4580

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | PID:5772
    [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1632
    [2] C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | PID:5896

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe . | PID:4828
    [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2832
    [2] C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe . | PID:1032
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bufyzrgwwkefjyhbrjf.exe*." | PID:4524
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe | PID:5836
    [2] C:\Windows\oiuoqjzqrgbdiyidunke.exe | cmdline: oiuoqjzqrgbdiyidunke.exe | PID:5316

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe . | PID:5288
    [2] C:\Windows\dylgjdumoeadjalhztrmz.exe | cmdline: dylgjdumoeadjalhztrmz.exe . | PID:1180
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dylgjdumoeadjalhztrmz.exe*." | PID:4668

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe | PID:3968
    [2] C:\Windows\dylgjdumoeadjalhztrmz.exe | cmdline: dylgjdumoeadjalhztrmz.exe | PID:4708

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe . | PID:4140
    [2] C:\Windows\qiskkbpedqjjmaibqh.exe | cmdline: qiskkbpedqjjmaibqh.exe . | PID:4292
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\qiskkbpedqjjmaibqh.exe*." | PID:5412

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | PID:1828
    [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3132
    [2] C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | PID:5324

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe . | PID:5516
    [2] C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe . | PID:1304
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dylgjdumoeadjalhztrmz.exe*." | PID:540

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | PID:5856
    [2] C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | PID:4196

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe . | PID:5796
    [2] C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe . | PID:1172
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bufyzrgwwkefjyhbrjf.exe*." | PID:4812
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe | PID:2572
    [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3260
    [2] C:\Windows\bufyzrgwwkefjyhbrjf.exe | cmdline: bufyzrgwwkefjyhbrjf.exe | PID:5460

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe . | PID:3056
    [2] C:\Windows\bufyzrgwwkefjyhbrjf.exe | cmdline: bufyzrgwwkefjyhbrjf.exe . | PID:5300
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bufyzrgwwkefjyhbrjf.exe*." | PID:2448

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe | PID:1160
    [2] C:\Windows\bufyzrgwwkefjyhbrjf.exe | cmdline: bufyzrgwwkefjyhbrjf.exe | PID:4884

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe | PID:4872
    [2] C:\Windows\oiuoqjzqrgbdiyidunke.exe | cmdline: oiuoqjzqrgbdiyidunke.exe | PID:760

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe . | PID:4768
    [2] C:\Windows\bufyzrgwwkefjyhbrjf.exe | cmdline: bufyzrgwwkefjyhbrjf.exe . | PID:2920
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bufyzrgwwkefjyhbrjf.exe*." | PID:5200

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe | PID:2560
    [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1856
    [2] C:\Windows\hyhyxnaomyqpreldr.exe | cmdline: hyhyxnaomyqpreldr.exe | PID:3788

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | PID:4764
    [2] C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | PID:1768

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe . | PID:4048
    [2] C:\Windows\aqyombnaxizxykqh.exe | cmdline: aqyombnaxizxykqh.exe . | PID:4816
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\aqyombnaxizxykqh.exe*." | PID:3216

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe . | PID:5800
    [2] C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe . | PID:4940
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oiuoqjzqrgbdiyidunke.exe*." | PID:4824

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe . | PID:6044
    [2] C:\Windows\qiskkbpedqjjmaibqh.exe | cmdline: qiskkbpedqjjmaibqh.exe . | PID:3984
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\qiskkbpedqjjmaibqh.exe*." | PID:2080
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe | PID:4480
    [2] C:\Windows\oiuoqjzqrgbdiyidunke.exe | cmdline: oiuoqjzqrgbdiyidunke.exe | PID:2932

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe | PID:548
    [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3600
    [2] C:\Windows\aqyombnaxizxykqh.exe | cmdline: aqyombnaxizxykqh.exe | PID:3452

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe . | PID:5296
    [2] C:\Windows\oiuoqjzqrgbdiyidunke.exe | cmdline: oiuoqjzqrgbdiyidunke.exe . | PID:4432
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oiuoqjzqrgbdiyidunke.exe*." | PID:4780

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | PID:5776
    [2] C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | PID:5600

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | PID:808
    [2] C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | PID:1504

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe . | PID:5688
    [2] C:\Windows\hyhyxnaomyqpreldr.exe | cmdline: hyhyxnaomyqpreldr.exe . | PID:4668
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\hyhyxnaomyqpreldr.exe*." | PID:3376

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe . | PID:4656
    [2] C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe . | PID:1180
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\hyhyxnaomyqpreldr.exe*." | PID:5728

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | PID:1208
    [2] C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | PID:4716

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe . | PID:3044
    [2] C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe . | PID:688
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\hyhyxnaomyqpreldr.exe*." | PID:3268

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe . | PID:5496
    [2] C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe . | PID:2392
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dylgjdumoeadjalhztrmz.exe*." | PID:4292
[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | PID:5896
    [2] C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | PID:868

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe . | PID:3068
    [2] C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe . | PID:3944
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\aqyombnaxizxykqh.exe*." | PID:5876

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | PID:1976
    [2] C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | PID:388

