Analysis
max time kernel: 39s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20250410-en
resource tags: arch:x64 arch:x86 image:win10v2004-20250410-en locale:en-us os:windows10-2004-x64 system
submitted: 12/04/2025, 14:41
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
Resource: win10v2004-20250410-en
General
Target: JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
Size: 492KB
MD5: b28fa6555cafc95802f3ddea94c609ce
SHA1: cc96fa61ef893dc781267ebba3bfa90218e6dcba
SHA256: 13e8f8cf343f9c910a2a465fbfb2504a07fb9224bfad739ab6d70ce8c70681b6
SHA512: 3c5f8d99aa01ab45ea0e5673c0bd593352d446c28cf40e51a3cc77e54a54d197a8e5b8d78cd8df212f16a819a4a067eb987c4cf30a49361e72d39340edc914ba
SSDEEP: 6144:tIX6L0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU:tIX6gtvm1De5YlOx6lzBH46U
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" mutzkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" mutzkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" qjfmnzhratp.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" qjfmnzhratp.exe -
Pykspa family
UAC bypass 3 TTPs 27 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" mutzkm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" mutzkm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mutzkm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" mutzkm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" mutzkm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" mutzkm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" mutzkm.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" qjfmnzhratp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" qjfmnzhratp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" qjfmnzhratp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mutzkm.exe -
Detect Pykspa worm 2 IoCs
resource | yara_rule
behavioral1/files/0x00060000000230bb-4.dat | family_pykspa
behavioral1/files/0x00160000000240ad-102.dat | family_pykspa
Adds policy Run key to start application 2 TTPs 58 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\biglv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fyizvigtnzyanumaq.exe" mutzkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qjfmnzhratp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qjfmnzhratp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qjfmnzhratp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\biglv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zugzxmmbxlmqfoiyqkf.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\biglv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oitliwvjerruiqjypi.exe" qjfmnzhratp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\biglv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fyizvigtnzyanumaq.exe" mutzkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\biglv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zugzxmmbxlmqfoiyqkf.exe" qjfmnzhratp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run mutzkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyzhuynr = "oitliwvjerruiqjypi.exe" qjfmnzhratp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qjfmnzhratp.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyzhuynr = "bymhhyarpfiofqmeyurfa.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyzhuynr = "fyizvigtnzyanumaq.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyzhuynr = "mivpoefvshjoeojatokx.exe" mutzkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\biglv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zugzxmmbxlmqfoiyqkf.exe" mutzkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\biglv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zugzxmmbxlmqfoiyqkf.exe" mutzkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyzhuynr = "oitliwvjerruiqjypi.exe" mutzkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\biglv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zugzxmmbxlmqfoiyqkf.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\istdit = "igvtmleykfbdiyidunec.exe" qjfmnzhratp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\biglv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bymhhyarpfiofqmeyurfa.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\biglv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zugzxmmbxlmqfoiyqkf.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyzhuynr = "fyizvigtnzyanumaq.exe" qjfmnzhratp.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qjfmnzhratp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qjfmnzhratp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyzhuynr = "zugzxmmbxlmqfoiyqkf.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hom = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgtpgdumwpjjmaibqh.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyzhuynr = "fyizvigtnzyanumaq.exe" qjfmnzhratp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run mutzkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\biglv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bymhhyarpfiofqmeyurfa.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyzhuynr = "yqzpkwtfyjhiuare.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyzhuynr = "fyizvigtnzyanumaq.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyzhuynr = "fyizvigtnzyanumaq.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\biglv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fyizvigtnzyanumaq.exe" qjfmnzhratp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\biglv = 
