Analysis
max time kernel: 29s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250410-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/04/2025, 07:48
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
Resource: win10v2004-20250410-en

General
Target: JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
Size: 500KB
MD5: b19410583c5cac21e5066dee43513859
SHA1: 5a1f933d7ce3a7d5b2001051e4dad32ac0bfeb35
SHA256: 226da79bd298b6c72453572e2f34a1b40e19db0c51e10197ac00daf0d499b770
SHA512: c98e8ebcdeeb687d95d20be83d4a7c344c900c6a56fc508d9f4f42789e8dcd35d2c2ea8a142bdfc9da07db382f069b2d41a2bbf6bcf0b7b9a1e24ee3c0bc814c
SSDEEP: 6144:TA8XXRUw9Oz5+iUU03pej1YpTYzOb0kLXhlJFTaLTGu0yvHcr+JB8aUHP:HnRy+ZyYpaCDJFuPyAHcqrUHP
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 15 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | xhkowhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | xhkowhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | qjfmnzhratp.exe
Pykspa family
UAC bypass (3 TTPs, 27 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xhkowhp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | xhkowhp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | xhkowhp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | xhkowhp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xhkowhp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | xhkowhp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | xhkowhp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | xhkowhp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Detect Pykspa worm (2 IoCs)
resource | yara_rule
behavioral1/files/0x0011000000023120-4.dat | family_pykspa
behavioral1/files/0x0009000000022273-84.dat | family_pykspa
Adds policy Run key to start application (2 TTPs, 52 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | xhkowhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dpuakxhlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxogcbxnieadjalhztnlc.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\odluhxkrdqdx = "wpbofzqbrizxykqh.exe" | xhkowhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\odluhxkrdqdx = "wpbofzqbrizxykqh.exe" | xhkowhp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dpuakxhlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpbofzqbrizxykqh.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\odluhxkrdqdx = "dxkyqldpgyqpreldr.exe" | xhkowhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dpuakxhlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpbofzqbrizxykqh.exe" | xhkowhp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\odluhxkrdqdx = "khxojhcrlgbdiyidungd.exe" | qjfmnzhratp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dpuakxhlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhvkdzsfxqjjmaibqh.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\odluhxkrdqdx = "zxogcbxnieadjalhztnlc.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hom = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsgdvtlepjefjyhbrjz.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\odluhxkrdqdx = "zxogcbxnieadjalhztnlc.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dpuakxhlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtiyspjxqkefjyhbrjb.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\odluhxkrdqdx = "mhvkdzsfxqjjmaibqh.exe" | qjfmnzhratp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\odluhxkrdqdx = "xtiyspjxqkefjyhbrjb.exe" | xhkowhp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | xhkowhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dpuakxhlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtiyspjxqkefjyhbrjb.exe" | xhkowhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dpuakxhlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxogcbxnieadjalhztnlc.exe" | xhkowhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dpuakxhlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khxojhcrlgbdiyidungd.exe" | qjfmnzhratp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | qjfmnzhratp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | qjfmnzhratp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dpuakxhlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpbofzqbrizxykqh.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\odluhxkrdqdx = "xtiyspjxqkefjyhbrjb.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dpuakxhlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpbofzqbrizxykqh.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dpuakxhlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhvkdzsfxqjjmaibqh.exe" | xhkowhp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\istdit = "xwmlffzuhdadjalhztlka.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hom = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bwidtpfwfxqpreldr.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\odluhxkrdqdx = "zxogcbxnieadjalhztnlc.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\odluhxkrdqdx = "dxkyqldpgyqpreldr.exe" | xhkowhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\istdit = "kgtpgdumwpjjmaibqh.exe" | qjfmnzhratp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dpuakxhlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpbofzqbrizxykqh.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dpuakxhlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxogcbxnieadjalhztnlc.exe" | xhkowhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dpuakxhlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxogcbxnieadjalhztnlc.exe" | qjfmnzhratp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | qjfmnzhratp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dpuakxhlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhvkdzsfxqjjmaibqh.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\odluhxkrdqdx = "zxogcbxnieadjalhztnlc.exe" | qjfmnzhratp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dpuakxhlu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtiyspjxqkefjyhbrjb.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\odluhxkrdqdx = "wpbofzqbrizxykqh.exe" | qjfmnzhratp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\odluhxkrdqdx = "khxojhcrlgbdiyidungd.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\odluhxkrdqdx = "xtiyspjxqkefjyhbrjb.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\odluhxkrdqdx = "xtiyspjxqkefjyhbrjb.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\odluhxkrdqdx = "xtiyspjxqkefjyhbrjb.exe" | qjfmnzhratp.exe
Disables RegEdit via registry modification (8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xhkowhp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xhkowhp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xhkowhp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xhkowhp.exe
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | mhvkdzsfxqjjmaibqh.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | khxojhcrlgbdiyidungd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | khxojhcrlgbdiyidungd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | xtiyspjxqkefjyhbrjb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | dxkyqldpgyqpreldr.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | mhvkdzsfxqjjmaibqh.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | xtiyspjxqkefjyhbrjb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | dxkyqldpgyqpreldr.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | xtiyspjxqkefjyhbrjb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | wpbofzqbrizxykqh.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | khxojhcrlgbdiyidungd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | xtiyspjxqkefjyhbrjb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | khxojhcrlgbdiyidungd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | xtiyspjxqkefjyhbrjb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | dxkyqldpgyqpreldr.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | zxogcbxnieadjalhztnlc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | dxkyqldpgyqpreldr.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | zxogcbxnieadjalhztnlc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | xtiyspjxqkefjyhbrjb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | khxojhcrlgbdiyidungd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | khxojhcrlgbdiyidungd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | dxkyqldpgyqpreldr.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | khxojhcrlgbdiyidungd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | wpbofzqbrizxykqh.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | dxkyqldpgyqpreldr.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | qjfmnzhratp.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | wpbofzqbrizxykqh.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | zxogcbxnieadjalhztnlc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | zxogcbxnieadjalhztnlc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | zxogcbxnieadjalhztnlc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | khxojhcrlgbdiyidungd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | wpbofzqbrizxykqh.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | zxogcbxnieadjalhztnlc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | dxkyqldpgyqpreldr.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | xtiyspjxqkefjyhbrjb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | xtiyspjxqkefjyhbrjb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | xtiyspjxqkefjyhbrjb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | dxkyqldpgyqpreldr.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | xtiyspjxqkefjyhbrjb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | dxkyqldpgyqpreldr.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | mhvkdzsfxqjjmaibqh.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | mhvkdzsfxqjjmaibqh.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | xtiyspjxqkefjyhbrjb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | khxojhcrlgbdiyidungd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | zxogcbxnieadjalhztnlc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | xtiyspjxqkefjyhbrjb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | wpbofzqbrizxykqh.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | dxkyqldpgyqpreldr.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | zxogcbxnieadjalhztnlc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | xtiyspjxqkefjyhbrjb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | wpbofzqbrizxykqh.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | zxogcbxnieadjalhztnlc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | zxogcbxnieadjalhztnlc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | zxogcbxnieadjalhztnlc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | xtiyspjxqkefjyhbrjb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | zxogcbxnieadjalhztnlc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | khxojhcrlgbdiyidungd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | qjfmnzhratp.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | zxogcbxnieadjalhztnlc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | xtiyspjxqkefjyhbrjb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | xtiyspjxqkefjyhbrjb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | zxogcbxnieadjalhztnlc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation | zxogcbxnieadjalhztnlc.exe
Executes dropped EXE (64 IoCs)
pid | Process
4520 | qjfmnzhratp.exe
220 | xtiyspjxqkefjyhbrjb.exe
5476 | xtiyspjxqkefjyhbrjb.exe
5392 | qjfmnzhratp.exe
5852 | dxkyqldpgyqpreldr.exe
2764 | khxojhcrlgbdiyidungd.exe
5180 | mhvkdzsfxqjjmaibqh.exe
3172 | qjfmnzhratp.exe
1568 | xtiyspjxqkefjyhbrjb.exe
1832 | qjfmnzhratp.exe
4992 | dxkyqldpgyqpreldr.exe
3712 | khxojhcrlgbdiyidungd.exe
1204 | qjfmnzhratp.exe
3704 | xhkowhp.exe
5740 | xhkowhp.exe
6072 | wpbofzqbrizxykqh.exe
2780 | xtiyspjxqkefjyhbrjb.exe
5728 | wpbofzqbrizxykqh.exe
5680 | zxogcbxnieadjalhztnlc.exe
1336 | qjfmnzhratp.exe
184 | zxogcbxnieadjalhztnlc.exe
3436 | qjfmnzhratp.exe
3316 | khxojhcrlgbdiyidungd.exe
4240 | dxkyqldpgyqpreldr.exe
4976 | xtiyspjxqkefjyhbrjb.exe
6000 | qjfmnzhratp.exe
2088 | mhvkdzsfxqjjmaibqh.exe
4148 | qjfmnzhratp.exe
4644 | wpbofzqbrizxykqh.exe
5080 | khxojhcrlgbdiyidungd.exe
2608 | zxogcbxnieadjalhztnlc.exe
5272 | xtiyspjxqkefjyhbrjb.exe
6116 | wpbofzqbrizxykqh.exe
4308 | dxkyqldpgyqpreldr.exe
684 | wpbofzqbrizxykqh.exe
5016 | qjfmnzhratp.exe
5232 | qjfmnzhratp.exe
2388 | xtiyspjxqkefjyhbrjb.exe
1584 | qjfmnzhratp.exe
1680 | qjfmnzhratp.exe
4024 | xtiyspjxqkefjyhbrjb.exe
4916 | qjfmnzhratp.exe
4724 | wpbofzqbrizxykqh.exe
4144 | xtiyspjxqkefjyhbrjb.exe
324 | zxogcbxnieadjalhztnlc.exe
4012 | qjfmnzhratp.exe
4848 | zxogcbxnieadjalhztnlc.exe
1484 | qjfmnzhratp.exe
3624 | wpbofzqbrizxykqh.exe
5860 | mhvkdzsfxqjjmaibqh.exe
552 | qjfmnzhratp.exe
5884 | khxojhcrlgbdiyidungd.exe
976 | zxogcbxnieadjalhztnlc.exe
756 | qjfmnzhratp.exe
2472 | zxogcbxnieadjalhztnlc.exe
1320 | khxojhcrlgbdiyidungd.exe
1624 | zxogcbxnieadjalhztnlc.exe
5636 | wpbofzqbrizxykqh.exe
4664 | zxogcbxnieadjalhztnlc.exe
5068 | qjfmnzhratp.exe
2948 | xtiyspjxqkefjyhbrjb.exe
4760 | dxkyqldpgyqpreldr.exe
1148 | zxogcbxnieadjalhztnlc.exe
4648 | qjfmnzhratp.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | xhkowhp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | xhkowhp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | xhkowhp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | xhkowhp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | xhkowhp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | xhkowhp.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uinbkzisuf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uoztidsiqhzxykqh.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rjugwpfpeukhhsx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxogcbxnieadjalhztnlc.exe ." | xhkowhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wpbofzqbrizxykqh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhvkdzsfxqjjmaibqh.exe" | xhkowhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wjpwhvglvg = "khxojhcrlgbdiyidungd.exe" | xhkowhp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ofpaphwftixtsc = "wpbofzqbrizxykqh.exe ." | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rjugwpfpeukhhsx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpbofzqbrizxykqh.exe ." | qjfmnzhratp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ndmwkbpxkymhf = "khxojhcrlgbdiyidungd.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ndmwkbpxkymhf = "dxkyqldpgyqpreldr.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfmugvhnykw = "zxogcbxnieadjalhztnlc.exe ." | xhkowhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rjugwpfpeukhhsx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khxojhcrlgbdiyidungd.exe ." | xhkowhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wpbofzqbrizxykqh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtiyspjxqkefjyhbrjb.exe" | xhkowhp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjpwhvglvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtiyspjxqkefjyhbrjb.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ofpaphwftixtsc = "khxojhcrlgbdiyidungd.exe ." | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rjugwpfpeukhhsx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxogcbxnieadjalhztnlc.exe ." | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xggpt = "vsgdvtlepjefjyhbrjz.exe ." | qjfmnzhratp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ofpaphwftixtsc = "zxogcbxnieadjalhztnlc.exe ." | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wpbofzqbrizxykqh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxkyqldpgyqpreldr.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfmugvhnykw = "xtiyspjxqkefjyhbrjb.exe ." | qjfmnzhratp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rfmugvhnykw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpbofzqbrizxykqh.exe ." | xhkowhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wpbofzqbrizxykqh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxogcbxnieadjalhztnlc.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wjpwhvglvg = "zxogcbxnieadjalhztnlc.exe" | xhkowhp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ndmwkbpxkymhf = "wpbofzqbrizxykqh.exe" | xhkowhp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ndmwkbpxkymhf = "mhvkdzsfxqjjmaibqh.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kwzlsfmu = "xwmlffzuhdadjalhztlka.exe ." | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfmugvhnykw = "zxogcbxnieadjalhztnlc.exe ." | qjfmnzhratp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rfmugvhnykw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxkyqldpgyqpreldr.exe ." | xhkowhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bosfnbjst = "C:\\Users\\Admin\\AppData\\Local\\Temp\\igvtmleykfbdiyidunec.exe ." | qjfmnzhratp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ndmwkbpxkymhf = "wpbofzqbrizxykqh.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfmugvhnykw = "wpbofzqbrizxykqh.exe ." | xhkowhp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ndmwkbpxkymhf = "dxkyqldpgyqpreldr.exe" | xhkowhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wjpwhvglvg = "xtiyspjxqkefjyhbrjb.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ofpaphwftixtsc = "khxojhcrlgbdiyidungd.exe ." | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfmugvhnykw = "zxogcbxnieadjalhztnlc.exe ." | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfmugvhnykw = "dxkyqldpgyqpreldr.exe ." | qjfmnzhratp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjpwhvglvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxkyqldpgyqpreldr.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rfmugvhnykw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khxojhcrlgbdiyidungd.exe ." | qjfmnzhratp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjpwhvglvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpbofzqbrizxykqh.exe" | xhkowhp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vgitzlr = "bwidtpfwfxqpreldr.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xggpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uoztidsiqhzxykqh.exe ." | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfmugvhnykw = "xtiyspjxqkefjyhbrjb.exe ." | qjfmnzhratp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjpwhvglvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxogcbxnieadjalhztnlc.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjpwhvglvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khxojhcrlgbdiyidungd.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjpwhvglvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtiyspjxqkefjyhbrjb.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rjugwpfpeukhhsx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xtiyspjxqkefjyhbrjb.exe ." | qjfmnzhratp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xggpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsgdvtlepjefjyhbrjz.exe ." | qjfmnzhratp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ofpaphwftixtsc = "dxkyqldpgyqpreldr.exe ." | qjfmnzhratp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wjpwhvglvg = "wpbofzqbrizxykqh.exe" | qjfmnzhratp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjpwhvglvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxkyqldpgyqpreldr.exe" | xhkowhp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ofpaphwftixtsc = "xtiyspjxqkefjyhbrjb.exe ." |
xhkowhp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjpwhvglvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpbofzqbrizxykqh.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wpbofzqbrizxykqh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxogcbxnieadjalhztnlc.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wpbofzqbrizxykqh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khxojhcrlgbdiyidungd.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\owvd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xwmlffzuhdadjalhztlka.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ofpaphwftixtsc = "xtiyspjxqkefjyhbrjb.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfmugvhnykw = "zxogcbxnieadjalhztnlc.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wjpwhvglvg = "mhvkdzsfxqjjmaibqh.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rjugwpfpeukhhsx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpbofzqbrizxykqh.exe ." 
qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjpwhvglvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxogcbxnieadjalhztnlc.exe" xhkowhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wjpwhvglvg = "khxojhcrlgbdiyidungd.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ofpaphwftixtsc = "xtiyspjxqkefjyhbrjb.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wpbofzqbrizxykqh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhvkdzsfxqjjmaibqh.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wjpwhvglvg = "khxojhcrlgbdiyidungd.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rfmugvhnykw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpbofzqbrizxykqh.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wpbofzqbrizxykqh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxkyqldpgyqpreldr.exe" xhkowhp.exe -
Checks whether UAC is enabled 1 TTPs 30 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA xhkowhp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xhkowhp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA xhkowhp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xhkowhp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 4 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" xhkowhp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" xhkowhp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" qjfmnzhratp.exe
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
32 whatismyip.everdot.org
33 whatismyipaddress.com
38 www.whatismyip.ca
44 www.whatismyip.ca
21 www.showmyipaddress.com
27 whatismyip.everdot.org
30 www.whatismyip.ca
Drops file in System32 directory 64 IoCs
description ioc Process
File created C:\Windows\SysWOW64\wpbofzqbrizxykqh.exe xhkowhp.exe
File opened for modification C:\Windows\SysWOW64\wpbofzqbrizxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\xtiyspjxqkefjyhbrjb.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\zxogcbxnieadjalhztnlc.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\mhvkdzsfxqjjmaibqh.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\wpbofzqbrizxykqh.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\mhvkdzsfxqjjmaibqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\khxojhcrlgbdiyidungd.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\qphaxxulhebfmeqngbwvng.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\zxogcbxnieadjalhztnlc.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\qphaxxulhebfmeqngbwvng.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\xtiyspjxqkefjyhbrjb.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\dxkyqldpgyqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\mhvkdzsfxqjjmaibqh.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\mhvkdzsfxqjjmaibqh.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\dxkyqldpgyqpreldr.exe xhkowhp.exe
File opened for modification C:\Windows\SysWOW64\qphaxxulhebfmeqngbwvng.exe xhkowhp.exe
File opened for modification C:\Windows\SysWOW64\zxogcbxnieadjalhztnlc.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\mhvkdzsfxqjjmaibqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\khxojhcrlgbdiyidungd.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\zxogcbxnieadjalhztnlc.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\xtiyspjxqkefjyhbrjb.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\khxojhcrlgbdiyidungd.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\mhvkdzsfxqjjmaibqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\xtiyspjxqkefjyhbrjb.exe xhkowhp.exe
File opened for modification C:\Windows\SysWOW64\khxojhcrlgbdiyidungd.exe xhkowhp.exe
File created C:\Windows\SysWOW64\xtiyspjxqkefjyhbrjb.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\qphaxxulhebfmeqngbwvng.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\dxkyqldpgyqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\zxogcbxnieadjalhztnlc.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\dxkyqldpgyqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\xtiyspjxqkefjyhbrjb.exe xhkowhp.exe
File created C:\Windows\SysWOW64\xtiyspjxqkefjyhbrjb.exe xhkowhp.exe
File opened for modification C:\Windows\SysWOW64\qphaxxulhebfmeqngbwvng.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\khxojhcrlgbdiyidungd.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\qphaxxulhebfmeqngbwvng.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\qphaxxulhebfmeqngbwvng.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\zxogcbxnieadjalhztnlc.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\zxogcbxnieadjalhztnlc.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\qphaxxulhebfmeqngbwvng.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\qphaxxulhebfmeqngbwvng.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\xtiyspjxqkefjyhbrjb.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\dxkyqldpgyqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\wpbofzqbrizxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\zxogcbxnieadjalhztnlc.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\wpbofzqbrizxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\mhvkdzsfxqjjmaibqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\qphaxxulhebfmeqngbwvng.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\xtiyspjxqkefjyhbrjb.exe xhkowhp.exe
File opened for modification C:\Windows\SysWOW64\jpooszdbeimxlkdhhjlrqqubf.gko xhkowhp.exe
File opened for modification C:\Windows\SysWOW64\mhvkdzsfxqjjmaibqh.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\wpbofzqbrizxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\khxojhcrlgbdiyidungd.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\khxojhcrlgbdiyidungd.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\mhvkdzsfxqjjmaibqh.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\xtiyspjxqkefjyhbrjb.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\khxojhcrlgbdiyidungd.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\qphaxxulhebfmeqngbwvng.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\mhvkdzsfxqjjmaibqh.exe xhkowhp.exe
File created C:\Windows\SysWOW64\zxogcbxnieadjalhztnlc.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\wpbofzqbrizxykqh.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\zxogcbxnieadjalhztnlc.exe xhkowhp.exe
File created C:\Windows\SysWOW64\wpbofzqbrizxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\wpbofzqbrizxykqh.exe qjfmnzhratp.exe
Drops file in Program Files directory 4 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\jpooszdbeimxlkdhhjlrqqubf.gko xhkowhp.exe
File created C:\Program Files (x86)\jpooszdbeimxlkdhhjlrqqubf.gko xhkowhp.exe
File opened for modification C:\Program Files (x86)\ofpaphwftixtscgvgtgxhshzoxlaplkuynyl.pzk xhkowhp.exe
File created C:\Program Files (x86)\ofpaphwftixtscgvgtgxhshzoxlaplkuynyl.pzk xhkowhp.exe
Drops file in Windows directory 64 IoCs
description ioc Process
File created C:\Windows\jpooszdbeimxlkdhhjlrqqubf.gko xhkowhp.exe
File opened for modification C:\Windows\qphaxxulhebfmeqngbwvng.exe qjfmnzhratp.exe
File opened for modification C:\Windows\dxkyqldpgyqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\wpbofzqbrizxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\dxkyqldpgyqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\khxojhcrlgbdiyidungd.exe qjfmnzhratp.exe
File opened for modification C:\Windows\qphaxxulhebfmeqngbwvng.exe qjfmnzhratp.exe
File opened for modification C:\Windows\wpbofzqbrizxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\zxogcbxnieadjalhztnlc.exe qjfmnzhratp.exe
File opened for modification C:\Windows\dxkyqldpgyqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\xtiyspjxqkefjyhbrjb.exe qjfmnzhratp.exe
File opened for modification C:\Windows\khxojhcrlgbdiyidungd.exe qjfmnzhratp.exe
File opened for modification C:\Windows\khxojhcrlgbdiyidungd.exe qjfmnzhratp.exe
File opened for modification C:\Windows\mhvkdzsfxqjjmaibqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\xtiyspjxqkefjyhbrjb.exe qjfmnzhratp.exe
File created C:\Windows\khxojhcrlgbdiyidungd.exe qjfmnzhratp.exe
File opened for modification C:\Windows\dxkyqldpgyqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\wpbofzqbrizxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\dxkyqldpgyqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\xtiyspjxqkefjyhbrjb.exe qjfmnzhratp.exe
File created C:\Windows\dxkyqldpgyqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\wpbofzqbrizxykqh.exe xhkowhp.exe
File opened for modification C:\Windows\dxkyqldpgyqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\qphaxxulhebfmeqngbwvng.exe qjfmnzhratp.exe
File opened for modification C:\Windows\zxogcbxnieadjalhztnlc.exe qjfmnzhratp.exe
File opened for modification C:\Windows\mhvkdzsfxqjjmaibqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\zxogcbxnieadjalhztnlc.exe qjfmnzhratp.exe
File opened for modification C:\Windows\xtiyspjxqkefjyhbrjb.exe qjfmnzhratp.exe
File opened for modification C:\Windows\xtiyspjxqkefjyhbrjb.exe qjfmnzhratp.exe
File opened for modification C:\Windows\dxkyqldpgyqpreldr.exe qjfmnzhratp.exe
File opened for modification C:\Windows\khxojhcrlgbdiyidungd.exe qjfmnzhratp.exe
File opened for modification C:\Windows\qphaxxulhebfmeqngbwvng.exe qjfmnzhratp.exe
File opened for modification C:\Windows\wpbofzqbrizxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\xtiyspjxqkefjyhbrjb.exe qjfmnzhratp.exe
File opened for modification C:\Windows\mhvkdzsfxqjjmaibqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\wpbofzqbrizxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\khxojhcrlgbdiyidungd.exe qjfmnzhratp.exe
File created C:\Windows\qphaxxulhebfmeqngbwvng.exe qjfmnzhratp.exe
File opened for modification C:\Windows\mhvkdzsfxqjjmaibqh.exe xhkowhp.exe
File opened for modification C:\Windows\ofpaphwftixtscgvgtgxhshzoxlaplkuynyl.pzk xhkowhp.exe
File opened for modification C:\Windows\khxojhcrlgbdiyidungd.exe xhkowhp.exe
File opened for modification C:\Windows\zxogcbxnieadjalhztnlc.exe xhkowhp.exe
File opened for modification C:\Windows\jpooszdbeimxlkdhhjlrqqubf.gko xhkowhp.exe
File opened for modification C:\Windows\qphaxxulhebfmeqngbwvng.exe qjfmnzhratp.exe
File created C:\Windows\khxojhcrlgbdiyidungd.exe qjfmnzhratp.exe
File opened for modification C:\Windows\mhvkdzsfxqjjmaibqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\wpbofzqbrizxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\wpbofzqbrizxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\mhvkdzsfxqjjmaibqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\mhvkdzsfxqjjmaibqh.exe xhkowhp.exe
File opened for modification C:\Windows\xtiyspjxqkefjyhbrjb.exe qjfmnzhratp.exe
File opened for modification C:\Windows\khxojhcrlgbdiyidungd.exe qjfmnzhratp.exe
File opened for modification C:\Windows\dxkyqldpgyqpreldr.exe qjfmnzhratp.exe
File created C:\Windows\xtiyspjxqkefjyhbrjb.exe qjfmnzhratp.exe
File opened for modification C:\Windows\khxojhcrlgbdiyidungd.exe qjfmnzhratp.exe
File opened for modification C:\Windows\zxogcbxnieadjalhztnlc.exe qjfmnzhratp.exe
File created C:\Windows\wpbofzqbrizxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\wpbofzqbrizxykqh.exe xhkowhp.exe
File opened for modification C:\Windows\wpbofzqbrizxykqh.exe qjfmnzhratp.exe
File opened for modification C:\Windows\xtiyspjxqkefjyhbrjb.exe qjfmnzhratp.exe
File opened for modification C:\Windows\qphaxxulhebfmeqngbwvng.exe qjfmnzhratp.exe
File opened for modification C:\Windows\zxogcbxnieadjalhztnlc.exe xhkowhp.exe
File opened for modification C:\Windows\xtiyspjxqkefjyhbrjb.exe xhkowhp.exe
File opened for modification C:\Windows\khxojhcrlgbdiyidungd.exe xhkowhp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xtiyspjxqkefjyhbrjb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language khxojhcrlgbdiyidungd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zxogcbxnieadjalhztnlc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xtiyspjxqkefjyhbrjb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xhkowhp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xtiyspjxqkefjyhbrjb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zxogcbxnieadjalhztnlc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language khxojhcrlgbdiyidungd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xtiyspjxqkefjyhbrjb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wpbofzqbrizxykqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wpbofzqbrizxykqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language khxojhcrlgbdiyidungd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language khxojhcrlgbdiyidungd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xtiyspjxqkefjyhbrjb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dxkyqldpgyqpreldr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zxogcbxnieadjalhztnlc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mhvkdzsfxqjjmaibqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zxogcbxnieadjalhztnlc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zxogcbxnieadjalhztnlc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dxkyqldpgyqpreldr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wpbofzqbrizxykqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wpbofzqbrizxykqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wpbofzqbrizxykqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vsgdvtlepjefjyhbrjz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dxkyqldpgyqpreldr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xtiyspjxqkefjyhbrjb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zxogcbxnieadjalhztnlc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zxogcbxnieadjalhztnlc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zxogcbxnieadjalhztnlc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xtiyspjxqkefjyhbrjb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mhvkdzsfxqjjmaibqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dxkyqldpgyqpreldr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kgtpgdumwpjjmaibqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xtiyspjxqkefjyhbrjb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xwmlffzuhdadjalhztlka.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wpbofzqbrizxykqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xtiyspjxqkefjyhbrjb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dxkyqldpgyqpreldr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language khxojhcrlgbdiyidungd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dxkyqldpgyqpreldr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xtiyspjxqkefjyhbrjb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xtiyspjxqkefjyhbrjb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xwmlffzuhdadjalhztlka.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igvtmleykfbdiyidunec.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zxogcbxnieadjalhztnlc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xhkowhp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mhvkdzsfxqjjmaibqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language khxojhcrlgbdiyidungd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qjfmnzhratp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language khxojhcrlgbdiyidungd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language khxojhcrlgbdiyidungd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xtiyspjxqkefjyhbrjb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qjfmnzhratp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language khxojhcrlgbdiyidungd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mhvkdzsfxqjjmaibqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language igvtmleykfbdiyidunec.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dxkyqldpgyqpreldr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dxkyqldpgyqpreldr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xtiyspjxqkefjyhbrjb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language khxojhcrlgbdiyidungd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language uoztidsiqhzxykqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mhvkdzsfxqjjmaibqh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zxogcbxnieadjalhztnlc.exe
Suspicious behavior: EnumeratesProcesses 60 IoCs
pid Process
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
5740 xhkowhp.exe
5740 xhkowhp.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
5740 xhkowhp.exe
5740 xhkowhp.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 5740 xhkowhp.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4412 wrote to memory of 4520 4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe 88
PID 4412 wrote to memory of 4520 4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe 88
PID 4412 wrote to memory of 4520 4412 JaffaCakes118_b19410583c5cac21e5066dee43513859.exe 88
PID 5236 wrote to memory of 220 5236 cmd.exe 91
PID 5236 wrote to memory of 220 5236 cmd.exe 91
PID 5236 wrote to memory of 220 5236 cmd.exe 91
PID 4792 wrote to memory of 5476 4792 cmd.exe 95
PID 4792 wrote to memory of 5476 4792 cmd.exe 95
PID 4792 wrote to memory of 5476 4792 cmd.exe 95
PID 5476 wrote to memory of 5392 5476 xtiyspjxqkefjyhbrjb.exe 96
PID 5476 wrote to memory of 5392 5476 xtiyspjxqkefjyhbrjb.exe 96
PID 5476 wrote to memory of 5392 5476 xtiyspjxqkefjyhbrjb.exe 96
PID 2428 wrote to memory of 5852 2428 cmd.exe 101
PID 2428 wrote to memory of 5852 2428 cmd.exe 101
PID 2428 wrote to memory of 5852 2428 cmd.exe 101
PID 5356 wrote to memory of 2764 5356 cmd.exe 104
PID 5356 wrote to memory of 2764 5356 cmd.exe 104
PID 5356 wrote to memory of 2764 5356 cmd.exe 104
PID 5284 wrote to memory of 5180 5284 cmd.exe 107
PID 5284 wrote to memory of 5180 5284 cmd.exe 107
PID 5284 wrote to memory of 5180 5284 cmd.exe 107
PID 2764 wrote to memory of 3172 2764 khxojhcrlgbdiyidungd.exe 108
PID 2764 wrote to memory of 3172 2764 khxojhcrlgbdiyidungd.exe 108
PID 2764 wrote to memory of 3172 2764 khxojhcrlgbdiyidungd.exe 108
PID 1692 wrote to memory of 1568 1692 cmd.exe 109
PID 1692 wrote to memory of 1568 1692 cmd.exe 109
PID 1692 wrote to memory of 1568 1692 cmd.exe 109
PID 1568 wrote to memory of 1832 1568 xtiyspjxqkefjyhbrjb.exe 112
PID 1568 wrote to memory of 1832 1568 xtiyspjxqkefjyhbrjb.exe 112
PID 1568 wrote to memory of 1832 1568 xtiyspjxqkefjyhbrjb.exe 112
PID 6024 wrote to memory of 4992 6024 cmd.exe 115
PID 6024 wrote to memory of 4992 6024 cmd.exe 115
PID 6024 wrote to memory of 4992 6024 cmd.exe 115
PID 1220 wrote to memory of 3712 1220 cmd.exe 116
PID 1220 wrote to memory of 3712 1220 cmd.exe 116
PID 1220 wrote to memory of 3712 1220 cmd.exe 116
PID 3712 wrote to memory of 1204 3712 khxojhcrlgbdiyidungd.exe 117
PID 3712 wrote to memory of 1204 3712 khxojhcrlgbdiyidungd.exe 117
PID 3712 wrote to memory of 1204 3712 khxojhcrlgbdiyidungd.exe 117
PID 4520 wrote to memory of 3704 4520 qjfmnzhratp.exe 118
PID 4520 wrote to memory of 3704 4520 qjfmnzhratp.exe 118
PID 4520 wrote to memory of 3704 4520 qjfmnzhratp.exe 118
PID 4520 wrote to memory of 5740 4520 qjfmnzhratp.exe 119
PID 4520 wrote to memory of 5740 4520 qjfmnzhratp.exe 119
PID 4520 wrote to memory of 5740 4520 qjfmnzhratp.exe 119
PID 6140 wrote to memory of 6072 6140 cmd.exe 124
PID 6140 wrote to memory of 6072 6140 cmd.exe 124
PID 6140 wrote to memory of 6072 6140 cmd.exe 124
PID 2756 wrote to memory of 2780 2756 cmd.exe 127
PID 2756 wrote to memory of 2780 2756 cmd.exe 127
PID 2756 wrote to memory of 2780 2756 cmd.exe 127
PID 2444 wrote to memory of 5728 2444 cmd.exe 130
PID 2444 wrote to memory of 5728 2444 cmd.exe 130
PID 2444 wrote to memory of 5728 2444 cmd.exe 130
PID 2080 wrote to memory of 5680 2080 cmd.exe 315
PID 2080 wrote to memory of 5680 2080 cmd.exe 315
PID 2080 wrote to memory of 5680 2080 cmd.exe 315
PID 5728 wrote to memory of 1336 5728 wpbofzqbrizxykqh.exe 304
PID 5728 wrote to memory of 1336 5728 wpbofzqbrizxykqh.exe 304
PID 5728 wrote to memory of 1336 5728 wpbofzqbrizxykqh.exe 304
PID 1496 wrote to memory of 184 1496 cmd.exe 139
PID 1496 wrote to memory of 184 1496 cmd.exe 139
PID 1496 wrote to memory of 184 1496 cmd.exe 139
PID 5680 wrote to memory of 3436 5680 zxogcbxnieadjalhztnlc.exe 217
System policy modification 1 TTPs 64 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | xhkowhp.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xhkowhp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | xhkowhp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | xhkowhp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xhkowhp.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xhkowhp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xhkowhp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | qjfmnzhratp.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | qjfmnzhratp.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | xhkowhp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | xhkowhp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | qjfmnzhratp.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | xhkowhp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | xhkowhp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qjfmnzhratp.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | xhkowhp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | xhkowhp.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | xhkowhp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | xhkowhp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | xhkowhp.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | xhkowhp.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | xhkowhp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | xhkowhp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | xhkowhp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | xhkowhp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | xhkowhp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | qjfmnzhratp.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | qjfmnzhratp.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | qjfmnzhratp.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xhkowhp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xhkowhp.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | qjfmnzhratp.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe |
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b19410583c5cac21e5066dee43513859.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b19410583c5cac21e5066dee43513859.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4412
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_b19410583c5cac21e5066dee43513859.exe*"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID:4520
        C:\Users\Admin\AppData\Local\Temp\xhkowhp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\xhkowhp.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_b19410583c5cac21e5066dee43513859.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - System policy modification
          PID:3704
        C:\Users\Admin\AppData\Local\Temp\xhkowhp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\xhkowhp.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_b19410583c5cac21e5066dee43513859.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Impair Defenses: Safe Mode Boot
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - System policy modification
          PID:5740

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe
  - Suspicious use of WriteProcessMemory
  PID:5236
    C:\Windows\xtiyspjxqkefjyhbrjb.exe
      Command line: xtiyspjxqkefjyhbrjb.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:220

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe .
  - Suspicious use of WriteProcessMemory
  PID:4792
    C:\Windows\xtiyspjxqkefjyhbrjb.exe
      Command line: xtiyspjxqkefjyhbrjb.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:5476
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\xtiyspjxqkefjyhbrjb.exe*."
          - Executes dropped EXE
          PID:5392

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c dxkyqldpgyqpreldr.exe
  - Suspicious use of WriteProcessMemory
  PID:2428
    C:\Windows\dxkyqldpgyqpreldr.exe
      Command line: dxkyqldpgyqpreldr.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:5852

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe .
  - Suspicious use of WriteProcessMemory
  PID:5356
    C:\Windows\khxojhcrlgbdiyidungd.exe
      Command line: khxojhcrlgbdiyidungd.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2764
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\khxojhcrlgbdiyidungd.exe*."
          - Executes dropped EXE
          PID:3172

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe
  - Suspicious use of WriteProcessMemory
  PID:5284
    C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:5180

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .
  - Suspicious use of WriteProcessMemory
  PID:1692
    C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:1568
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\xtiyspjxqkefjyhbrjb.exe*."
          - Executes dropped EXE
          PID:1832

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe
  - Suspicious use of WriteProcessMemory
  PID:6024
    C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe
      - Executes dropped EXE
      PID:4992

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .
  - Suspicious use of WriteProcessMemory
  PID:1220
    C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:3712
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\khxojhcrlgbdiyidungd.exe*."
          - Executes dropped EXE
          PID:1204

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe
  - Suspicious use of WriteProcessMemory
  PID:6140
    C:\Windows\wpbofzqbrizxykqh.exe
      Command line: wpbofzqbrizxykqh.exe
      - Executes dropped EXE
      PID:6072

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe
  - Suspicious use of WriteProcessMemory
  PID:2756
    C:\Windows\xtiyspjxqkefjyhbrjb.exe
      Command line: xtiyspjxqkefjyhbrjb.exe
      - Executes dropped EXE
      PID:2780

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe .
  - Suspicious use of WriteProcessMemory
  PID:2444
    C:\Windows\wpbofzqbrizxykqh.exe
      Command line: wpbofzqbrizxykqh.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:5728
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wpbofzqbrizxykqh.exe*."
          - Executes dropped EXE
          PID:1336

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe .
  - Suspicious use of WriteProcessMemory
  PID:2080
    C:\Windows\zxogcbxnieadjalhztnlc.exe
      Command line: zxogcbxnieadjalhztnlc.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:5680
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zxogcbxnieadjalhztnlc.exe*."
          - Executes dropped EXE
          PID:3436

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe
  - Suspicious use of WriteProcessMemory
  PID:1496
    C:\Windows\zxogcbxnieadjalhztnlc.exe
      Command line: zxogcbxnieadjalhztnlc.exe
      - Executes dropped EXE
      PID:184

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe .
  PID:2188
    C:\Windows\khxojhcrlgbdiyidungd.exe
      Command line: khxojhcrlgbdiyidungd.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:3316
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\khxojhcrlgbdiyidungd.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
          PID:6000

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c dxkyqldpgyqpreldr.exe
  PID:2476
    C:\Windows\dxkyqldpgyqpreldr.exe
      Command line: dxkyqldpgyqpreldr.exe
      - Executes dropped EXE
      PID:4240

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe
  PID:3944
    C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe
      - Executes dropped EXE
      PID:2088

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe .
  PID:1196
    C:\Windows\xtiyspjxqkefjyhbrjb.exe
      Command line: xtiyspjxqkefjyhbrjb.exe .
      - Checks computer location settings
      - Executes dropped EXE
      PID:4976
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\xtiyspjxqkefjyhbrjb.exe*."
          - Executes dropped EXE
          PID:4148

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe
  PID:5368
    C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:4644

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .
  PID:4212
    C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .
      - Checks computer location settings
      - Executes dropped EXE
      PID:5272
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\xtiyspjxqkefjyhbrjb.exe*."
          - Executes dropped EXE
          PID:5232

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .
  PID:4952
    C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:5080
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\khxojhcrlgbdiyidungd.exe*."
          - Executes dropped EXE
          PID:5016

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe
  PID:5756
    C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:2608

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .
  PID:3928
    C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:4308
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dxkyqldpgyqpreldr.exe*."
          - Executes dropped EXE
          PID:1680

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe
  PID:876
    C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe
      - Executes dropped EXE
      PID:6116

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe .
  PID:4460
    C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe .
      - Checks computer location settings
      - Executes dropped EXE
      PID:684
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wpbofzqbrizxykqh.exe*."
          - Executes dropped EXE
          PID:1584

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe
  PID:3740
    C:\Windows\xtiyspjxqkefjyhbrjb.exe
      Command line: xtiyspjxqkefjyhbrjb.exe
      - Executes dropped EXE
      PID:2388

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe .
  PID:872
    C:\Windows\xtiyspjxqkefjyhbrjb.exe
      Command line: xtiyspjxqkefjyhbrjb.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:4024
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\xtiyspjxqkefjyhbrjb.exe*."
          - Executes dropped EXE
          PID:4916

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe
  PID:5940
    C:\Windows\wpbofzqbrizxykqh.exe
      Command line: wpbofzqbrizxykqh.exe
      - Executes dropped EXE
      PID:4724

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe .
  PID:3192
    C:\Windows\xtiyspjxqkefjyhbrjb.exe
      Command line: xtiyspjxqkefjyhbrjb.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:4144
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\xtiyspjxqkefjyhbrjb.exe*."
          - Executes dropped EXE
          PID:4012

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe
  PID:468
    C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe
      - Executes dropped EXE
      PID:324

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .
  PID:1560
    C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .
      - Executes dropped EXE
      PID:4848
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zxogcbxnieadjalhztnlc.exe*."
          - Executes dropped EXE
          PID:1484

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe
  PID:2192
    C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe
      - Executes dropped EXE
      PID:3624

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe .
  PID:6132
    C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:5860
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\mhvkdzsfxqjjmaibqh.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
          PID:552

C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe1⤵PID:1972
-
C:\Windows\khxojhcrlgbdiyidungd.exekhxojhcrlgbdiyidungd.exe2⤵
- Executes dropped EXE
PID:5884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe .1⤵PID:5956
-
C:\Windows\zxogcbxnieadjalhztnlc.exezxogcbxnieadjalhztnlc.exe .2⤵
- Executes dropped EXE
PID:976 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zxogcbxnieadjalhztnlc.exe*."3⤵
- Executes dropped EXE
PID:756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe1⤵PID:1888
-
C:\Windows\zxogcbxnieadjalhztnlc.exezxogcbxnieadjalhztnlc.exe2⤵
- Executes dropped EXE
PID:2472
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe1⤵PID:4948
-
C:\Windows\khxojhcrlgbdiyidungd.exekhxojhcrlgbdiyidungd.exe2⤵
- Executes dropped EXE
PID:1320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe1⤵PID:3008
-
C:\Windows\zxogcbxnieadjalhztnlc.exezxogcbxnieadjalhztnlc.exe2⤵
- Executes dropped EXE
PID:1624
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe .1⤵PID:3436
-
C:\Windows\wpbofzqbrizxykqh.exewpbofzqbrizxykqh.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5636 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wpbofzqbrizxykqh.exe*."3⤵
- Executes dropped EXE
PID:5068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe1⤵PID:5804
-
C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exeC:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe2⤵
- Executes dropped EXE
PID:4664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe .1⤵PID:3204
-
C:\Windows\xtiyspjxqkefjyhbrjb.exextiyspjxqkefjyhbrjb.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\xtiyspjxqkefjyhbrjb.exe*."3⤵
- Executes dropped EXE
PID:4648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe .1⤵PID:2184
-
C:\Windows\zxogcbxnieadjalhztnlc.exezxogcbxnieadjalhztnlc.exe .2⤵
- Executes dropped EXE
PID:1148 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zxogcbxnieadjalhztnlc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .1⤵PID:5992
-
C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4760 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dxkyqldpgyqpreldr.exe*."3⤵PID:6112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe1⤵PID:4540
-
C:\Windows\xtiyspjxqkefjyhbrjb.exextiyspjxqkefjyhbrjb.exe2⤵PID:1412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe1⤵PID:100
-
C:\Windows\wpbofzqbrizxykqh.exewpbofzqbrizxykqh.exe2⤵PID:4640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dxkyqldpgyqpreldr.exe .1⤵PID:1840
-
C:\Windows\dxkyqldpgyqpreldr.exedxkyqldpgyqpreldr.exe .2⤵
- Checks computer location settings
PID:4808 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dxkyqldpgyqpreldr.exe*."3⤵PID:4724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe .1⤵PID:1284
-
C:\Windows\zxogcbxnieadjalhztnlc.exezxogcbxnieadjalhztnlc.exe .2⤵
- Checks computer location settings
PID:5220 -
Process tree, continued (one row per launch: image path, command line and PID, indented by nesting depth; signature hits are listed beneath the process that triggered them):

    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zxogcbxnieadjalhztnlc.exe*." | PID 5928

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe | PID 5276
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe | PID 5432

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe | PID 5496
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe | PID 5864

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe | PID 884
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe | PID 5548

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe . | PID 5756
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe . | PID 4736
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\khxojhcrlgbdiyidungd.exe*." | PID 1940

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe . | PID 4364
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe . | PID 216
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\mhvkdzsfxqjjmaibqh.exe*." | PID 3004
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Checks computer location settings
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - System Location Discovery: System Language Discovery
      - System policy modification
      (depth 4) image: C:\Users\Admin\AppData\Local\Temp\vgitzlr.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\vgitzlr.exe" "-c:\users\admin\appdata\local\temp\mhvkdzsfxqjjmaibqh.exe" | launched 54 times under PID 3004 with the identical command line, in order: PIDs 3556, 2900, 2632, 4884, 1392, 2060, 4544, 4892, 4568, 4312, 5956, 4664, 624, 4500, 5576, 4076, 220, 3112, 1968, 2544, 1148, 1680, 2404, 4504, 112, 3112, 5728, 552, 2924, 1716, 5068, 5640, 4948, 3848, 4292, 888, 4748, 3996, 5808, 684, 4080, 1052, 4572, 4480, 3496, 3024, 2712, 4100, 5744, 2576, 3568, 5212, 4908, 4340 (PID 3112 is listed twice)

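Every launch in this report is one flattened row, and the same three-step pattern repeats throughout: cmd.exe /c starts a dropped copy, the copy runs, and qjfmnzhratp.exe is started with that copy's path plus "*." as its argument, with vgitzlr.exe relaunched dozens of times underneath. The triage helper below is an added example written for this page, not code from the sandbox or from the sample. It parses rows in the raw export form into a parent/child tree and pulls out the two things worth reading off it: children whose command line names their own parent's image (the qjfmnzhratp.exe launches, read here as a guard of the process that started it, which is an inference from the argument pattern, not something the report states) and images that are launched repeatedly. The sample rows are copied from this report; the reading of the export format (image path running straight into the command line, the digit before the arrow being the nesting depth, a trailing "PID:" row belonging to the row above it) is an assumption about the export, and RAW_TREE, Proc, parse_tree, watchdog_pairs, respawned and flagged are names introduced here.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: eight rows copied from the process tree on this page, in the
# raw export form (image path, command line, nesting depth and PID run together).
# A "- <signature>" row and a trailing "PID:<n>" row belong to the process row
# above them; a bare "-" row is list residue with no content.
RAW_TREE = r"""
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe .1⤵PID:4364
-
C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:216 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\mhvkdzsfxqjjmaibqh.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
PID:3004 -
C:\Users\Admin\AppData\Local\Temp\vgitzlr.exe"C:\Users\Admin\AppData\Local\Temp\vgitzlr.exe" "-c:\users\admin\appdata\local\temp\mhvkdzsfxqjjmaibqh.exe"4⤵PID:3556
-
C:\Users\Admin\AppData\Local\Temp\vgitzlr.exe"C:\Users\Admin\AppData\Local\Temp\vgitzlr.exe" "-c:\users\admin\appdata\local\temp\mhvkdzsfxqjjmaibqh.exe"4⤵PID:2900
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe1⤵PID:5484
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5680
-
C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exeC:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe2⤵PID:4652
"""


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    parent: Optional["Proc"] = None
    signatures: list = field(default_factory=list)

    @property
    def name(self) -> str:
        """Image file name, lower-cased, for grouping launches of the same binary."""
        return self.image.rsplit("\\", 1)[-1].lower()


# Image path runs up to the first ".exe"; the single digit before the arrow is the
# nesting depth; the PID may follow on the same row or on the next "PID:" row.
ROW = re.compile(r'^(?P<image>[A-Za-z]:\\[^"]*?\.exe)(?P<cmdline>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?')
PID_ROW = re.compile(r"^PID:(\d+)")


def parse_tree(raw: str) -> list:
    """Turn raw export rows into Proc objects linked to their parents by depth."""
    procs, last_at_depth, current = [], {}, None
    for line in raw.splitlines():
        line = line.strip()
        if not line or line == "-":
            continue
        if (m := ROW.match(line)):
            depth = int(m["depth"])
            current = Proc(m["image"], m["cmdline"].strip(), depth,
                           int(m["pid"]) if m["pid"] else None,
                           last_at_depth.get(depth - 1))
            last_at_depth[depth] = current
            procs.append(current)
        elif (p := PID_ROW.match(line)) and current:
            current.pid = int(p.group(1))
        elif line.startswith("- ") and current:
            current.signatures.append(line[2:])
    return procs


def watchdog_pairs(procs: list) -> list:
    """(child pid, parent pid) where the child's command line names its parent's
    own image path: the qjfmnzhratp.exe "<parent>*." launches in this report,
    read here as a guard of the process that started it (an inference)."""
    return [(p.pid, p.parent.pid) for p in procs
            if p.parent and p.name != p.parent.name
            and p.parent.image.lower() in p.cmdline.lower()]


def respawned(procs: list, at_least: int = 2) -> dict:
    """Image names launched at_least times (vgitzlr.exe: 54 launches above)."""
    counts = Counter(p.name for p in procs)
    return {name: n for name, n in counts.items() if n >= at_least}


def flagged(procs: list, needle: str = "Modifies WinLogon for persistence") -> list:
    """PIDs that carry a given signature hit."""
    return [p.pid for p in procs if needle in p.signatures]


if __name__ == "__main__":
    tree = parse_tree(RAW_TREE)
    for child, parent in watchdog_pairs(tree):
        print(f"PID {child} guards PID {parent}")
    print(respawned(tree), flagged(tree))
```

On the full tree the same functions return one watchdog pair per qjfmnzhratp.exe launch and a launch count per dropped binary, which is what an analyst needs to separate the guard binary from the payload copies before looking at either.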
(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe . | PID 3540
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe . | PID 1088
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\mhvkdzsfxqjjmaibqh.exe*." | PID 224

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe | PID 2052
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe | PID 5184

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe | PID 4404
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe | PID 1392

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe . | PID 4776
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe . | PID 3572
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dxkyqldpgyqpreldr.exe*." | PID 740

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe . | PID 4276
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe . | PID 1120
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zxogcbxnieadjalhztnlc.exe*." | PID 5488

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c mhvkdzsfxqjjmaibqh.exe | PID 5148
  (depth 2) image: C:\Windows\mhvkdzsfxqjjmaibqh.exe | cmdline: mhvkdzsfxqjjmaibqh.exe | PID 4844
    - System Location Discovery: System Language Discovery

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe . | PID 1460
  (depth 2) image: C:\Windows\zxogcbxnieadjalhztnlc.exe | cmdline: zxogcbxnieadjalhztnlc.exe . | PID 3672
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zxogcbxnieadjalhztnlc.exe*." | PID 1720

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c mhvkdzsfxqjjmaibqh.exe | PID 4352
  (depth 2) image: C:\Windows\mhvkdzsfxqjjmaibqh.exe | cmdline: mhvkdzsfxqjjmaibqh.exe | PID 1336

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe . | PID 4836
  (depth 2) image: C:\Windows\xtiyspjxqkefjyhbrjb.exe | cmdline: xtiyspjxqkefjyhbrjb.exe . | PID 3996
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\xtiyspjxqkefjyhbrjb.exe*." | PID 4520

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe | PID 5604
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe | PID 5208

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe . | PID 1136
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe . | PID 2472
    - Checks computer location settings
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wpbofzqbrizxykqh.exe*." | PID 2444

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c vsgdvtlepjefjyhbrjz.exe | PID 5640
  (depth 2) image: C:\Windows\vsgdvtlepjefjyhbrjz.exe | cmdline: vsgdvtlepjefjyhbrjz.exe | PID 4548

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c vsgdvtlepjefjyhbrjz.exe . | PID 1052
  (depth 2) image: C:\Windows\vsgdvtlepjefjyhbrjz.exe | cmdline: vsgdvtlepjefjyhbrjz.exe . | PID 5624
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vsgdvtlepjefjyhbrjz.exe*." | PID 1868
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe | PID 5484
  (depth 2) image: C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5680
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe | PID 4652

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe . | PID 5064
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe . | PID 1376
    - Checks computer location settings
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zxogcbxnieadjalhztnlc.exe*." | PID 4772

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c bwidtpfwfxqpreldr.exe | PID 2236
  (depth 2) image: C:\Windows\bwidtpfwfxqpreldr.exe | cmdline: bwidtpfwfxqpreldr.exe | PID 4648

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c kgtpgdumwpjjmaibqh.exe . | PID 5556
  (depth 2) image: C:\Windows\kgtpgdumwpjjmaibqh.exe | cmdline: kgtpgdumwpjjmaibqh.exe . | PID 6112
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\kgtpgdumwpjjmaibqh.exe*." | PID 4524

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kgtpgdumwpjjmaibqh.exe | PID 3940
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\kgtpgdumwpjjmaibqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\kgtpgdumwpjjmaibqh.exe | PID 4356
    - System Location Discovery: System Language Discovery

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uoztidsiqhzxykqh.exe . | PID 4616
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\uoztidsiqhzxykqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\uoztidsiqhzxykqh.exe . | PID 1716
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\uoztidsiqhzxykqh.exe*." | PID 1044

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe | PID 2676
  (depth 2) image: C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5432
  (depth 2) image: C:\Windows\wpbofzqbrizxykqh.exe | cmdline: wpbofzqbrizxykqh.exe | PID 4148

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igvtmleykfbdiyidunec.exe | PID 3856
  (depth 2) image: C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2608
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\igvtmleykfbdiyidunec.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\igvtmleykfbdiyidunec.exe | PID 3268
    - System Location Discovery: System Language Discovery

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uoztidsiqhzxykqh.exe . | PID 2428
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\uoztidsiqhzxykqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\uoztidsiqhzxykqh.exe . | PID 2760
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\uoztidsiqhzxykqh.exe*." | PID 5908

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe . | PID 4780
  (depth 2) image: C:\Windows\khxojhcrlgbdiyidungd.exe | cmdline: khxojhcrlgbdiyidungd.exe . | PID 4504
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\khxojhcrlgbdiyidungd.exe*." | PID 4172

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe | PID 2576
  (depth 2) image: C:\Windows\khxojhcrlgbdiyidungd.exe | cmdline: khxojhcrlgbdiyidungd.exe | PID 5144

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe . | PID 1940
  (depth 2) image: C:\Windows\xtiyspjxqkefjyhbrjb.exe | cmdline: xtiyspjxqkefjyhbrjb.exe . | PID 2992
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\xtiyspjxqkefjyhbrjb.exe*." | PID 2012

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe | PID 5656
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe | PID 696

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe . | PID 2804
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe . | PID 1832
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\xtiyspjxqkefjyhbrjb.exe*." | PID 5828

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe | PID 1960
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe | PID 5816

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe . | PID 4076
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe . | PID 5528
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\xtiyspjxqkefjyhbrjb.exe*." | PID 676
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe | PID 2532
  (depth 2) image: C:\Windows\khxojhcrlgbdiyidungd.exe | cmdline: khxojhcrlgbdiyidungd.exe | PID 5360

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c mhvkdzsfxqjjmaibqh.exe . | PID 2292
  (depth 2) image: C:\Windows\mhvkdzsfxqjjmaibqh.exe | cmdline: mhvkdzsfxqjjmaibqh.exe . | PID 1216
    - Checks computer location settings
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mhvkdzsfxqjjmaibqh.exe*." | PID 3672

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe | PID 6132
  (depth 2) image: C:\Windows\wpbofzqbrizxykqh.exe | cmdline: wpbofzqbrizxykqh.exe | PID 2172

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe . | PID 5060
  (depth 2) image: C:\Windows\khxojhcrlgbdiyidungd.exe | cmdline: khxojhcrlgbdiyidungd.exe . | PID 4180
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\khxojhcrlgbdiyidungd.exe*." | PID 2064

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe | PID 5304
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe | PID 1624

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe . | PID 3996
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe . | PID 6140
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\xtiyspjxqkefjyhbrjb.exe*." | PID 5632

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe | PID 1888
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe | PID 3944

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c xwmlffzuhdadjalhztlka.exe | PID 4604
  (depth 2) image: C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2472
  (depth 2) image: C:\Windows\xwmlffzuhdadjalhztlka.exe | cmdline: xwmlffzuhdadjalhztlka.exe | PID 5852
    - System Location Discovery: System Language Discovery

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe . | PID 5848
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe . | PID 2476
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zxogcbxnieadjalhztnlc.exe*." | PID 5132
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c xwmlffzuhdadjalhztlka.exe . | PID 5464
  (depth 2) image: C:\Windows\xwmlffzuhdadjalhztlka.exe | cmdline: xwmlffzuhdadjalhztlka.exe . | PID 3780
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\xwmlffzuhdadjalhztlka.exe*." | PID 3292

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c bwidtpfwfxqpreldr.exe | PID 4772
  (depth 2) image: C:\Windows\bwidtpfwfxqpreldr.exe | cmdline: bwidtpfwfxqpreldr.exe | PID 3384

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c xwmlffzuhdadjalhztlka.exe . | PID 5784
  (depth 2) image: C:\Windows\xwmlffzuhdadjalhztlka.exe | cmdline: xwmlffzuhdadjalhztlka.exe . | PID 628
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\xwmlffzuhdadjalhztlka.exe*." | PID 5492

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uoztidsiqhzxykqh.exe | PID 4356
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\uoztidsiqhzxykqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\uoztidsiqhzxykqh.exe | PID 440

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe | PID 3212
  (depth 2) image: C:\Windows\khxojhcrlgbdiyidungd.exe | cmdline: khxojhcrlgbdiyidungd.exe | PID 4148

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igvtmleykfbdiyidunec.exe . | PID 5556
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\igvtmleykfbdiyidunec.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\igvtmleykfbdiyidunec.exe . | PID 1752
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\igvtmleykfbdiyidunec.exe*." | PID 4312

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe . | PID 4036
  (depth 2) image: C:\Windows\xtiyspjxqkefjyhbrjb.exe | cmdline: xtiyspjxqkefjyhbrjb.exe . | PID 4068
    - Checks computer location settings
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\xtiyspjxqkefjyhbrjb.exe*." | PID 112

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xwmlffzuhdadjalhztlka.exe | PID 3856
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\xwmlffzuhdadjalhztlka.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\xwmlffzuhdadjalhztlka.exe | PID 4976

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe | PID 4804
  (depth 2) image: C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4012
  (depth 2) image: C:\Windows\xtiyspjxqkefjyhbrjb.exe | cmdline: xtiyspjxqkefjyhbrjb.exe | PID 888

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe . | PID 3848
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe . | PID 3964
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vsgdvtlepjefjyhbrjz.exe*." | PID 5388

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c dxkyqldpgyqpreldr.exe . | PID 1952
  (depth 2) image: C:\Windows\dxkyqldpgyqpreldr.exe | cmdline: dxkyqldpgyqpreldr.exe . | PID 4852
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dxkyqldpgyqpreldr.exe*." | PID 2592

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe | PID 4736
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe | PID 1068

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe . | PID 2556
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe . | PID 6084
    - Checks computer location settings
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\xtiyspjxqkefjyhbrjb.exe*." | PID 4848

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe | PID 4308
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe | PID 2900

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe . | PID 2804
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe . | PID 4936
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wpbofzqbrizxykqh.exe*." | PID 3540
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c mhvkdzsfxqjjmaibqh.exe | PID 2252
  (depth 2) image: C:\Windows\mhvkdzsfxqjjmaibqh.exe | cmdline: mhvkdzsfxqjjmaibqh.exe | PID 5844

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe . | PID 2296
  (depth 2) image: C:\Windows\zxogcbxnieadjalhztnlc.exe | cmdline: zxogcbxnieadjalhztnlc.exe . | PID 5104
    - Checks computer location settings
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zxogcbxnieadjalhztnlc.exe*." | PID 3308

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe | PID 5628
  (depth 2) image: C:\Windows\wpbofzqbrizxykqh.exe | cmdline: wpbofzqbrizxykqh.exe | PID 4576

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c dxkyqldpgyqpreldr.exe . | PID 184
  (depth 2) image: C:\Windows\dxkyqldpgyqpreldr.exe | cmdline: dxkyqldpgyqpreldr.exe . | PID 1612
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dxkyqldpgyqpreldr.exe*." | PID 1600

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe | PID 4052
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe | PID 3496

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe . | PID 5340
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe . | PID 5208
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wpbofzqbrizxykqh.exe*." | PID 3088

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe | PID 5088
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe | PID 5780

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe . | PID 3468
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe . | PID 3316
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dxkyqldpgyqpreldr.exe*." | PID 5448
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

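Six of the qjfmnzhratp.exe launches in this tree (PIDs 3004, 1868, 676, 5132, 3540 and 5448) carry the same persistence signature set: Modifies WinLogon for persistence, Adds policy Run key to start application, Adds Run key to start application, UAC bypass, Checks whether UAC is enabled, System policy modification, and in the first case Disables RegEdit via registry modification. The registry locations those signature names describe are fixed: Winlogon\Shell, the CurrentVersion\Run and Policies\Explorer\Run keys, DisableRegistryTools under Policies\System (the value regedit honours) and EnableLUA under Policies\System (the UAC master switch). The check below is an added example written for this page, not code from the sandbox or from the sample: it parses a registry export in .reg syntax and reports deviations at exactly those locations, matching on the key suffix so that the native view and the WOW6432Node view (where a 32-bit dropper's writes land) are both examined. The export text is constructed: the binary names are the dropped files seen in this report, while the appended Shell entry, the Run values named "a" and "b" and the Policies\System values are hypothetical hits placed there to exercise the check, not values this run was observed to write. SAMPLE_REG, parse_reg and persistence_findings are names introduced here.

```python
import re
from collections import defaultdict

# Constructed export in .reg syntax, not a dump from this run. The binary names are
# the dropped files seen in this report; the tampered Shell value, the Run values
# named "a" and "b" and the Policies\System values are hypothetical hits placed
# here to exercise the check. (Real regedit exports are UTF-16LE with a BOM: decode
# them before passing the text in.)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Windows\\xtiyspjxqkefjyhbrjb.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"a"="C:\\Windows\\xtiyspjxqkefjyhbrjb.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"b"="C:\\Users\\Admin\\AppData\\Local\\Temp\\mhvkdzsfxqjjmaibqh.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000005
'''

KEY = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_reg(text: str) -> dict:
    """Map lower-cased key path -> {lower-cased value name: str or int}."""
    hive = defaultdict(dict)
    key = None
    for line in text.splitlines():
        line = line.strip()
        if (k := KEY.match(line)):
            key = k.group(1).lower()
        elif key and (v := VALUE.match(line)):
            data = v["data"]
            if data.startswith('"'):                        # REG_SZ, .reg-escaped
                value = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            elif data.startswith("dword:"):                 # REG_DWORD, hex digits
                value = int(data[6:], 16)
            else:
                value = data                                # hex(...) blobs kept raw
            hive[key][v["name"].lower()] = value
    return dict(hive)


TEMP_DIR = "\\appdata\\local\\temp\\"
WINDOWS_ROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe")   # an .exe directly in C:\Windows


def persistence_findings(hive: dict) -> list:
    """(finding, key, data) tuples for the locations the report's signatures name.
    Key suffixes are matched, so the native view and WOW6432Node are both checked."""
    findings = []
    for key, values in hive.items():
        if key.endswith("\\windows nt\\currentversion\\winlogon"):
            shell = values.get("shell")
            if shell is not None and shell.lower() != "explorer.exe":
                findings.append(("winlogon-shell", key, shell))
        if key.endswith("\\policies\\explorer\\run"):
            for data in values.values():                    # policy Run is rarely populated legitimately
                findings.append(("policy-run", key, data))
        elif key.endswith("\\currentversion\\run"):
            for data in values.values():
                low = str(data).lower()
                if TEMP_DIR in low or WINDOWS_ROOT_EXE.match(low):
                    findings.append(("run-suspicious-path", key, data))
        if key.endswith("\\polic­ies\\system".replace("\u00ad", "")):
            if values.get("disableregistrytools") == 1:
                findings.append(("regedit-disabled", key, 1))
            if values.get("enablelua") == 0:
                findings.append(("uac-disabled", key, 0))
    return findings


if __name__ == "__main__":
    for finding, key, data in persistence_findings(parse_reg(SAMPLE_REG)):
        print(f"{finding:22} {key}  ->  {data}")
```

The WOW6432Node Shell value passes because it differs from the default only in case, which is the point of comparing case-insensitively: a write that restores the default value is noise, a write that appends a second executable is the finding. The Run-key heuristic (anything under the user's Temp directory or dropped straight into C:\Windows) is the assumption that matches the file locations this tree shows; tighten or widen it for the environment being checked.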
(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe | PID 2444
  (depth 2) image: C:\Windows\zxogcbxnieadjalhztnlc.exe | cmdline: zxogcbxnieadjalhztnlc.exe | PID 5068

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe . | PID 5508
  (depth 2) image: C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2476
  (depth 2) image: C:\Windows\xtiyspjxqkefjyhbrjb.exe | cmdline: xtiyspjxqkefjyhbrjb.exe . | PID 4652
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\xtiyspjxqkefjyhbrjb.exe*." | PID 4952

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe | PID 5152
  (depth 2) image: C:\Windows\wpbofzqbrizxykqh.exe | cmdline: wpbofzqbrizxykqh.exe | PID 5812

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe . | PID 2188
  (depth 2) image: C:\Windows\zxogcbxnieadjalhztnlc.exe | cmdline: zxogcbxnieadjalhztnlc.exe . | PID 1412
    - Checks computer location settings
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zxogcbxnieadjalhztnlc.exe*." | PID 3396

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe | PID 552
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe | PID 2840

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe . | PID 4116
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe . | PID 1168
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    (depth 3) image: C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\xtiyspjxqkefjyhbrjb.exe*." | PID 4628

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe | PID 3168
  (depth 2) image: C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe | PID 1752

(depth 1) image: C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe . | PID 4288
  (depth 2) image: C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1680
-
-
C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exeC:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4532 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\khxojhcrlgbdiyidungd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mhvkdzsfxqjjmaibqh.exe1⤵PID:4424
-
C:\Windows\mhvkdzsfxqjjmaibqh.exemhvkdzsfxqjjmaibqh.exe2⤵PID:2036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe1⤵PID:764
-
C:\Windows\wpbofzqbrizxykqh.exewpbofzqbrizxykqh.exe2⤵PID:3952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe1⤵PID:4144
-
C:\Windows\khxojhcrlgbdiyidungd.exekhxojhcrlgbdiyidungd.exe2⤵PID:5388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe .1⤵PID:836
-
C:\Windows\zxogcbxnieadjalhztnlc.exezxogcbxnieadjalhztnlc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4852 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zxogcbxnieadjalhztnlc.exe*."3⤵PID:4780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe .1⤵PID:6116
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4736
-
-
C:\Windows\zxogcbxnieadjalhztnlc.exezxogcbxnieadjalhztnlc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5732 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zxogcbxnieadjalhztnlc.exe*."3⤵PID:5952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe .1⤵PID:5656
-
C:\Windows\xtiyspjxqkefjyhbrjb.exextiyspjxqkefjyhbrjb.exe .2⤵
- Checks computer location settings
PID:1340 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\xtiyspjxqkefjyhbrjb.exe*."3⤵PID:4216
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe1⤵PID:5116
-
C:\Windows\zxogcbxnieadjalhztnlc.exezxogcbxnieadjalhztnlc.exe2⤵PID:4728
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe .1⤵PID:2556
-
C:\Windows\khxojhcrlgbdiyidungd.exekhxojhcrlgbdiyidungd.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5196 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\khxojhcrlgbdiyidungd.exe*."3⤵PID:3196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe1⤵PID:1220
-
C:\Windows\zxogcbxnieadjalhztnlc.exezxogcbxnieadjalhztnlc.exe2⤵PID:5964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe1⤵PID:3556
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5232
-
-
C:\Windows\zxogcbxnieadjalhztnlc.exezxogcbxnieadjalhztnlc.exe2⤵PID:5344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe1⤵PID:2468
-
C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe2⤵PID:1336
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe .1⤵PID:5148
-
C:\Windows\khxojhcrlgbdiyidungd.exekhxojhcrlgbdiyidungd.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1888 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\khxojhcrlgbdiyidungd.exe*."3⤵PID:5664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe .1⤵PID:2636
-
C:\Windows\wpbofzqbrizxykqh.exewpbofzqbrizxykqh.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4052 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wpbofzqbrizxykqh.exe*."3⤵PID:6036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe1⤵PID:5572
-
C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exeC:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe2⤵PID:5384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .1⤵PID:840
-
C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exeC:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .2⤵
- Checks computer location settings
PID:3132 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zxogcbxnieadjalhztnlc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe1⤵PID:4008
-
C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exeC:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe2⤵PID:5520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .1⤵PID:2868
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3672
-
-
C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:456 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dxkyqldpgyqpreldr.exe*."3⤵PID:3592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .1⤵PID:3692
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1120
-
-
C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exeC:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .2⤵
- Checks computer location settings
PID:184 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zxogcbxnieadjalhztnlc.exe*."3⤵PID:3784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe1⤵PID:5452
-
C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe2⤵PID:5848
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe1⤵PID:4352
-
C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exeC:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe2⤵PID:5440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .1⤵PID:4480
-
C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exeC:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4356 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zxogcbxnieadjalhztnlc.exe*."3⤵PID:872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe1⤵PID:2624
-
C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exeC:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe2⤵PID:1404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .1⤵PID:3136
-
C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exeC:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3204 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zxogcbxnieadjalhztnlc.exe*."3⤵PID:1584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .1⤵PID:4404
-
C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exeC:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1412 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zxogcbxnieadjalhztnlc.exe*."3⤵PID:5472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe1⤵PID:1148
-
C:\Windows\wpbofzqbrizxykqh.exewpbofzqbrizxykqh.exe2⤵PID:4556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dxkyqldpgyqpreldr.exe .1⤵PID:2924
-
C:\Windows\dxkyqldpgyqpreldr.exedxkyqldpgyqpreldr.exe .2⤵
- Checks computer location settings
PID:4584 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dxkyqldpgyqpreldr.exe*."3⤵PID:812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe1⤵PID:5220
-
C:\Windows\zxogcbxnieadjalhztnlc.exezxogcbxnieadjalhztnlc.exe2⤵PID:3804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe .1⤵PID:4724
-
C:\Windows\xtiyspjxqkefjyhbrjb.exextiyspjxqkefjyhbrjb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2012 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\xtiyspjxqkefjyhbrjb.exe*."3⤵PID:1464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe1⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe2⤵PID:1408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .1⤵PID:3464
-
C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .2⤵
- Checks computer location settings
PID:5084 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dxkyqldpgyqpreldr.exe*."3⤵PID:4780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe1⤵PID:4304
-
C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exeC:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe2⤵PID:5364
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .1⤵PID:3680
-
C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exeC:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3308 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zxogcbxnieadjalhztnlc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe1⤵PID:5344
-
C:\Windows\xtiyspjxqkefjyhbrjb.exextiyspjxqkefjyhbrjb.exe2⤵PID:5984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe .1⤵PID:8
-
C:\Windows\zxogcbxnieadjalhztnlc.exezxogcbxnieadjalhztnlc.exe .2⤵PID:4308
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zxogcbxnieadjalhztnlc.exe*."3⤵PID:3264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dxkyqldpgyqpreldr.exe1⤵PID:4592
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1624
-
-
C:\Windows\dxkyqldpgyqpreldr.exedxkyqldpgyqpreldr.exe2⤵PID:2272
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe .1⤵PID:5956
-
C:\Windows\khxojhcrlgbdiyidungd.exekhxojhcrlgbdiyidungd.exe .2⤵PID:3844
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\khxojhcrlgbdiyidungd.exe*."3⤵PID:1376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe1⤵PID:2896
-
C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exeC:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe2⤵PID:5852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe .1⤵PID:184
-
C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe .2⤵PID:5664
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\mhvkdzsfxqjjmaibqh.exe*."3⤵PID:388
-
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:2444
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe1⤵PID:4256
-
C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exeC:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe2⤵PID:1004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .1⤵PID:6028
-
C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .2⤵PID:5160
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dxkyqldpgyqpreldr.exe*."3⤵PID:968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe1⤵PID:4668
-
C:\Windows\khxojhcrlgbdiyidungd.exekhxojhcrlgbdiyidungd.exe2⤵PID:3288
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe .1⤵PID:2300
-
C:\Windows\khxojhcrlgbdiyidungd.exekhxojhcrlgbdiyidungd.exe .2⤵PID:5632
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\khxojhcrlgbdiyidungd.exe*."3⤵PID:1368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe1⤵PID:5636
-
C:\Windows\zxogcbxnieadjalhztnlc.exezxogcbxnieadjalhztnlc.exe2⤵PID:5412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mhvkdzsfxqjjmaibqh.exe .1⤵PID:5676
-
C:\Windows\mhvkdzsfxqjjmaibqh.exemhvkdzsfxqjjmaibqh.exe .2⤵PID:4628
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mhvkdzsfxqjjmaibqh.exe*."3⤵PID:4036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe1⤵PID:4480
-
C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exeC:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe2⤵PID:4560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kgtpgdumwpjjmaibqh.exe1⤵PID:2596
-
C:\Windows\kgtpgdumwpjjmaibqh.exekgtpgdumwpjjmaibqh.exe2⤵PID:5324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .1⤵PID:684
-
C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exeC:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .2⤵PID:2924
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\khxojhcrlgbdiyidungd.exe*."3⤵PID:3584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vsgdvtlepjefjyhbrjz.exe .1⤵PID:4540
-
C:\Windows\vsgdvtlepjefjyhbrjz.exevsgdvtlepjefjyhbrjz.exe .2⤵PID:5284
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vsgdvtlepjefjyhbrjz.exe*."3⤵PID:2036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe1⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exeC:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe2⤵PID:4780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kgtpgdumwpjjmaibqh.exe1⤵PID:2428
-
C:\Windows\kgtpgdumwpjjmaibqh.exekgtpgdumwpjjmaibqh.exe2⤵PID:4960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe .1⤵PID:4852
-
C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe .2⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\mhvkdzsfxqjjmaibqh.exe*."3⤵PID:5384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bwidtpfwfxqpreldr.exe .1⤵PID:1048
-
C:\Windows\bwidtpfwfxqpreldr.exebwidtpfwfxqpreldr.exe .2⤵PID:244
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bwidtpfwfxqpreldr.exe*."3⤵PID:5140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe1⤵PID:5884
-
C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exeC:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe2⤵PID:5796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uoztidsiqhzxykqh.exe .1⤵PID:1576
-
C:\Users\Admin\AppData\Local\Temp\uoztidsiqhzxykqh.exeC:\Users\Admin\AppData\Local\Temp\uoztidsiqhzxykqh.exe .2⤵PID:6116
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\uoztidsiqhzxykqh.exe*."3⤵PID:3460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwidtpfwfxqpreldr.exe1⤵PID:2260
-
C:\Users\Admin\AppData\Local\Temp\bwidtpfwfxqpreldr.exeC:\Users\Admin\AppData\Local\Temp\bwidtpfwfxqpreldr.exe2⤵PID:4368
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwidtpfwfxqpreldr.exe .1⤵PID:1216
-
C:\Users\Admin\AppData\Local\Temp\bwidtpfwfxqpreldr.exeC:\Users\Admin\AppData\Local\Temp\bwidtpfwfxqpreldr.exe .2⤵PID:5640
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bwidtpfwfxqpreldr.exe*."3⤵PID:1980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe1⤵PID:4592
-
C:\Windows\wpbofzqbrizxykqh.exewpbofzqbrizxykqh.exe2⤵PID:4152
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe .1⤵PID:4364
-
C:\Windows\zxogcbxnieadjalhztnlc.exezxogcbxnieadjalhztnlc.exe .2⤵PID:3528
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zxogcbxnieadjalhztnlc.exe*."3⤵PID:4892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe1⤵PID:5340
-
C:\Windows\wpbofzqbrizxykqh.exewpbofzqbrizxykqh.exe2⤵PID:2628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mhvkdzsfxqjjmaibqh.exe .1⤵PID:388
-
C:\Windows\mhvkdzsfxqjjmaibqh.exemhvkdzsfxqjjmaibqh.exe .2⤵PID:4212
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mhvkdzsfxqjjmaibqh.exe*."3⤵PID:5940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe1⤵PID:3692
-
C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe2⤵PID:5184
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .1⤵PID:4380
-
C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exeC:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .2⤵PID:3572
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\khxojhcrlgbdiyidungd.exe*."3⤵PID:4548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe1⤵PID:5104
-
C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exeC:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe2⤵PID:456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe .1⤵PID:4468
-
C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exeC:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe .2⤵PID:5592
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wpbofzqbrizxykqh.exe*."3⤵PID:5252
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe1⤵PID:4972
-
C:\Windows\khxojhcrlgbdiyidungd.exekhxojhcrlgbdiyidungd.exe2⤵PID:5000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dxkyqldpgyqpreldr.exe .1⤵PID:5488
-
C:\Windows\dxkyqldpgyqpreldr.exedxkyqldpgyqpreldr.exe .2⤵PID:1348
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dxkyqldpgyqpreldr.exe*."3⤵PID:4224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe1⤵PID:3540
-
C:\Windows\xtiyspjxqkefjyhbrjb.exextiyspjxqkefjyhbrjb.exe2⤵PID:1152
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe .1⤵PID:4792
-
C:\Windows\wpbofzqbrizxykqh.exewpbofzqbrizxykqh.exe .2⤵PID:4976
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wpbofzqbrizxykqh.exe*."3⤵PID:4584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe1⤵PID:5704
-
C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe2⤵PID:5912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .1⤵PID:6004
-
C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exeC:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .2⤵PID:4784
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\xtiyspjxqkefjyhbrjb.exe*."3⤵PID:812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe1⤵PID:1772
-
C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exeC:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe2⤵PID:696
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .1⤵PID:5284
-
C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .2⤵PID:5840
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dxkyqldpgyqpreldr.exe*."3⤵PID:3804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe1⤵PID:5796
-
C:\Windows\wpbofzqbrizxykqh.exewpbofzqbrizxykqh.exe2⤵PID:1560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mhvkdzsfxqjjmaibqh.exe .1⤵PID:244
-
C:\Windows\mhvkdzsfxqjjmaibqh.exemhvkdzsfxqjjmaibqh.exe .2⤵PID:1940
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mhvkdzsfxqjjmaibqh.exe*."3⤵PID:4820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe1⤵PID:1180
-
C:\Windows\wpbofzqbrizxykqh.exewpbofzqbrizxykqh.exe2⤵PID:4620
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe .1⤵PID:4516
-
C:\Windows\wpbofzqbrizxykqh.exewpbofzqbrizxykqh.exe .2⤵PID:5348
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wpbofzqbrizxykqh.exe*."3⤵PID:5908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe1⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exeC:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe2⤵PID:1840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .1⤵PID:5068
-
C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exeC:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .2⤵PID:4520
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zxogcbxnieadjalhztnlc.exe*."3⤵PID:1216
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe1⤵PID:5572
-
C:\Windows\xtiyspjxqkefjyhbrjb.exextiyspjxqkefjyhbrjb.exe2⤵PID:4488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dxkyqldpgyqpreldr.exe1⤵PID:3932
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1624
-
-
C:\Windows\dxkyqldpgyqpreldr.exedxkyqldpgyqpreldr.exe2⤵PID:5668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe1⤵PID:2092
-
C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exeC:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe2⤵PID:4004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mhvkdzsfxqjjmaibqh.exe .1⤵PID:6072
-
C:\Windows\mhvkdzsfxqjjmaibqh.exemhvkdzsfxqjjmaibqh.exe .2⤵PID:3568
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mhvkdzsfxqjjmaibqh.exe*."3⤵PID:6140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .1⤵PID:1472
-
C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .2⤵PID:5276
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dxkyqldpgyqpreldr.exe*."3⤵PID:5128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe .1⤵PID:3528
-
C:\Windows\zxogcbxnieadjalhztnlc.exezxogcbxnieadjalhztnlc.exe .2⤵PID:388
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zxogcbxnieadjalhztnlc.exe*."3⤵PID:4468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mhvkdzsfxqjjmaibqh.exe1⤵PID:32
-
C:\Windows\mhvkdzsfxqjjmaibqh.exemhvkdzsfxqjjmaibqh.exe2⤵PID:4320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe .1⤵PID:3520
-
C:\Windows\zxogcbxnieadjalhztnlc.exezxogcbxnieadjalhztnlc.exe .2⤵PID:4148
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zxogcbxnieadjalhztnlc.exe*."3⤵PID:4804
-
-
-
Process tree (indentation shows parent/child; each line gives the image path, the PID, then the command line):

C:\Windows\system32\cmd.exe  (PID 400)  C:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe
    C:\Windows\khxojhcrlgbdiyidungd.exe  (PID 5316)  khxojhcrlgbdiyidungd.exe

C:\Windows\system32\cmd.exe  (PID 5148)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe
    C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe  (PID 5704)  C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe

C:\Windows\system32\cmd.exe  (PID 4380)  C:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe .
    C:\Windows\zxogcbxnieadjalhztnlc.exe  (PID 3712)  zxogcbxnieadjalhztnlc.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 4572)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zxogcbxnieadjalhztnlc.exe*."

C:\Windows\system32\cmd.exe  (PID 1612)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .
    C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe  (PID 4584)  C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 4220)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zxogcbxnieadjalhztnlc.exe*."

C:\Windows\system32\cmd.exe  (PID 5100)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe
    C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe  (PID 2124)  C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe

C:\Windows\system32\cmd.exe  (PID 2064)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .
    C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe  (PID 5724)  C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 4580)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\xtiyspjxqkefjyhbrjb.exe*."

C:\Windows\system32\cmd.exe  (PID 2088)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe
    C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe  (PID 4908)  C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe

C:\Windows\system32\cmd.exe  (PID 5672)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe
    C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe  (PID 6088)  C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe

C:\Windows\system32\cmd.exe  (PID 5636)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .
    C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe  (PID 3744)  C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 2228)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dxkyqldpgyqpreldr.exe*."

C:\Windows\system32\cmd.exe  (PID 3468)  C:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe
    C:\Windows\zxogcbxnieadjalhztnlc.exe  (PID 1464)  zxogcbxnieadjalhztnlc.exe

C:\Windows\system32\cmd.exe  (PID 404)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .
    C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe  (PID 1196)  C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 5548)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dxkyqldpgyqpreldr.exe*."

C:\Windows\system32\cmd.exe  (PID 4376)  C:\Windows\system32\cmd.exe /c mhvkdzsfxqjjmaibqh.exe .
    C:\Windows\mhvkdzsfxqjjmaibqh.exe  (PID 6008)  mhvkdzsfxqjjmaibqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 4728)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mhvkdzsfxqjjmaibqh.exe*."

C:\Windows\system32\cmd.exe  (PID 2096)  C:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe
    C:\Windows\zxogcbxnieadjalhztnlc.exe  (PID 4644)  zxogcbxnieadjalhztnlc.exe

C:\Windows\system32\cmd.exe  (PID 2428)  C:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe .
    C:\Windows\System32\Conhost.exe  (PID 5220)  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\xtiyspjxqkefjyhbrjb.exe  (PID 2060)  xtiyspjxqkefjyhbrjb.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 3460)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\xtiyspjxqkefjyhbrjb.exe*."

C:\Windows\system32\cmd.exe  (PID 1364)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe
    C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe  (PID 6084)  C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe

C:\Windows\system32\cmd.exe  (PID 4820)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .
    C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe  (PID 3264)  C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 4936)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\xtiyspjxqkefjyhbrjb.exe*."

C:\Windows\system32\cmd.exe  (PID 1840)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe
    C:\Windows\System32\Conhost.exe  (PID 4504)  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe  (PID 5208)  C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe

C:\Windows\system32\cmd.exe  (PID 4216)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .
    C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe  (PID 5232)  C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 3252)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dxkyqldpgyqpreldr.exe*."

C:\Windows\system32\cmd.exe  (PID 64)  C:\Windows\system32\cmd.exe /c mhvkdzsfxqjjmaibqh.exe
    C:\Windows\mhvkdzsfxqjjmaibqh.exe  (PID 6104)  mhvkdzsfxqjjmaibqh.exe

C:\Windows\system32\cmd.exe  (PID 5012)  C:\Windows\system32\cmd.exe /c mhvkdzsfxqjjmaibqh.exe .
    C:\Windows\mhvkdzsfxqjjmaibqh.exe  (PID 2540)  mhvkdzsfxqjjmaibqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 5468)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mhvkdzsfxqjjmaibqh.exe*."

C:\Windows\system32\cmd.exe  (PID 1748)  C:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe
    C:\Windows\zxogcbxnieadjalhztnlc.exe  (PID 876)  zxogcbxnieadjalhztnlc.exe

C:\Windows\system32\cmd.exe  (PID 5440)  C:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe .
    C:\Windows\zxogcbxnieadjalhztnlc.exe  (PID 4800)  zxogcbxnieadjalhztnlc.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 1340)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zxogcbxnieadjalhztnlc.exe*."

C:\Windows\system32\cmd.exe  (PID 4052)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe
    C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe  (PID 440)  C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe

C:\Windows\system32\cmd.exe  (PID 6124)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .
    C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe  (PID 1376)  C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 5188)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\khxojhcrlgbdiyidungd.exe*."

C:\Windows\system32\cmd.exe  (PID 3136)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe
    C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe  (PID 3524)  C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe

C:\Windows\system32\cmd.exe  (PID 468)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .
    C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe  (PID 4460)  C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 3956)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dxkyqldpgyqpreldr.exe*."

C:\Windows\system32\cmd.exe  (PID 348)  C:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe
    C:\Windows\khxojhcrlgbdiyidungd.exe  (PID 3520)  khxojhcrlgbdiyidungd.exe

C:\Windows\system32\cmd.exe  (PID 1148)  C:\Windows\system32\cmd.exe /c mhvkdzsfxqjjmaibqh.exe .
    C:\Windows\mhvkdzsfxqjjmaibqh.exe  (PID 5436)  mhvkdzsfxqjjmaibqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 6080)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mhvkdzsfxqjjmaibqh.exe*."

C:\Windows\system32\cmd.exe  (PID 4572)  C:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe
    C:\Windows\wpbofzqbrizxykqh.exe  (PID 3732)  wpbofzqbrizxykqh.exe

C:\Windows\system32\cmd.exe  (PID 4492)  C:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe .
    C:\Windows\zxogcbxnieadjalhztnlc.exe  (PID 1456)  zxogcbxnieadjalhztnlc.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 5180)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zxogcbxnieadjalhztnlc.exe*."

C:\Windows\system32\cmd.exe  (PID 5856)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe
    C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe  (PID 3268)  C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe

C:\Windows\system32\cmd.exe  (PID 4240)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe .
    C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe  (PID 5716)  C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 1680)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wpbofzqbrizxykqh.exe*."

C:\Windows\system32\cmd.exe  (PID 216)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe
    C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe  (PID 3928)  C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe

C:\Windows\system32\cmd.exe  (PID 3096)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .
    C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe  (PID 4824)  C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 3856)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\xtiyspjxqkefjyhbrjb.exe*."

C:\Windows\system32\cmd.exe  (PID 5388)  C:\Windows\system32\cmd.exe /c uoztidsiqhzxykqh.exe
    C:\Windows\uoztidsiqhzxykqh.exe  (PID 4288)  uoztidsiqhzxykqh.exe

C:\Windows\system32\cmd.exe  (PID 4852)  C:\Windows\system32\cmd.exe /c vsgdvtlepjefjyhbrjz.exe .
    C:\Windows\vsgdvtlepjefjyhbrjz.exe  (PID 2296)  vsgdvtlepjefjyhbrjz.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 5220)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vsgdvtlepjefjyhbrjz.exe*."

C:\Windows\system32\cmd.exe  (PID 2404)  C:\Windows\system32\cmd.exe /c igvtmleykfbdiyidunec.exe
    C:\Windows\igvtmleykfbdiyidunec.exe  (PID 2380)  igvtmleykfbdiyidunec.exe

C:\Windows\system32\cmd.exe  (PID 5348)  C:\Windows\system32\cmd.exe /c bwidtpfwfxqpreldr.exe .
    C:\Windows\bwidtpfwfxqpreldr.exe  (PID 3008)  bwidtpfwfxqpreldr.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 4340)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bwidtpfwfxqpreldr.exe*."

C:\Windows\system32\cmd.exe  (PID 4136)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uoztidsiqhzxykqh.exe
    C:\Users\Admin\AppData\Local\Temp\uoztidsiqhzxykqh.exe  (PID 1084)  C:\Users\Admin\AppData\Local\Temp\uoztidsiqhzxykqh.exe

C:\Windows\system32\cmd.exe  (PID 1840)  C:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe
    C:\Windows\khxojhcrlgbdiyidungd.exe  (PID 5232)  khxojhcrlgbdiyidungd.exe

C:\Windows\system32\cmd.exe  (PID 6112)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kgtpgdumwpjjmaibqh.exe .
    C:\Users\Admin\AppData\Local\Temp\kgtpgdumwpjjmaibqh.exe  (PID 4068)  C:\Users\Admin\AppData\Local\Temp\kgtpgdumwpjjmaibqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 5916)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\kgtpgdumwpjjmaibqh.exe*."

C:\Windows\system32\cmd.exe  (PID 2652)  C:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe .
    C:\Windows\System32\Conhost.exe  (PID 4216)  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\zxogcbxnieadjalhztnlc.exe  (PID 3548)  zxogcbxnieadjalhztnlc.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 2540)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zxogcbxnieadjalhztnlc.exe*."

C:\Windows\system32\cmd.exe  (PID 3412)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe
    C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe  (PID 876)  C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe

C:\Windows\system32\cmd.exe  (PID 1780)  C:\Windows\system32\cmd.exe /c mhvkdzsfxqjjmaibqh.exe
    C:\Windows\mhvkdzsfxqjjmaibqh.exe  (PID 3196)  mhvkdzsfxqjjmaibqh.exe

C:\Windows\system32\cmd.exe  (PID 5076)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kgtpgdumwpjjmaibqh.exe .
    C:\Users\Admin\AppData\Local\Temp\kgtpgdumwpjjmaibqh.exe  (PID 5848)  C:\Users\Admin\AppData\Local\Temp\kgtpgdumwpjjmaibqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 5440)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\kgtpgdumwpjjmaibqh.exe*."

C:\Windows\system32\cmd.exe  (PID 5212)  C:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe .
    C:\Windows\xtiyspjxqkefjyhbrjb.exe  (PID 4800)  xtiyspjxqkefjyhbrjb.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 5900)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\xtiyspjxqkefjyhbrjb.exe*."

C:\Windows\system32\cmd.exe  (PID 4052)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe
    C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe  (PID 4604)  C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe

C:\Windows\system32\cmd.exe  (PID 740)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe .
    C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe  (PID 3436)  C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 1068)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\mhvkdzsfxqjjmaibqh.exe*."

C:\Windows\system32\cmd.exe  (PID 536)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe
    C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe  (PID 1772)  C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe

C:\Windows\system32\cmd.exe  (PID 4488)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .
    C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe  (PID 5488)  C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 868)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\khxojhcrlgbdiyidungd.exe*."

C:\Windows\system32\cmd.exe  (PID 3516)  C:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe
    C:\Windows\khxojhcrlgbdiyidungd.exe  (PID 5708)  khxojhcrlgbdiyidungd.exe

C:\Windows\system32\cmd.exe  (PID 696)  C:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe .
    C:\Windows\System32\Conhost.exe  (PID 224)  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\wpbofzqbrizxykqh.exe  (PID 2624)  wpbofzqbrizxykqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 4140)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wpbofzqbrizxykqh.exe*."

C:\Windows\system32\cmd.exe  (PID 1284)  C:\Windows\system32\cmd.exe /c dxkyqldpgyqpreldr.exe
    C:\Windows\System32\Conhost.exe  (PID 4780)  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\dxkyqldpgyqpreldr.exe  (PID 3112)  dxkyqldpgyqpreldr.exe

C:\Windows\system32\cmd.exe  (PID 3584)  C:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe .
    C:\Windows\zxogcbxnieadjalhztnlc.exe  (PID 5360)  zxogcbxnieadjalhztnlc.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 5884)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zxogcbxnieadjalhztnlc.exe*."

C:\Windows\system32\cmd.exe  (PID 5756)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe
    C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe  (PID 5856)  C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe

C:\Windows\system32\cmd.exe  (PID 336)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .
    C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe  (PID 4492)  C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 5656)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\khxojhcrlgbdiyidungd.exe*."

C:\Windows\system32\cmd.exe  (PID 5544)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe
    C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe  (PID 4652)  C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe

C:\Windows\system32\cmd.exe  (PID 3976)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe .
    C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe  (PID 1180)  C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 812)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wpbofzqbrizxykqh.exe*."

C:\Windows\system32\cmd.exe  (PID 5196)  C:\Windows\system32\cmd.exe /c mhvkdzsfxqjjmaibqh.exe
    C:\Windows\mhvkdzsfxqjjmaibqh.exe  (PID 6008)  mhvkdzsfxqjjmaibqh.exe

C:\Windows\system32\cmd.exe  (PID 3096)  C:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe .
    C:\Windows\zxogcbxnieadjalhztnlc.exe  (PID 1320)  zxogcbxnieadjalhztnlc.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 2380)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zxogcbxnieadjalhztnlc.exe*."

C:\Windows\system32\cmd.exe  (PID 464)  C:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe
    C:\Windows\System32\Conhost.exe  (PID 3964)  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\khxojhcrlgbdiyidungd.exe  (PID 712)  khxojhcrlgbdiyidungd.exe

C:\Windows\system32\cmd.exe  (PID 1576)  C:\Windows\system32\cmd.exe /c mhvkdzsfxqjjmaibqh.exe .
    C:\Windows\mhvkdzsfxqjjmaibqh.exe  (PID 5892)  mhvkdzsfxqjjmaibqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 4340)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mhvkdzsfxqjjmaibqh.exe*."

C:\Windows\system32\cmd.exe  (PID 3728)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe
    C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe  (PID 5088)  C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe

C:\Windows\system32\cmd.exe  (PID 3008)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .
    C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe  (PID 3308)  C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 5316)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\khxojhcrlgbdiyidungd.exe*."

C:\Windows\system32\cmd.exe  (PID 4152)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe
    C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe  (PID 5520)  C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe

C:\Windows\system32\cmd.exe  (PID 6116)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe .
    C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe  (PID 2488)  C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 4548)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wpbofzqbrizxykqh.exe*."

C:\Windows\system32\cmd.exe  (PID 2540)  C:\Windows\system32\cmd.exe /c mhvkdzsfxqjjmaibqh.exe
    C:\Windows\mhvkdzsfxqjjmaibqh.exe  (PID 5752)  mhvkdzsfxqjjmaibqh.exe

C:\Windows\system32\cmd.exe  (PID 5496)  C:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe
    C:\Windows\wpbofzqbrizxykqh.exe  (PID 1968)  wpbofzqbrizxykqh.exe

C:\Windows\system32\cmd.exe  (PID 3844)  C:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe
    C:\Windows\xtiyspjxqkefjyhbrjb.exe  (PID 4276)  xtiyspjxqkefjyhbrjb.exe

C:\Windows\system32\cmd.exe  (PID 5056)  C:\Windows\system32\cmd.exe /c mhvkdzsfxqjjmaibqh.exe .
    C:\Windows\mhvkdzsfxqjjmaibqh.exe  (PID 4832)  mhvkdzsfxqjjmaibqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 4796)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mhvkdzsfxqjjmaibqh.exe*."

C:\Windows\system32\cmd.exe  (PID 184)  C:\Windows\system32\cmd.exe /c dxkyqldpgyqpreldr.exe .
    C:\Windows\dxkyqldpgyqpreldr.exe  (PID 3528)  dxkyqldpgyqpreldr.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 5212)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dxkyqldpgyqpreldr.exe*."

C:\Windows\system32\cmd.exe  (PID 640)  C:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe .
    C:\Windows\System32\Conhost.exe  (PID 456)  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\wpbofzqbrizxykqh.exe  (PID 5888)  wpbofzqbrizxykqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 5396)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wpbofzqbrizxykqh.exe*."

C:\Windows\system32\cmd.exe  (PID 3400)  C:\Windows\system32\cmd.exe /c dxkyqldpgyqpreldr.exe
    C:\Windows\dxkyqldpgyqpreldr.exe  (PID 3460)  dxkyqldpgyqpreldr.exe

C:\Windows\system32\cmd.exe  (PID 6072)  C:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe
    C:\Windows\wpbofzqbrizxykqh.exe  (PID 5316)  wpbofzqbrizxykqh.exe

C:\Windows\system32\cmd.exe  (PID 1068)  C:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe .
    C:\Windows\zxogcbxnieadjalhztnlc.exe  (PID 5360)  zxogcbxnieadjalhztnlc.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 4768)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zxogcbxnieadjalhztnlc.exe*."

C:\Windows\system32\cmd.exe  (PID 392)  C:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe
    C:\Windows\wpbofzqbrizxykqh.exe  (PID 2756)  wpbofzqbrizxykqh.exe

C:\Windows\system32\cmd.exe  (PID 3824)  C:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe .
    C:\Windows\xtiyspjxqkefjyhbrjb.exe  (PID 4388)  xtiyspjxqkefjyhbrjb.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 4260)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\xtiyspjxqkefjyhbrjb.exe*."

C:\Windows\system32\cmd.exe  (PID 5488)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe
    C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe  (PID 1148)  C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe

C:\Windows\system32\cmd.exe  (PID 4804)  C:\Windows\system32\cmd.exe /c dxkyqldpgyqpreldr.exe .
    C:\Windows\dxkyqldpgyqpreldr.exe  (PID 2172)  dxkyqldpgyqpreldr.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 1336)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dxkyqldpgyqpreldr.exe*."

C:\Windows\system32\cmd.exe  (PID 3624)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe
    C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe  (PID 4036)  C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe

C:\Windows\system32\cmd.exe  (PID 1972)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe
    C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe  (PID 3612)  C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe

C:\Windows\system32\cmd.exe  (PID 3384)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .
    C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe  (PID 3928)  C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 4632)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\xtiyspjxqkefjyhbrjb.exe*."

C:\Windows\system32\cmd.exe  (PID 3592)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .
    C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe  (PID 4732)  C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 5616)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\xtiyspjxqkefjyhbrjb.exe*."

C:\Windows\system32\cmd.exe  (PID 2624)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .
    C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe  (PID 5672)  C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 5836)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\xtiyspjxqkefjyhbrjb.exe*."

C:\Windows\system32\cmd.exe  (PID 4552)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe
    C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe  (PID 5344)  C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe

C:\Windows\system32\cmd.exe  (PID 5784)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe
    C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe  (PID 5452)  C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe

C:\Windows\system32\cmd.exe  (PID 3584)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe
    C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe  (PID 2380)  C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe

C:\Windows\system32\cmd.exe  (PID 1800)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .
    C:\Windows\System32\Conhost.exe  (PID 4356)  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe  (PID 1832)  C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 2992)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\khxojhcrlgbdiyidungd.exe*."

C:\Windows\system32\cmd.exe  (PID 5372)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .
    C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe  (PID 2428)  C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 4136)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\khxojhcrlgbdiyidungd.exe*."

C:\Windows\system32\cmd.exe  (PID 4500)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .
    C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe  (PID 1048)  C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 2404)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\xtiyspjxqkefjyhbrjb.exe*."

C:\Windows\system32\cmd.exe  (PID 884)  C:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe
    C:\Windows\xtiyspjxqkefjyhbrjb.exe  (PID 1216)  xtiyspjxqkefjyhbrjb.exe

C:\Windows\system32\cmd.exe  (PID 6132)  C:\Windows\system32\cmd.exe /c dxkyqldpgyqpreldr.exe .
    C:\Windows\dxkyqldpgyqpreldr.exe  (PID 4172)  dxkyqldpgyqpreldr.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 1840)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dxkyqldpgyqpreldr.exe*."

C:\Windows\system32\cmd.exe  (PID 2488)  C:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe
    C:\Windows\zxogcbxnieadjalhztnlc.exe  (PID 5156)  zxogcbxnieadjalhztnlc.exe

C:\Windows\system32\cmd.exe  (PID 1184)  C:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe .
    C:\Windows\xtiyspjxqkefjyhbrjb.exe  (PID 5292)  xtiyspjxqkefjyhbrjb.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 5576)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\xtiyspjxqkefjyhbrjb.exe*."

C:\Windows\system32\cmd.exe  (PID 552)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe
    C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe  (PID 5496)  C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe

C:\Windows\system32\cmd.exe  (PID 2468)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .
    C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe  (PID 4448)  C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 2124)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zxogcbxnieadjalhztnlc.exe*."

C:\Windows\system32\cmd.exe  (PID 2628)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe
    C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe  (PID 4784)  C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe

C:\Windows\system32\cmd.exe  (PID 1088)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe .
    C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe  (PID 5312)  C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 1196)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\mhvkdzsfxqjjmaibqh.exe*."

C:\Windows\system32\cmd.exe  (PID 1368)  C:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe
    C:\Windows\wpbofzqbrizxykqh.exe  (PID 4388)  wpbofzqbrizxykqh.exe

C:\Windows\system32\cmd.exe  (PID 3316)  C:\Windows\system32\cmd.exe /c dxkyqldpgyqpreldr.exe .
    C:\Windows\System32\Conhost.exe  (PID 5732)  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\dxkyqldpgyqpreldr.exe  (PID 2740)  dxkyqldpgyqpreldr.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 8)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dxkyqldpgyqpreldr.exe*."

C:\Windows\system32\cmd.exe  (PID 684)  C:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe
    C:\Windows\xtiyspjxqkefjyhbrjb.exe  (PID 4288)  xtiyspjxqkefjyhbrjb.exe

C:\Windows\system32\cmd.exe  (PID 1716)  C:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe .
    C:\Windows\khxojhcrlgbdiyidungd.exe  (PID 756)  khxojhcrlgbdiyidungd.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 3976)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\khxojhcrlgbdiyidungd.exe*."

C:\Windows\system32\cmd.exe  (PID 4728)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe
    C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe  (PID 1392)  C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe

C:\Windows\system32\cmd.exe  (PID 2832)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .
    C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe  (PID 3544)  C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 5908)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zxogcbxnieadjalhztnlc.exe*."

C:\Windows\system32\cmd.exe  (PID 3680)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe
    C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe  (PID 5584)  C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe

C:\Windows\system32\cmd.exe  (PID 2948)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe .
    C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe  (PID 3592)  C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 2184)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\mhvkdzsfxqjjmaibqh.exe*."

C:\Windows\system32\cmd.exe  (PID 4940)  C:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe
    C:\Windows\xtiyspjxqkefjyhbrjb.exe  (PID 1668)  xtiyspjxqkefjyhbrjb.exe

C:\Windows\system32\cmd.exe  (PID 4136)  C:\Windows\system32\cmd.exe /c igvtmleykfbdiyidunec.exe
    C:\Windows\igvtmleykfbdiyidunec.exe  (PID 4848)  igvtmleykfbdiyidunec.exe

C:\Windows\system32\cmd.exe  (PID 624)  C:\Windows\system32\cmd.exe /c mhvkdzsfxqjjmaibqh.exe .
    C:\Windows\mhvkdzsfxqjjmaibqh.exe  (PID 1800)  mhvkdzsfxqjjmaibqh.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 5080)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mhvkdzsfxqjjmaibqh.exe*."

C:\Windows\system32\cmd.exe  (PID 5372)  C:\Windows\system32\cmd.exe /c igvtmleykfbdiyidunec.exe .
    C:\Windows\igvtmleykfbdiyidunec.exe  (PID 4012)  igvtmleykfbdiyidunec.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 5776)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\igvtmleykfbdiyidunec.exe*."

C:\Windows\system32\cmd.exe  (PID 4340)  C:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe
    C:\Windows\wpbofzqbrizxykqh.exe  (PID 4964)  wpbofzqbrizxykqh.exe

C:\Windows\system32\cmd.exe  (PID 1856)  C:\Windows\system32\cmd.exe /c vsgdvtlepjefjyhbrjz.exe
    C:\Windows\vsgdvtlepjefjyhbrjz.exe  (PID 556)  vsgdvtlepjefjyhbrjz.exe

C:\Windows\system32\cmd.exe  (PID 2228)  C:\Windows\system32\cmd.exe /c dxkyqldpgyqpreldr.exe .
    C:\Windows\dxkyqldpgyqpreldr.exe  (PID 4864)  dxkyqldpgyqpreldr.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 5592)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dxkyqldpgyqpreldr.exe*."

C:\Windows\system32\cmd.exe  (PID 4668)  C:\Windows\system32\cmd.exe /c igvtmleykfbdiyidunec.exe .
    C:\Windows\igvtmleykfbdiyidunec.exe  (PID 4152)  igvtmleykfbdiyidunec.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 4540)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\igvtmleykfbdiyidunec.exe*."

C:\Windows\system32\cmd.exe  (PID 4052)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe
    C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe  (PID 3008)  C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe

C:\Windows\system32\cmd.exe  (PID 4880)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igvtmleykfbdiyidunec.exe
    C:\Users\Admin\AppData\Local\Temp\igvtmleykfbdiyidunec.exe  (PID 5368)  C:\Users\Admin\AppData\Local\Temp\igvtmleykfbdiyidunec.exe

C:\Windows\system32\cmd.exe  (PID 6104)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .
    C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe  (PID 5340)  C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 2124)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\khxojhcrlgbdiyidungd.exe*."

C:\Windows\system32\cmd.exe  (PID 1468)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe .
    C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe  (PID 5916)  C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe .
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (PID 4784)  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vsgdvtlepjefjyhbrjz.exe*."

C:\Windows\system32\cmd.exe  (PID 5192)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe
    C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe  (PID 5128)  C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe

C:\Windows\system32\cmd.exe  (PID 6140)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe
-
C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exeC:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe2⤵PID:1464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .1⤵PID:2840
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4520
-
-
C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exeC:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .2⤵PID:1788
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\xtiyspjxqkefjyhbrjb.exe*."3⤵PID:4652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xwmlffzuhdadjalhztlka.exe .1⤵PID:1980
-
C:\Users\Admin\AppData\Local\Temp\xwmlffzuhdadjalhztlka.exeC:\Users\Admin\AppData\Local\Temp\xwmlffzuhdadjalhztlka.exe .2⤵PID:2984
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\xwmlffzuhdadjalhztlka.exe*."3⤵PID:3612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe1⤵PID:1972
-
C:\Windows\khxojhcrlgbdiyidungd.exekhxojhcrlgbdiyidungd.exe2⤵PID:964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dxkyqldpgyqpreldr.exe .1⤵PID:4912
-
C:\Windows\dxkyqldpgyqpreldr.exedxkyqldpgyqpreldr.exe .2⤵PID:3520
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dxkyqldpgyqpreldr.exe*."3⤵PID:4824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe1⤵PID:5932
-
C:\Windows\wpbofzqbrizxykqh.exewpbofzqbrizxykqh.exe2⤵PID:3272
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe .1⤵PID:536
-
C:\Windows\xtiyspjxqkefjyhbrjb.exextiyspjxqkefjyhbrjb.exe .2⤵PID:1068
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\xtiyspjxqkefjyhbrjb.exe*."3⤵PID:4948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe1⤵PID:684
-
C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exeC:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe2⤵PID:3028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe .1⤵PID:3976
-
C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe .2⤵PID:4632
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\mhvkdzsfxqjjmaibqh.exe*."3⤵PID:3088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe1⤵PID:1600
-
C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exeC:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe2⤵PID:3740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .1⤵PID:6056
-
C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exeC:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe .2⤵PID:1364
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\khxojhcrlgbdiyidungd.exe*."3⤵PID:2624
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mhvkdzsfxqjjmaibqh.exe1⤵PID:4308
-
C:\Windows\mhvkdzsfxqjjmaibqh.exemhvkdzsfxqjjmaibqh.exe2⤵PID:5700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mhvkdzsfxqjjmaibqh.exe .1⤵PID:2392
-
C:\Windows\mhvkdzsfxqjjmaibqh.exemhvkdzsfxqjjmaibqh.exe .2⤵PID:1832
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mhvkdzsfxqjjmaibqh.exe*."3⤵PID:3728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe1⤵PID:2696
-
C:\Windows\xtiyspjxqkefjyhbrjb.exextiyspjxqkefjyhbrjb.exe2⤵PID:4180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe .1⤵PID:2496
-
C:\Windows\wpbofzqbrizxykqh.exewpbofzqbrizxykqh.exe .2⤵PID:4908
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wpbofzqbrizxykqh.exe*."3⤵PID:5852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe1⤵PID:392
-
C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exeC:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe2⤵PID:4716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .1⤵PID:5996
-
C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .2⤵PID:5548
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dxkyqldpgyqpreldr.exe*."3⤵PID:3684
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe1⤵PID:244
-
C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exeC:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe2⤵PID:840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe .1⤵PID:4524
-
C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe .2⤵PID:4172
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\mhvkdzsfxqjjmaibqh.exe*."3⤵PID:916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dxkyqldpgyqpreldr.exe1⤵PID:4676
-
C:\Windows\dxkyqldpgyqpreldr.exedxkyqldpgyqpreldr.exe2⤵PID:4592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe .1⤵PID:4884
-
C:\Windows\khxojhcrlgbdiyidungd.exekhxojhcrlgbdiyidungd.exe .2⤵PID:5468
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\khxojhcrlgbdiyidungd.exe*."3⤵PID:4668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe1⤵PID:5356
-
C:\Windows\zxogcbxnieadjalhztnlc.exezxogcbxnieadjalhztnlc.exe2⤵PID:4276
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe .1⤵PID:2520
-
C:\Windows\xtiyspjxqkefjyhbrjb.exextiyspjxqkefjyhbrjb.exe .2⤵PID:4224
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\xtiyspjxqkefjyhbrjb.exe*."3⤵PID:5172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe1⤵PID:4468
-
C:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\mhvkdzsfxqjjmaibqh.exe2⤵PID:2628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe .1⤵PID:400
-
C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exeC:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe .2⤵PID:6140
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wpbofzqbrizxykqh.exe*."3⤵PID:6124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe1⤵PID:5056
-
C:\Windows\zxogcbxnieadjalhztnlc.exezxogcbxnieadjalhztnlc.exe2⤵PID:3436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe1⤵PID:5532
-
C:\Windows\wpbofzqbrizxykqh.exewpbofzqbrizxykqh.exe2⤵PID:4448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe1⤵PID:1788
-
C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exeC:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe2⤵PID:4836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe .1⤵PID:4816
-
C:\Windows\xtiyspjxqkefjyhbrjb.exextiyspjxqkefjyhbrjb.exe .2⤵PID:5556
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\xtiyspjxqkefjyhbrjb.exe*."3⤵PID:1940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .1⤵PID:5752
-
C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exeC:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe .2⤵PID:5020
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\xtiyspjxqkefjyhbrjb.exe*."3⤵PID:3064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe .1⤵PID:3468
-
C:\Windows\khxojhcrlgbdiyidungd.exekhxojhcrlgbdiyidungd.exe .2⤵PID:3300
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\khxojhcrlgbdiyidungd.exe*."3⤵PID:5636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dxkyqldpgyqpreldr.exe1⤵PID:3516
-
C:\Windows\dxkyqldpgyqpreldr.exedxkyqldpgyqpreldr.exe2⤵PID:5432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wpbofzqbrizxykqh.exe .1⤵PID:2560
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3944
-
-
C:\Windows\wpbofzqbrizxykqh.exewpbofzqbrizxykqh.exe .2⤵PID:1672
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wpbofzqbrizxykqh.exe*."3⤵PID:4148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe1⤵PID:4972
-
C:\Windows\khxojhcrlgbdiyidungd.exekhxojhcrlgbdiyidungd.exe2⤵PID:4572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c dxkyqldpgyqpreldr.exe .1⤵PID:5388
-
C:\Windows\dxkyqldpgyqpreldr.exedxkyqldpgyqpreldr.exe .2⤵PID:6056
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\dxkyqldpgyqpreldr.exe*."3⤵PID:2896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe1⤵PID:3624
-
C:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exeC:\Users\Admin\AppData\Local\Temp\xtiyspjxqkefjyhbrjb.exe2⤵PID:5952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe1⤵PID:4312
-
C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exeC:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe2⤵PID:1084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .1⤵PID:5488
-
C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exeC:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .2⤵PID:764
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zxogcbxnieadjalhztnlc.exe*."3⤵PID:4180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .1⤵PID:5344
-
C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exeC:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .2⤵PID:3264
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zxogcbxnieadjalhztnlc.exe*."3⤵PID:4940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe1⤵PID:1060
-
C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exeC:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe2⤵PID:2592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe1⤵PID:1480
-
C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe2⤵PID:968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .1⤵PID:3784
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3592
-
-
C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .2⤵PID:2020
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dxkyqldpgyqpreldr.exe*."3⤵PID:3760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c khxojhcrlgbdiyidungd.exe1⤵PID:2924
-
C:\Windows\khxojhcrlgbdiyidungd.exekhxojhcrlgbdiyidungd.exe2⤵PID:5720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .1⤵PID:5868
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2992
-
-
C:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exeC:\Users\Admin\AppData\Local\Temp\dxkyqldpgyqpreldr.exe .2⤵PID:2232
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\dxkyqldpgyqpreldr.exe*."3⤵PID:5728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mhvkdzsfxqjjmaibqh.exe .1⤵PID:740
-
C:\Windows\mhvkdzsfxqjjmaibqh.exemhvkdzsfxqjjmaibqh.exe .2⤵PID:840
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mhvkdzsfxqjjmaibqh.exe*."3⤵PID:32
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xtiyspjxqkefjyhbrjb.exe1⤵PID:3416
-
C:\Windows\xtiyspjxqkefjyhbrjb.exextiyspjxqkefjyhbrjb.exe2⤵PID:5496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zxogcbxnieadjalhztnlc.exe .1⤵PID:2596
-
C:\Windows\zxogcbxnieadjalhztnlc.exezxogcbxnieadjalhztnlc.exe .2⤵PID:5348
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zxogcbxnieadjalhztnlc.exe*."3⤵PID:2468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe1⤵PID:5616
-
C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exeC:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe2⤵PID:4540
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe .1⤵PID:3400
-
C:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exeC:\Users\Admin\AppData\Local\Temp\wpbofzqbrizxykqh.exe .2⤵PID:1568
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wpbofzqbrizxykqh.exe*."3⤵PID:2528
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe1⤵PID:5012
-
C:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exeC:\Users\Admin\AppData\Local\Temp\khxojhcrlgbdiyidungd.exe2⤵PID:5136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .1⤵PID:100
-
C:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exeC:\Users\Admin\AppData\Local\Temp\zxogcbxnieadjalhztnlc.exe .2⤵PID:5412
-
Network
MITRE ATT&CK Enterprise v16 (count of matched signatures in parentheses)

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads
Filesize  120B
MD5       5a1c910726f1feaf6aac00be29cd6be7
SHA1      7a96b607d34b88c7402c4a8090e8d25fd352430c
SHA256    b0e93fd0131351d31515c193fe2e1d9d18411ccdf206f85566b0b124f2c86fe2
SHA512    6981581ee2b3398a5950e36176b0fcfe045c2108aa8104a99649af3d3d0be2cd0c3ac43413548f23a1017dabdc5f48152b8e55a2dfa79501b570a2a747b75167

Filesize  120B
MD5       5930b52604f8ad818aa84109c3b56923
SHA1      1e422ff0dd98d1f7ee599a7a95976f8cba0ea8c4
SHA256    94ef414bb89d575218fbbd4b177ca956dbfc496499f78e49eb4faebcde1880f8
SHA512    4fab6c669c5bf855889cc0bbdc4d78848e548b13895b693ba30d76b6394779acb97cb404525fa60c52d96643bcfa1ff058d1e3b03f0529ecd061a94197672c6d

Filesize  120B
MD5       fb6c00763badea15aa679ec6d2fbc505
SHA1      60df274d36e1005799c29aa7ee60ece9e06dab14
SHA256    438177aa404b1adcdc494be7d115e624e8fa55a17a0626ca9a14b3ccee317636
SHA512    a804f6979731a99fe8cde2166367f8fefca74ba576c7f5d7e8a5b2e4aa0b927d48d2fb10b14d4464bdb055f1d048e5f3f6302a97fd445a6e5354e33a3a2bde71

Filesize  120B
MD5       0f265654cce096d5a7710f11ddbb75e7
SHA1      8d8c3c2547136a25f261758a638c99fc7e513ddd
SHA256    d35f85ff6f50bd3782e1ddd4c095c425d8bb9b597aa025b943157b332b92fdd0
SHA512    47a40815393fa17a2f00106fc2df9f86fa5eef234108971de9b8a47fc3b66fbb8c8a078e1efb2a9caf33d0c8f6415236642a874435ffc37c65eb2ba48486c80f

Filesize  120B
MD5       0910031ab177413b18f1f45fbe2c7a4d
SHA1      f42970171f047e6224829b2f9435982a6b2a542f
SHA256    510a0975a5ee828513d69ada93e0b8f42c0e5e5afdc0b07f8a2dd1dd05048bb2
SHA512    b9ff7887cbff55771b01c07d9c95e257e9c1620c99341ca746f5eb6d4a25456782fff324ee4fd901fface40b132fde2812e43e15fea7f54ef072a6ac132f2c50

Filesize  120B
MD5       360c8e9be904d9aea8642554b247f2b0
SHA1      7dbb4b1b7dc01c6ad839b863952fe9974a59f253
SHA256    3953df9da7727c3ba226db61c39a04821040993832e11ff4dae9819b9ad95bfe
SHA512    7e2d283de1060b8ce17e1148491763cc8fa333afa734a5d2e4cb9f8c67622c20e54466dd241b1a114dd81c9ddc489b721ab70c065bb76af5742d04f9e2cb45d8

Filesize  308KB
MD5       85cb856b920e7b0b7b75115336fc2af2
SHA1      1d1a207efec2f5187583b652c35aef74ee4c473f
SHA256    6fff20aabe8265b6e811c9dbcb987f9c15cf07d1d8b80ced7b287d96900f5c62
SHA512    120ff9c77c19216e5691b6ba812f09f7db7b46685a391027fff56e5b73200f4211b6bac2c2d28cdfe461d1fbf10f1a3204adeedbd0a34a034a862c6278d901e8

Filesize  676KB
MD5       7fa45da35a4539fc49779fb80ce640fe
SHA1      ffca0bc52006e6833571510b38106d58e180b26e
SHA256    ff70a387540245caee3ba339fb5fa5ea4ed89a9efa522bfd26e9bf38413ea3f5
SHA512    bb96916b04addd58d125792ca46e2b4821e98c03148285a0a07a209a6524088af41b44ba2b4f8cc0ab6beb60734beb72804cebb0aecfa91345e8e18f8382fa18

Filesize  120B
MD5       4aa2d6f69896352d0c7d99703b8d477d
SHA1      eab2982e91c11fdbcb20129baf15a86b0c4a6fcf
SHA256    d74820962239e677fa43b31ad88b88b0d559e0764b58cc2f06976e3b5613990c
SHA512    2494d4a5a72814d176da2beddd67d1b2cf0181ff85e6a5a0bf21c8c4c22c1289c60887f30d608d0462b344ac614ed324db56f7a4f9b014f4e1cdae91aedde09b

Filesize  3KB
MD5       4c2cfe8ece9fe362153ac7543bbb7519
SHA1      116db93440d1180c9da15dd0f2fe68846362dc4e
SHA256    238180d34f131a807ab279183caded384f71fd4d03b2583517b75c89fc043318
SHA512    222a16599b5f49e4462325fe17a492f9857a85cc04e969221e20206c883479e7effaf085fbc6b10d87335a2e6af706932dc27f22333159391213b904d6fb74c0

Filesize  500KB
MD5       b19410583c5cac21e5066dee43513859
SHA1      5a1f933d7ce3a7d5b2001051e4dad32ac0bfeb35
SHA256    226da79bd298b6c72453572e2f34a1b40e19db0c51e10197ac00daf0d499b770
SHA512    c98e8ebcdeeb687d95d20be83d4a7c344c900c6a56fc508d9f4f42789e8dcd35d2c2ea8a142bdfc9da07db382f069b2d41a2bbf6bcf0b7b9a1e24ee3c0bc814c