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe . | PID:2108
    [2] C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe . | PID:5648
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bufyzrgwwkefjyhbrjf.exe*." | PID:5868

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe | PID:5276
    [2] C:\Windows\bufyzrgwwkefjyhbrjf.exe | cmdline: bufyzrgwwkefjyhbrjf.exe | PID:5992

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe . | PID:4140
    [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:6068
    [2] C:\Windows\aqyombnaxizxykqh.exe | cmdline: aqyombnaxizxykqh.exe . | PID:2424
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\aqyombnaxizxykqh.exe*." | PID:2316

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe | PID:4784
    [2] C:\Windows\qiskkbpedqjjmaibqh.exe | cmdline: qiskkbpedqjjmaibqh.exe | PID:4904

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe . | PID:5780
    [2] C:\Windows\oiuoqjzqrgbdiyidunke.exe | cmdline: oiuoqjzqrgbdiyidunke.exe . | PID:5456
        - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oiuoqjzqrgbdiyidunke.exe*." | PID:2212

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | PID:2944
    [2] C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | PID:3768

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe . | PID:4352
    [2] C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe . | PID:3248
        - Checks computer location settings
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oiuoqjzqrgbdiyidunke.exe*." | PID:2980

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | PID:3056
    [2] C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | PID:3744

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe . | PID:5392
    [2] C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe . | PID:2428
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\qiskkbpedqjjmaibqh.exe*." | PID:512
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification
[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe | PID:1308
    [2] C:\Windows\oiuoqjzqrgbdiyidunke.exe | cmdline: oiuoqjzqrgbdiyidunke.exe | PID:3236

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe . | PID:3772
    [2] C:\Windows\qiskkbpedqjjmaibqh.exe | cmdline: qiskkbpedqjjmaibqh.exe . | PID:2836
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\qiskkbpedqjjmaibqh.exe*." | PID:4940

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe | PID:5592
    [2] C:\Windows\aqyombnaxizxykqh.exe | cmdline: aqyombnaxizxykqh.exe | PID:5760

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe . | PID:4752
    [2] C:\Windows\aqyombnaxizxykqh.exe | cmdline: aqyombnaxizxykqh.exe . | PID:4056
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\aqyombnaxizxykqh.exe*." | PID:2872

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe | PID:1236
    [2] C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe | PID:5800

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe . | PID:5492
    [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5600
    [2] C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe . | PID:5016
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bufyzrgwwkefjyhbrjf.exe*." | PID:5216

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | PID:5268
    [2] C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | PID:2020

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe . | PID:936
    [2] C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe . | PID:4432
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oiuoqjzqrgbdiyidunke.exe*." | PID:748

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe | PID:2228
    [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1176
    [2] C:\Windows\oiuoqjzqrgbdiyidunke.exe | cmdline: oiuoqjzqrgbdiyidunke.exe | PID:5944

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe . | PID:4528
    [2] C:\Windows\bufyzrgwwkefjyhbrjf.exe | cmdline: bufyzrgwwkefjyhbrjf.exe . | PID:5320
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bufyzrgwwkefjyhbrjf.exe*." | PID:4116

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe | PID:640
    [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3272
    [2] C:\Windows\aqyombnaxizxykqh.exe | cmdline: aqyombnaxizxykqh.exe | PID:4292

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe . | PID:2908
    [2] C:\Windows\oiuoqjzqrgbdiyidunke.exe | cmdline: oiuoqjzqrgbdiyidunke.exe . | PID:4832
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oiuoqjzqrgbdiyidunke.exe*." | PID:5096
[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | PID:440
    [2] C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | PID:3440

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe . | PID:3596
    [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1304
    [2] C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe . | PID:4136
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\qiskkbpedqjjmaibqh.exe*." | PID:3712

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe | PID:1396
    [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4120
    [2] C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe | PID:2240

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe . | PID:1960
    [2] C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe . | PID:5648
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dylgjdumoeadjalhztrmz.exe*." | PID:5136

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe | PID:5084
    [2] C:\Windows\hyhyxnaomyqpreldr.exe | cmdline: hyhyxnaomyqpreldr.exe | PID:2708

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe . | PID:556
    [2] C:\Windows\aqyombnaxizxykqh.exe | cmdline: aqyombnaxizxykqh.exe . | PID:548
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\aqyombnaxizxykqh.exe*." | PID:980

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe | PID:1520
    [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2316
    [2] C:\Windows\oiuoqjzqrgbdiyidunke.exe | cmdline: oiuoqjzqrgbdiyidunke.exe | PID:1400

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe . | PID:4140
    [2] C:\Windows\oiuoqjzqrgbdiyidunke.exe | cmdline: oiuoqjzqrgbdiyidunke.exe . | PID:3768
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oiuoqjzqrgbdiyidunke.exe*." | PID:4560

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | PID:4048
    [2] C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | PID:2212