"C:\\Users\\Admin\\AppData\\Local\\Temp\\mivpoefvshjoeojatokx.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\biglv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mivpoefvshjoeojatokx.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyzhuynr = "yqzpkwtfyjhiuare.exe" mutzkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyzhuynr = "yqzpkwtfyjhiuare.exe" mutzkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyzhuynr = "mivpoefvshjoeojatokx.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyzhuynr = "yqzpkwtfyjhiuare.exe" qjfmnzhratp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\biglv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fyizvigtnzyanumaq.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyzhuynr = "oitliwvjerruiqjypi.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\biglv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zugzxmmbxlmqfoiyqkf.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyzhuynr = "yqzpkwtfyjhiuare.exe" qjfmnzhratp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\biglv = 
"C:\\Users\\Admin\\AppData\\Local\\Temp\\fyizvigtnzyanumaq.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\biglv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oitliwvjerruiqjypi.exe" mutzkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyzhuynr = "mivpoefvshjoeojatokx.exe" qjfmnzhratp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oyzhuynr = "bymhhyarpfiofqmeyurfa.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\biglv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mivpoefvshjoeojatokx.exe" qjfmnzhratp.exe -
Disables RegEdit via registry modification 19 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qjfmnzhratp.exe Set value (int) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qjfmnzhratp.exe Set value (int) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qjfmnzhratp.exe Set value (int) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qjfmnzhratp.exe Set value (int) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qjfmnzhratp.exe Set value (int) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qjfmnzhratp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qjfmnzhratp.exe Set value (int) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qjfmnzhratp.exe Set value (int) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qjfmnzhratp.exe Set value (int) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qjfmnzhratp.exe Set value (int) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qjfmnzhratp.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qjfmnzhratp.exe Set value (int) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" mutzkm.exe Set value (int) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" mutzkm.exe Set value (int) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qjfmnzhratp.exe Set value (int) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qjfmnzhratp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" mutzkm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" mutzkm.exe Set value (int) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qjfmnzhratp.exe -
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation zugzxmmbxlmqfoiyqkf.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation bymhhyarpfiofqmeyurfa.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation fyizvigtnzyanumaq.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation bymhhyarpfiofqmeyurfa.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation yqzpkwtfyjhiuare.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation qjfmnzhratp.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation fyizvigtnzyanumaq.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation yqzpkwtfyjhiuare.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation fyizvigtnzyanumaq.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation oitliwvjerruiqjypi.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation mivpoefvshjoeojatokx.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation yqzpkwtfyjhiuare.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation 
yqzpkwtfyjhiuare.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation bymhhyarpfiofqmeyurfa.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation mivpoefvshjoeojatokx.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation bymhhyarpfiofqmeyurfa.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation bymhhyarpfiofqmeyurfa.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation zugzxmmbxlmqfoiyqkf.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation oitliwvjerruiqjypi.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation oitliwvjerruiqjypi.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation oitliwvjerruiqjypi.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation fyizvigtnzyanumaq.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation fyizvigtnzyanumaq.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation bymhhyarpfiofqmeyurfa.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation zugzxmmbxlmqfoiyqkf.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation zugzxmmbxlmqfoiyqkf.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation 
oitliwvjerruiqjypi.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation fyizvigtnzyanumaq.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation fyizvigtnzyanumaq.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation fyizvigtnzyanumaq.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation oitliwvjerruiqjypi.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation oitliwvjerruiqjypi.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation mivpoefvshjoeojatokx.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation fyizvigtnzyanumaq.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation oitliwvjerruiqjypi.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation zugzxmmbxlmqfoiyqkf.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation oitliwvjerruiqjypi.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation yqzpkwtfyjhiuare.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation zugzxmmbxlmqfoiyqkf.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation bymhhyarpfiofqmeyurfa.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation fyizvigtnzyanumaq.exe 
Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation fyizvigtnzyanumaq.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation mivpoefvshjoeojatokx.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation oitliwvjerruiqjypi.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation mivpoefvshjoeojatokx.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation fyizvigtnzyanumaq.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation oitliwvjerruiqjypi.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation fyizvigtnzyanumaq.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation fyizvigtnzyanumaq.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation fyizvigtnzyanumaq.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation fyizvigtnzyanumaq.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation bymhhyarpfiofqmeyurfa.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation zugzxmmbxlmqfoiyqkf.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation bymhhyarpfiofqmeyurfa.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation oitliwvjerruiqjypi.exe Key value queried 
\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation yqzpkwtfyjhiuare.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation oitliwvjerruiqjypi.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation bymhhyarpfiofqmeyurfa.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation zugzxmmbxlmqfoiyqkf.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation zugzxmmbxlmqfoiyqkf.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation fyizvigtnzyanumaq.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation mivpoefvshjoeojatokx.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation bymhhyarpfiofqmeyurfa.exe -
Executes dropped EXE 64 IoCs
pid Process 4508 qjfmnzhratp.exe 4648 yqzpkwtfyjhiuare.exe 5704 bymhhyarpfiofqmeyurfa.exe 5756 qjfmnzhratp.exe 4392 bymhhyarpfiofqmeyurfa.exe 1416 yqzpkwtfyjhiuare.exe 2976 yqzpkwtfyjhiuare.exe 5176 fyizvigtnzyanumaq.exe 5732 qjfmnzhratp.exe 5912 qjfmnzhratp.exe 1628 oitliwvjerruiqjypi.exe 5660 fyizvigtnzyanumaq.exe 2776 qjfmnzhratp.exe 3472 mutzkm.exe 6048 mutzkm.exe 1720 fyizvigtnzyanumaq.exe 1088 fyizvigtnzyanumaq.exe 5044 fyizvigtnzyanumaq.exe 5712 fyizvigtnzyanumaq.exe 2028 qjfmnzhratp.exe 396 qjfmnzhratp.exe 5628 mivpoefvshjoeojatokx.exe 2584 bymhhyarpfiofqmeyurfa.exe 5484 bymhhyarpfiofqmeyurfa.exe 1912 fyizvigtnzyanumaq.exe 2012 mivpoefvshjoeojatokx.exe 4304 bymhhyarpfiofqmeyurfa.exe 516 fyizvigtnzyanumaq.exe 4424 bymhhyarpfiofqmeyurfa.exe 5372 qjfmnzhratp.exe 5756 qjfmnzhratp.exe 2852 qjfmnzhratp.exe 4616 qjfmnzhratp.exe 3568 fyizvigtnzyanumaq.exe 4116 fyizvigtnzyanumaq.exe 4772 fyizvigtnzyanumaq.exe 2960 fyizvigtnzyanumaq.exe 4544 qjfmnzhratp.exe 3480 qjfmnzhratp.exe 5380 bymhhyarpfiofqmeyurfa.exe 5868 zugzxmmbxlmqfoiyqkf.exe 3740 qjfmnzhratp.exe 2644 mivpoefvshjoeojatokx.exe 5428 oitliwvjerruiqjypi.exe 8 zugzxmmbxlmqfoiyqkf.exe 1888 qjfmnzhratp.exe 2380 oitliwvjerruiqjypi.exe 2468 qjfmnzhratp.exe 1644 fyizvigtnzyanumaq.exe 688 bymhhyarpfiofqmeyurfa.exe 1356 qjfmnzhratp.exe 100 bymhhyarpfiofqmeyurfa.exe 1780 zugzxmmbxlmqfoiyqkf.exe 4532 oitliwvjerruiqjypi.exe 2668 fyizvigtnzyanumaq.exe 4764 zugzxmmbxlmqfoiyqkf.exe 2144 qjfmnzhratp.exe 5196 zugzxmmbxlmqfoiyqkf.exe 2032 qjfmnzhratp.exe 4740 fyizvigtnzyanumaq.exe 4720 bymhhyarpfiofqmeyurfa.exe 5908 qjfmnzhratp.exe 6128 oitliwvjerruiqjypi.exe 1960 qjfmnzhratp.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | mutzkm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | mutzkm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | mutzkm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | mutzkm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | mutzkm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | mutzkm.exe
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mutzkm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fyizvigtnzyanumaq.exe" mutzkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgkvlskrfle = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mivpoefvshjoeojatokx.exe ." mutzkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mutzkm = "mivpoefvshjoeojatokx.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ziipbes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fyizvigtnzyanumaq.exe ." mutzkm.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ziipbes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oitliwvjerruiqjypi.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mutzkm = "yqzpkwtfyjhiuare.exe" mutzkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mutzkm = "bymhhyarpfiofqmeyurfa.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgkvlskrfle = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fyizvigtnzyanumaq.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqsbpukpb = "zugzxmmbxlmqfoiyqkf.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgkvlskrfle = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fyizvigtnzyanumaq.exe ." 
qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ziipbes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fyizvigtnzyanumaq.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ziipbes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bymhhyarpfiofqmeyurfa.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mutzkm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqzpkwtfyjhiuare.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ziipbes = "oitliwvjerruiqjypi.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yknxmsjpch = "oitliwvjerruiqjypi.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yknxmsjpch = "yqzpkwtfyjhiuare.exe ." mutzkm.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yknxmsjpch = "fyizvigtnzyanumaq.exe ." mutzkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgkvlskrfle = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bymhhyarpfiofqmeyurfa.exe ." 
qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mutzkm = "bymhhyarpfiofqmeyurfa.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqsbpukpb = "bymhhyarpfiofqmeyurfa.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mutzkm = "yqzpkwtfyjhiuare.exe" mutzkm.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqsbpukpb = "bymhhyarpfiofqmeyurfa.exe" mutzkm.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqsbpukpb = "yqzpkwtfyjhiuare.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ziipbes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fyizvigtnzyanumaq.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mutzkm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mivpoefvshjoeojatokx.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ziipbes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqzpkwtfyjhiuare.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mutzkm = "bymhhyarpfiofqmeyurfa.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ziipbes = "zugzxmmbxlmqfoiyqkf.exe ." 
qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqsbpukpb = "oitliwvjerruiqjypi.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ziipbes = "fyizvigtnzyanumaq.exe ." mutzkm.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yknxmsjpch = "fyizvigtnzyanumaq.exe ." mutzkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgkvlskrfle = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bymhhyarpfiofqmeyurfa.exe ." mutzkm.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqsbpukpb = "mivpoefvshjoeojatokx.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ziipbes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqzpkwtfyjhiuare.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mutzkm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zugzxmmbxlmqfoiyqkf.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mutzkm = "zugzxmmbxlmqfoiyqkf.exe" mutzkm.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yknxmsjpch = "bymhhyarpfiofqmeyurfa.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ziipbes = "mivpoefvshjoeojatokx.exe ." 
qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mutzkm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mivpoefvshjoeojatokx.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yknxmsjpch = "mivpoefvshjoeojatokx.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ziipbes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fyizvigtnzyanumaq.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qejvmunvkrli = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bymhhyarpfiofqmeyurfa.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mutzkm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oitliwvjerruiqjypi.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mutzkm = "yqzpkwtfyjhiuare.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yknxmsjpch = "yqzpkwtfyjhiuare.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ziipbes = "zugzxmmbxlmqfoiyqkf.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqsbpukpb = "fyizvigtnzyanumaq.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ziipbes = "mivpoefvshjoeojatokx.exe ." 
mutzkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qejvmunvkrli = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mivpoefvshjoeojatokx.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mutzkm = "oitliwvjerruiqjypi.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qejvmunvkrli = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bymhhyarpfiofqmeyurfa.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mutzkm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fyizvigtnzyanumaq.exe" mutzkm.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ziipbes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zugzxmmbxlmqfoiyqkf.exe ." mutzkm.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ziipbes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bymhhyarpfiofqmeyurfa.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yknxmsjpch = "oitliwvjerruiqjypi.exe ." mutzkm.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ziipbes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bymhhyarpfiofqmeyurfa.exe ." mutzkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ziipbes = "zugzxmmbxlmqfoiyqkf.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yknxmsjpch = "oitliwvjerruiqjypi.exe ." 
qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgkvlskrfle = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zugzxmmbxlmqfoiyqkf.exe ." mutzkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mutzkm = "oitliwvjerruiqjypi.exe" qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ziipbes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bymhhyarpfiofqmeyurfa.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yknxmsjpch = "fyizvigtnzyanumaq.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ziipbes = "bymhhyarpfiofqmeyurfa.exe ." qjfmnzhratp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qejvmunvkrli = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqzpkwtfyjhiuare.exe" qjfmnzhratp.exe -
Checks whether UAC is enabled 1 TTPs 36 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | qjfmnzhratp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mutzkm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mutzkm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | qjfmnzhratp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mutzkm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | qjfmnzhratp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | qjfmnzhratp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | qjfmnzhratp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | qjfmnzhratp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | qjfmnzhratp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | qjfmnzhratp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mutzkm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qjfmnzhratp.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | mutzkm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | mutzkm.exe