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe . | PID:1232
    [2] C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe . | PID:5556
        [3] C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\aqyombnaxizxykqh.exe*." | PID:1744
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe1⤵PID:5460
-
C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exeC:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe2⤵PID:4068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .1⤵PID:4552
-
C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .2⤵PID:5292
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\qiskkbpedqjjmaibqh.exe*."3⤵PID:6048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe1⤵PID:1664
-
C:\Windows\qiskkbpedqjjmaibqh.exeqiskkbpedqjjmaibqh.exe2⤵PID:2236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe .1⤵PID:4764
-
C:\Windows\hyhyxnaomyqpreldr.exehyhyxnaomyqpreldr.exe .2⤵PID:1168
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\hyhyxnaomyqpreldr.exe*."3⤵PID:1296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe1⤵PID:5364
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3872
-
-
C:\Windows\bufyzrgwwkefjyhbrjf.exebufyzrgwwkefjyhbrjf.exe2⤵PID:1184
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe .1⤵PID:2380
-
C:\Windows\qiskkbpedqjjmaibqh.exeqiskkbpedqjjmaibqh.exe .2⤵PID:5800
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\qiskkbpedqjjmaibqh.exe*."3⤵PID:4312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe1⤵PID:576
-
C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exeC:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe2⤵PID:4056
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .1⤵PID:3984
-
C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exeC:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .2⤵PID:4984
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\aqyombnaxizxykqh.exe*."3⤵PID:1188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe1⤵PID:4676
-
C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe2⤵PID:5216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .1⤵PID:3636
-
C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .2⤵PID:6044
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\qiskkbpedqjjmaibqh.exe*."3⤵PID:512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe1⤵PID:5620
-
C:\Windows\dylgjdumoeadjalhztrmz.exedylgjdumoeadjalhztrmz.exe2⤵PID:4704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe .1⤵PID:5400
-
C:\Windows\dylgjdumoeadjalhztrmz.exedylgjdumoeadjalhztrmz.exe .2⤵PID:1776
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dylgjdumoeadjalhztrmz.exe*."3⤵PID:2580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe1⤵PID:2292
-
C:\Windows\hyhyxnaomyqpreldr.exehyhyxnaomyqpreldr.exe2⤵PID:2364
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe .1⤵PID:3224
-
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe .2⤵PID:5732
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\aqyombnaxizxykqh.exe*."3⤵PID:5540
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe1⤵PID:668
-
C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exeC:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe2⤵PID:5992
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .1⤵PID:6140
-
C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .2⤵PID:1036
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\qiskkbpedqjjmaibqh.exe*."3⤵PID:1140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe1⤵PID:4832
-
C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exeC:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe2⤵PID:1460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe .1⤵PID:3376
-
C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exeC:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe .2⤵PID:632
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dylgjdumoeadjalhztrmz.exe*."3⤵PID:4144
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe1⤵PID:5844
-
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe2⤵PID:468
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe1⤵PID:5648
-
C:\Windows\dylgjdumoeadjalhztrmz.exedylgjdumoeadjalhztrmz.exe2⤵PID:228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe1⤵PID:2032
-
C:\Windows\bufyzrgwwkefjyhbrjf.exebufyzrgwwkefjyhbrjf.exe2⤵PID:5440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe .1⤵PID:2456
-
C:\Windows\qiskkbpedqjjmaibqh.exeqiskkbpedqjjmaibqh.exe .2⤵PID:5616
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\qiskkbpedqjjmaibqh.exe*."3⤵PID:4560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe .1⤵PID:3732
-
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe .2⤵PID:3060
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\aqyombnaxizxykqh.exe*."3⤵PID:4696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe .1⤵PID:3684
-
C:\Windows\dylgjdumoeadjalhztrmz.exedylgjdumoeadjalhztrmz.exe .2⤵PID:2132
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dylgjdumoeadjalhztrmz.exe*."3⤵PID:3484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe1⤵PID:1164
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4948
-
-
C:\Windows\hyhyxnaomyqpreldr.exehyhyxnaomyqpreldr.exe2⤵PID:1900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe1⤵PID:2608
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4576
-
-
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe2⤵PID:2500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe .1⤵PID:5032
-
C:\Windows\hyhyxnaomyqpreldr.exehyhyxnaomyqpreldr.exe .2⤵PID:2380
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\hyhyxnaomyqpreldr.exe*."3⤵PID:5404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe1⤵PID:5780
-
C:\Windows\dylgjdumoeadjalhztrmz.exedylgjdumoeadjalhztrmz.exe2⤵PID:4964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe .1⤵PID:232
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1448
-
-
C:\Windows\hyhyxnaomyqpreldr.exehyhyxnaomyqpreldr.exe .2⤵PID:4508
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\hyhyxnaomyqpreldr.exe*."3⤵PID:6060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe .1⤵PID:372
-
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe .2⤵PID:4796
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\aqyombnaxizxykqh.exe*."3⤵PID:5612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe1⤵PID:4876
-
C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exeC:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe2⤵PID:4836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe1⤵PID:5324
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3744
-
-
C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe2⤵PID:5492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe1⤵PID:2304
-
C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exeC:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe2⤵PID:3168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe .1⤵PID:4924
-
C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe .2⤵PID:5140
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\hyhyxnaomyqpreldr.exe*."3⤵PID:6128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .1⤵PID:5392
-
C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exeC:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .2⤵PID:2732
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\aqyombnaxizxykqh.exe*."3⤵PID:3464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe .1⤵PID:5628
-
C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe .2⤵PID:4928
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\hyhyxnaomyqpreldr.exe*."3⤵PID:5720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe1⤵PID:4768
-
C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exeC:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe2⤵PID:1776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe1⤵PID:4812
-
C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exeC:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe2⤵PID:1976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe1⤵PID:4312
-
C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exeC:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe2⤵PID:5564
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .1⤵PID:5828
-
C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .2⤵PID:3876
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\qiskkbpedqjjmaibqh.exe*."3⤵PID:688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .1⤵PID:2104
-
C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exeC:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .2⤵PID:1884
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\aqyombnaxizxykqh.exe*."3⤵PID:3224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe .1⤵PID:752
-
C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe .2⤵PID:3904
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\hyhyxnaomyqpreldr.exe*."3⤵PID:3220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe1⤵PID:3088
-
C:\Windows\bufyzrgwwkefjyhbrjf.exebufyzrgwwkefjyhbrjf.exe2⤵PID:4236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe .1⤵PID:2624
-
C:\Windows\qiskkbpedqjjmaibqh.exeqiskkbpedqjjmaibqh.exe .2⤵PID:5104
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\qiskkbpedqjjmaibqh.exe*."3⤵PID:4968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe1⤵PID:3044
-
C:\Windows\oiuoqjzqrgbdiyidunke.exeoiuoqjzqrgbdiyidunke.exe2⤵PID:4852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe .1⤵PID:2248
-
C:\Windows\hyhyxnaomyqpreldr.exehyhyxnaomyqpreldr.exe .2⤵PID:3228
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\hyhyxnaomyqpreldr.exe*."3⤵PID:1028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe1⤵PID:3944
-
C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exeC:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe2⤵PID:748
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe .1⤵PID:2108
-
C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe .2⤵PID:5124
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\hyhyxnaomyqpreldr.exe*."3⤵PID:5184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe1⤵PID:2964
-
C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe2⤵PID:4684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .1⤵PID:5808
-
C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .2⤵PID:2804
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\qiskkbpedqjjmaibqh.exe*."3⤵PID:2492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe1⤵PID:2448
-
C:\Windows\oiuoqjzqrgbdiyidunke.exeoiuoqjzqrgbdiyidunke.exe2⤵PID:2076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe .1⤵PID:2456
-
C:\Windows\hyhyxnaomyqpreldr.exehyhyxnaomyqpreldr.exe .2⤵PID:5024
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\hyhyxnaomyqpreldr.exe*."3⤵PID:736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe1⤵PID:3408
-
C:\Windows\bufyzrgwwkefjyhbrjf.exebufyzrgwwkefjyhbrjf.exe2⤵PID:3684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe .1⤵PID:548
-
C:\Windows\bufyzrgwwkefjyhbrjf.exebufyzrgwwkefjyhbrjf.exe .2⤵PID:2656
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bufyzrgwwkefjyhbrjf.exe*."3⤵PID:4756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe1⤵PID:3164
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4204
-
-
C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe2⤵PID:5456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe .1⤵PID:808
-
C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exeC:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe .2⤵PID:5852
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dylgjdumoeadjalhztrmz.exe*."3⤵PID:5212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe1⤵PID:6060
-
C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe2⤵PID:2436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe .1⤵PID:5268
-
C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exeC:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe .2⤵PID:6032
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dylgjdumoeadjalhztrmz.exe*."3⤵PID:2068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe1⤵PID:1528
-
C:\Windows\hyhyxnaomyqpreldr.exehyhyxnaomyqpreldr.exe2⤵PID:4352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe .1⤵PID:2320
-
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe .2⤵PID:948
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\aqyombnaxizxykqh.exe*."3⤵PID:2220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe1⤵PID:4716
-
C:\Windows\dylgjdumoeadjalhztrmz.exedylgjdumoeadjalhztrmz.exe2⤵PID:2892
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe .1⤵PID:1768
-
C:\Windows\dylgjdumoeadjalhztrmz.exedylgjdumoeadjalhztrmz.exe .2⤵PID:4276
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dylgjdumoeadjalhztrmz.exe*."3⤵PID:4768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe1⤵PID:4668
-
C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe2⤵PID:2820
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe .1⤵PID:1752
-
C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exeC:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe .2⤵PID:5204
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dylgjdumoeadjalhztrmz.exe*."3⤵PID:1980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe1⤵PID:3904
-
C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exeC:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe2⤵PID:4632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe .1⤵PID:2428
-
C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exeC:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe .2⤵PID:2752
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dylgjdumoeadjalhztrmz.exe*."3⤵PID:5728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe1⤵PID:5776
-
C:\Windows\bufyzrgwwkefjyhbrjf.exebufyzrgwwkefjyhbrjf.exe2⤵PID:1056
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe .1⤵PID:1772
-
C:\Windows\dylgjdumoeadjalhztrmz.exedylgjdumoeadjalhztrmz.exe .2⤵PID:6028
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dylgjdumoeadjalhztrmz.exe*."3⤵PID:632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe1⤵PID:1460
-
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe2⤵PID:5576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe .1⤵PID:844
-
C:\Windows\oiuoqjzqrgbdiyidunke.exeoiuoqjzqrgbdiyidunke.exe .2⤵PID:5296
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oiuoqjzqrgbdiyidunke.exe*."3⤵PID:1028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe1⤵PID:5496
-
C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exeC:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe2⤵PID:3940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .1⤵PID:1652
-
C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exeC:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .2⤵PID:3596
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\aqyombnaxizxykqh.exe*."3⤵PID:1032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe1⤵PID:5124
-
C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe2⤵PID:5284
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .1⤵PID:456
-
C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe .2⤵PID:1516
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\qiskkbpedqjjmaibqh.exe*."3⤵PID:5612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe1⤵PID:1500
-
C:\Windows\aqyombnaxizxykqh.exeaqyombnaxizxykqh.exe2⤵PID:5360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe .1⤵PID:5736
-
C:\Windows\dylgjdumoeadjalhztrmz.exedylgjdumoeadjalhztrmz.exe .2⤵PID:884
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dylgjdumoeadjalhztrmz.exe*."3⤵PID:5024
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe1⤵PID:5792
-
C:\Windows\oiuoqjzqrgbdiyidunke.exeoiuoqjzqrgbdiyidunke.exe2⤵PID:5192
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe .1⤵PID:5144
-
C:\Windows\dylgjdumoeadjalhztrmz.exedylgjdumoeadjalhztrmz.exe .2⤵PID:2600
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dylgjdumoeadjalhztrmz.exe*."3⤵PID:388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe1⤵PID:3816
-
C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exeC:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe2⤵PID:3468
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .1⤵PID:3364
-
C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exeC:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .2⤵PID:1212
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\aqyombnaxizxykqh.exe*."3⤵PID:3504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe1⤵PID:3552
-
C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exeC:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe2⤵PID:3884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe .1⤵PID:5420
-
C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exeC:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe .2⤵PID:3064
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bufyzrgwwkefjyhbrjf.exe*."3⤵PID:2436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe1⤵PID:2492
-
C:\Windows\bufyzrgwwkefjyhbrjf.exebufyzrgwwkefjyhbrjf.exe2⤵PID:5164
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe .1⤵PID:5316
-
C:\Windows\dylgjdumoeadjalhztrmz.exedylgjdumoeadjalhztrmz.exe .2⤵PID:964
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dylgjdumoeadjalhztrmz.exe*."3⤵PID:516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe1⤵PID:3952
-
C:\Windows\qiskkbpedqjjmaibqh.exeqiskkbpedqjjmaibqh.exe2⤵PID:4548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe .1⤵PID:232
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5588
-
-
C:\Windows\hyhyxnaomyqpreldr.exehyhyxnaomyqpreldr.exe .2⤵PID:5140
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\hyhyxnaomyqpreldr.exe*."3⤵PID:1236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe1⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe2⤵PID:4432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .1⤵PID:4820
-
C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exeC:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .2⤵PID:3540
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\aqyombnaxizxykqh.exe*."3⤵PID:5036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe1⤵PID:4616
-
C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exeC:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe2⤵PID:4032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe1⤵PID:1308
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1872
-
-
C:\Windows\dylgjdumoeadjalhztrmz.exedylgjdumoeadjalhztrmz.exe2⤵PID:3508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .1⤵PID:5748
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5500
-
-
C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exeC:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe .2⤵PID:1180
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\aqyombnaxizxykqh.exe*."3⤵PID:2428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe1⤵PID:4856
-
C:\Windows\qiskkbpedqjjmaibqh.exeqiskkbpedqjjmaibqh.exe2⤵PID:4292
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe .1⤵PID:4924
-
C:\Windows\qiskkbpedqjjmaibqh.exeqiskkbpedqjjmaibqh.exe .2⤵PID:5412
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\qiskkbpedqjjmaibqh.exe*."3⤵PID:6028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe .1⤵PID:5636
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2020
-
-
C:\Windows\hyhyxnaomyqpreldr.exehyhyxnaomyqpreldr.exe .2⤵PID:4824
-
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\hyhyxnaomyqpreldr.exe*." | PID 2988

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe | PID 5436
    C:\Windows\oiuoqjzqrgbdiyidunke.exe | oiuoqjzqrgbdiyidunke.exe | PID 1976

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe | PID 2196
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4940
    C:\Windows\dylgjdumoeadjalhztrmz.exe | dylgjdumoeadjalhztrmz.exe | PID 5688

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe . | PID 4388
    C:\Windows\oiuoqjzqrgbdiyidunke.exe | oiuoqjzqrgbdiyidunke.exe . | PID 5116
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oiuoqjzqrgbdiyidunke.exe*." | PID 5584

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe . | PID 5148
    C:\Windows\aqyombnaxizxykqh.exe | aqyombnaxizxykqh.exe . | PID 1652
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\aqyombnaxizxykqh.exe*." | PID 5328

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe | PID 3288
    C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe | C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe | PID 4804

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | PID 6080
    C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | PID 4424

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe . | PID 3156
    C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe . | PID 5756
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dylgjdumoeadjalhztrmz.exe*." | PID 5424

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe . | PID 4648
    C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe . | PID 5644
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\hyhyxnaomyqpreldr.exe*." | PID 4816

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe | PID 768
    C:\Windows\aqyombnaxizxykqh.exe | aqyombnaxizxykqh.exe | PID 3060

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | PID 5084
    C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | PID 4784

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe | PID 4664
    C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe | C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe | PID 1520

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe . | PID 2628
    C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe | C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe . | PID 1664
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oiuoqjzqrgbdiyidunke.exe*." | PID 3504

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe . | PID 2016
    C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe | C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe . | PID 2872
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oiuoqjzqrgbdiyidunke.exe*." | PID 1372

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe . | PID 3948
    C:\Windows\qiskkbpedqjjmaibqh.exe | qiskkbpedqjjmaibqh.exe . | PID 3548
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\qiskkbpedqjjmaibqh.exe*." | PID 3572

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe | PID 3452
    C:\Windows\bufyzrgwwkefjyhbrjf.exe | bufyzrgwwkefjyhbrjf.exe | PID 5572

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe . | PID 872
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4976
    C:\Windows\dylgjdumoeadjalhztrmz.exe | dylgjdumoeadjalhztrmz.exe . | PID 3140
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dylgjdumoeadjalhztrmz.exe*." | PID 3868

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | PID 576
    C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | PID 4544

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe . | PID 2656
    C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe | C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe . | PID 4828
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oiuoqjzqrgbdiyidunke.exe*." | PID 552

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | PID 1800
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3432
    C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | PID 372

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe . | PID 5812
    C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe . | PID 1040
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\aqyombnaxizxykqh.exe*." | PID 4352

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe | PID 3328
    C:\Windows\aqyombnaxizxykqh.exe | aqyombnaxizxykqh.exe | PID 4912

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe . | PID 4716
    C:\Windows\dylgjdumoeadjalhztrmz.exe | dylgjdumoeadjalhztrmz.exe . | PID 1708
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dylgjdumoeadjalhztrmz.exe*." | PID 5280

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe | PID 3540
    C:\Windows\oiuoqjzqrgbdiyidunke.exe | oiuoqjzqrgbdiyidunke.exe | PID 4276

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe . | PID 2560
    C:\Windows\qiskkbpedqjjmaibqh.exe | qiskkbpedqjjmaibqh.exe . | PID 232
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\qiskkbpedqjjmaibqh.exe*." | PID 6056

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | PID 4128
    C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | PID 752

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe . | PID 5292
    C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe . | PID 4556
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\hyhyxnaomyqpreldr.exe*." | PID 1492

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe | PID 3272
    C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe | C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe | PID 5484

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe . | PID 5620
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1768
    C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe . | PID 1688
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bufyzrgwwkefjyhbrjf.exe*." | PID 4968

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe | PID 4920
    C:\Windows\qiskkbpedqjjmaibqh.exe | qiskkbpedqjjmaibqh.exe | PID 4488

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe . | PID 2108
    C:\Windows\hyhyxnaomyqpreldr.exe | hyhyxnaomyqpreldr.exe . | PID 2360
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\hyhyxnaomyqpreldr.exe*." | PID 3712

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe | PID 6044
    C:\Windows\dylgjdumoeadjalhztrmz.exe | dylgjdumoeadjalhztrmz.exe | PID 4852

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe . | PID 3968
    C:\Windows\hyhyxnaomyqpreldr.exe | hyhyxnaomyqpreldr.exe . | PID 5360
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\hyhyxnaomyqpreldr.exe*." | PID 1400

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | PID 5808
    C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | PID 5616

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe . | PID 3600
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5756
    C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe . | PID 5456
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\aqyombnaxizxykqh.exe*." | PID 4620

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | PID 3960
    C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | PID 3176

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe . | PID 2392
    C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe . | PID 2192
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dylgjdumoeadjalhztrmz.exe*." | PID 5604

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe | PID 3536
    C:\Windows\hyhyxnaomyqpreldr.exe | hyhyxnaomyqpreldr.exe | PID 3408

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe . | PID 4508
    C:\Windows\qiskkbpedqjjmaibqh.exe | qiskkbpedqjjmaibqh.exe . | PID 4756
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\qiskkbpedqjjmaibqh.exe*." | PID 5452

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe | PID 1616
    C:\Windows\oiuoqjzqrgbdiyidunke.exe | oiuoqjzqrgbdiyidunke.exe | PID 1456

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe . | PID 1788
    C:\Windows\aqyombnaxizxykqh.exe | aqyombnaxizxykqh.exe . | PID 5804
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\aqyombnaxizxykqh.exe*." | PID 6016

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | PID 5852
    C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | PID 2944

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe . | PID 5796
    C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe . | PID 388
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dylgjdumoeadjalhztrmz.exe*." | PID 4836

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | PID 4028
    C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | PID 2780

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe . | PID 4828
    C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe . | PID 704
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\aqyombnaxizxykqh.exe*." | PID 5584

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe | PID 4340
    C:\Windows\qiskkbpedqjjmaibqh.exe | qiskkbpedqjjmaibqh.exe | PID 1296

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe . | PID 5608
    C:\Windows\hyhyxnaomyqpreldr.exe | hyhyxnaomyqpreldr.exe . | PID 688
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\hyhyxnaomyqpreldr.exe*." | PID 5400

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe | PID 3788
    C:\Windows\bufyzrgwwkefjyhbrjf.exe | bufyzrgwwkefjyhbrjf.exe | PID 4452

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe . | PID 4712
    C:\Windows\dylgjdumoeadjalhztrmz.exe | dylgjdumoeadjalhztrmz.exe . | PID 5980
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dylgjdumoeadjalhztrmz.exe*." | PID 4068

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | PID 4688
    C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | PID 4668

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe . | PID 5036
    C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe . | PID 1236
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bufyzrgwwkefjyhbrjf.exe*." | PID 2476

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | PID 3236
    C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | PID 3220

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe . | PID 1580
    C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe . | PID 5352
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bufyzrgwwkefjyhbrjf.exe*." | PID 3872

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe | PID 4116
    C:\Windows\bufyzrgwwkefjyhbrjf.exe | bufyzrgwwkefjyhbrjf.exe | PID 2172

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe . | PID 216
    C:\Windows\oiuoqjzqrgbdiyidunke.exe | oiuoqjzqrgbdiyidunke.exe . | PID 2052
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oiuoqjzqrgbdiyidunke.exe*." | PID 5876

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe | PID 5296
    C:\Windows\hyhyxnaomyqpreldr.exe | hyhyxnaomyqpreldr.exe | PID 4824

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe . | PID 2104
    C:\Windows\oiuoqjzqrgbdiyidunke.exe | oiuoqjzqrgbdiyidunke.exe . | PID 3904
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oiuoqjzqrgbdiyidunke.exe*." | PID 4440

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | PID 3108
    C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | PID 5016

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe . | PID 5308
    C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe . | PID 5636
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dylgjdumoeadjalhztrmz.exe*." | PID 4196

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | PID 2236
    C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | PID 1232

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe . | PID 5808
    C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe . | PID 1400
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bufyzrgwwkefjyhbrjf.exe*." | PID 3288

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe | PID 6068
    C:\Windows\oiuoqjzqrgbdiyidunke.exe | oiuoqjzqrgbdiyidunke.exe | PID 3636

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe | PID 224
    C:\Windows\oiuoqjzqrgbdiyidunke.exe | oiuoqjzqrgbdiyidunke.exe | PID 1092

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe | PID 5388
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5228
    C:\Windows\bufyzrgwwkefjyhbrjf.exe | bufyzrgwwkefjyhbrjf.exe | PID 2392

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bufyzrgwwkefjyhbrjf.exe . | PID 5696
    C:\Windows\bufyzrgwwkefjyhbrjf.exe | bufyzrgwwkefjyhbrjf.exe . | PID 2448
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bufyzrgwwkefjyhbrjf.exe*." | PID 4984

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe . | PID 4684
    C:\Windows\aqyombnaxizxykqh.exe | aqyombnaxizxykqh.exe . | PID 2980
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\aqyombnaxizxykqh.exe*." | PID 5372

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe . | PID 6132
    C:\Windows\oiuoqjzqrgbdiyidunke.exe | oiuoqjzqrgbdiyidunke.exe . | PID 4204
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oiuoqjzqrgbdiyidunke.exe*." | PID 1632

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oiuoqjzqrgbdiyidunke.exe | PID 2456
    C:\Windows\oiuoqjzqrgbdiyidunke.exe | oiuoqjzqrgbdiyidunke.exe | PID 4796

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c qiskkbpedqjjmaibqh.exe . | PID 3504
    C:\Windows\qiskkbpedqjjmaibqh.exe | qiskkbpedqjjmaibqh.exe . | PID 3304

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe | PID 6104

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hyhyxnaomyqpreldr.exe | PID 756
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4952

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c dylgjdumoeadjalhztrmz.exe . | PID 872

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | PID 2424

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c aqyombnaxizxykqh.exe . | PID 3612

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe . | PID 804
    C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe | C:\Users\Admin\AppData\Local\Temp\dylgjdumoeadjalhztrmz.exe . | PID 5004

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe | PID 4836

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe | PID 3364

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe . | PID 5740
    C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe | C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe . | PID 5324

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hyhyxnaomyqpreldr.exe . | PID 704

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qiskkbpedqjjmaibqh.exe | PID 1776

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqyombnaxizxykqh.exe | PID 2428

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bufyzrgwwkefjyhbrjf.exe . | PID 1208

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oiuoqjzqrgbdiyidunke.exe | PID 760
Network
MITRE ATT&CK Enterprise v16

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads
Filesize 272B
MD5 11e8eb39e77b0079bdceccb7a1407ca3
SHA1 a7da3cb154c7ec8088a384fdcb9aa2ea2420b4a6
SHA256 5c6b2489d2f2b4538f996e6962a81931518954a1cae5388e60cf518dbb7f8b05
SHA512 1e3271a17471fd21cf83098a642d2c760068fc478dc381ceb44aa890ea34c7b747fb7f356c063ca3fb77f9c2a9a8db6090ee6e99bfb86d609b3ba507875cb59e

Filesize 272B
MD5 39bced1aee8d8978520227ff1ee2d740
SHA1 6b1cfc6229553e8c3ea6747b2825f9be9e6162fe
SHA256 dbaea50fa28b70b12c4fdc99d2921bb0a5347923b9a9c0d35d0540b7c7f26aae
SHA512 75a84e4538243c8408ca29413e431ec31673dea06adf7a85b3b83ccbde3840d9c42c0c31754bb546fc57ffd4c66ddf125a6033c97a86def9527cc8b3450a040a

Filesize 272B
MD5 f2b65b4eee8a581818eda2a3849f01be
SHA1 d0a2f1423bf25399a043b7d7b5cb5467c2403362
SHA256 6a6de083fddd2d91fb075a8c2947e7236a8a2557328e192ba4cdb6bfde2a5b41
SHA512 1057c152bb4980839d9e046799bea68b5960abc530014e8641352875c4d39896c72a19d34c5bd875f16494d1869369180c8732f75b59e1694fb41f52263c74bd

Filesize 272B
MD5 17c7b81c7ba29a1f93fca034922ed9b8
SHA1 409dd21a6e2334f80fe6bc83a47e85a037b12cdf
SHA256 00d3cd78d564915803be29c3e08e586a335cfc2c8ae3cc2dd629f472630d8e4f
SHA512 3a78e634932f5eac062761be38c2fa06a370c5345ca9f16c109736c6414e9cc69aed6a05ff003f52e385a8b02b72f92665b5cf4efca85a2bf0c9b4cca3231fb6

Filesize 272B
MD5 df49f1da2bada328146f9225dab82074
SHA1 93df410db19ab18a691314c4aab95d70e6623916
SHA256 f99aa2e8365f9dc46f002ce1ceba69d057b1ec6ef9209600cc5d00da62e45520
SHA512 f74a63ab5a440f75e1906d85f050a781261b0afa012d34cf58a980fc95f6b3464dbde799f1cb257264a93dc9bf2fb261a8491c4aa396b53441f93ee9d38bb2cb

Filesize 272B
MD5 7d5d2021fff9cf353badb349d7f8e502
SHA1 c3609a9394739280f54991ae2900c8361b9e478b
SHA256 f7e62a097168f08bd51c973fce3bc5c66402f6ebd3f86bfd99f99fd9b6a45239
SHA512 4280b5046b72fa1f677009cd049987b659f3298c0765ee2035acd5ebd438ee905b78256e387d6256f375c9bfcf3d44b609aaf8322abc206bd12ee11367fa259b

Filesize 712KB
MD5 4a541889f331b2078eb03821990b1d38
SHA1 96588260838d753994104e6138670b6258b6405a
SHA256 47e17328e55df1efb3c34f4df934d458a06362fc47041cbeecefda8f3e0c9090
SHA512 fc29aeca11181ca2de2863a553cddd2c047f42fd3abbad9fa494abcc0760b39d4103b587570bd410127bdffb24dc65608fe17bdd2f9a007c090c840a96b67b7a

Filesize 320KB
MD5 5203b6ea0901877fbf2d8d6f6d8d338e
SHA1 c803e92561921b38abe13239c1fd85605b570936
SHA256 0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060
SHA512 d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471

Filesize 3KB
MD5 e4fb9ff11c6400a5edfba514b2afebe4
SHA1 a87e2c23b2bbd66a12cf28b3c9da6754d799d583
SHA256 601f40a7b7f34ff48d0ee5cf7d31fc3d0effb7c6659add4ee38a431f6474a9a3
SHA512 418fe80e9c2ca893486a73aa2d763b689f2eb8fc4a30ac50b8072eeb4f208db9f014738026624f06c138234b7c66c0981d57f2e585eebc5f6fd35efd7a448a8b

Filesize 272B
MD5 744794f95d6feb65830579d217733318
SHA1 8fcac7ab6506e285a201d07cfe745833723252c4
SHA256 f748f0cb19429492c32ae483e0cfb47ea19fb46a0c44aed0d70fd86407c9e928
SHA512 73484322a3b8a915c6955645216b14b47bf6b4de38a1ca6cd8089a2b7816992fb309459f784c61c6ad060d8b408c1a17d0bb15f199ce8220c0b204dac5be7af9

Filesize 524KB
MD5 b1a720ff3f312809e834babbc8238648
SHA1 9143508ce53230b2437aaa3992f4c41586b3100d
SHA256 f71aac19d5e1e24a5b983a37d068604ef8d1ece82b27eefccd52c8dfd3ce5426
SHA512 a4f0ca15311c954fa431b413997816eae984387175b853f8f6ec8ee9c20c51960cdeaa87f6a9ebb93f6f2acc639ba0b5863067079724b0d1ca903e0c8f8037aa