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
20 | www.showmyipaddress.com
23 | www.whatismyip.ca
28 | www.whatismyip.ca
34 | www.whatismyip.ca
37 | whatismyipaddress.com
40 | www.whatismyip.ca
54 | whatismyip.everdot.org
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\fyizvigtnzyanumaq.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\yqzpkwtfyjhiuare.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\oitliwvjerruiqjypi.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\yqzpkwtfyjhiuare.exe mutzkm.exe File opened for modification C:\Windows\SysWOW64\fyizvigtnzyanumaq.exe mutzkm.exe File opened for modification C:\Windows\SysWOW64\bymhhyarpfiofqmeyurfa.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\fyizvigtnzyanumaq.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\fyizvigtnzyanumaq.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\sqfbcuxpofjqiurkfcaplm.exe mutzkm.exe File opened for modification C:\Windows\SysWOW64\mivpoefvshjoeojatokx.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\bymhhyarpfiofqmeyurfa.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\bymhhyarpfiofqmeyurfa.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\yqzpkwtfyjhiuare.exe mutzkm.exe File opened for modification C:\Windows\SysWOW64\mivpoefvshjoeojatokx.exe mutzkm.exe File opened for modification C:\Windows\SysWOW64\oitliwvjerruiqjypi.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\fyizvigtnzyanumaq.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\sqfbcuxpofjqiurkfcaplm.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\fyizvigtnzyanumaq.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\sqfbcuxpofjqiurkfcaplm.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\sqfbcuxpofjqiurkfcaplm.exe mutzkm.exe File opened for modification C:\Windows\SysWOW64\oitliwvjerruiqjypi.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\bymhhyarpfiofqmeyurfa.exe qjfmnzhratp.exe File opened for modification 
C:\Windows\SysWOW64\mivpoefvshjoeojatokx.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\zugzxmmbxlmqfoiyqkf.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\sqfbcuxpofjqiurkfcaplm.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\mivpoefvshjoeojatokx.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\mivpoefvshjoeojatokx.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\zugzxmmbxlmqfoiyqkf.exe mutzkm.exe File opened for modification C:\Windows\SysWOW64\zugzxmmbxlmqfoiyqkf.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\bymhhyarpfiofqmeyurfa.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\mivpoefvshjoeojatokx.exe mutzkm.exe File opened for modification C:\Windows\SysWOW64\bymhhyarpfiofqmeyurfa.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\oitliwvjerruiqjypi.exe mutzkm.exe File opened for modification C:\Windows\SysWOW64\fyizvigtnzyanumaq.exe mutzkm.exe File opened for modification C:\Windows\SysWOW64\oitliwvjerruiqjypi.exe mutzkm.exe File opened for modification C:\Windows\SysWOW64\mivpoefvshjoeojatokx.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\mivpoefvshjoeojatokx.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\bymhhyarpfiofqmeyurfa.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\bymhhyarpfiofqmeyurfa.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\fyizvigtnzyanumaq.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\yqzpkwtfyjhiuare.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\yqzpkwtfyjhiuare.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\oitliwvjerruiqjypi.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\bymhhyarpfiofqmeyurfa.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\yqzpkwtfyjhiuare.exe qjfmnzhratp.exe 
File opened for modification C:\Windows\SysWOW64\mivpoefvshjoeojatokx.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\oitliwvjerruiqjypi.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\sqfbcuxpofjqiurkfcaplm.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\bymhhyarpfiofqmeyurfa.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\fyizvigtnzyanumaq.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\oitliwvjerruiqjypi.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\oitliwvjerruiqjypi.exe qjfmnzhratp.exe File created C:\Windows\SysWOW64\qgnbuezjajfeoshsfukrfyidnenjiswlwjyo.jcm mutzkm.exe File opened for modification C:\Windows\SysWOW64\yqzpkwtfyjhiuare.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\mivpoefvshjoeojatokx.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\zugzxmmbxlmqfoiyqkf.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\bymhhyarpfiofqmeyurfa.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\oitliwvjerruiqjypi.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\zugzxmmbxlmqfoiyqkf.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\mivpoefvshjoeojatokx.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\yqzpkwtfyjhiuare.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\yqzpkwtfyjhiuare.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\oitliwvjerruiqjypi.exe qjfmnzhratp.exe File opened for modification C:\Windows\SysWOW64\oitliwvjerruiqjypi.exe qjfmnzhratp.exe -
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\lqmpxwgfljuihaeegkplowvfe.ith | mutzkm.exe
File created | C:\Program Files (x86)\lqmpxwgfljuihaeegkplowvfe.ith | mutzkm.exe
File opened for modification | C:\Program Files (x86)\qgnbuezjajfeoshsfukrfyidnenjiswlwjyo.jcm | mutzkm.exe
File created | C:\Program Files (x86)\qgnbuezjajfeoshsfukrfyidnenjiswlwjyo.jcm | mutzkm.exe
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\fyizvigtnzyanumaq.exe qjfmnzhratp.exe File opened for modification C:\Windows\oitliwvjerruiqjypi.exe qjfmnzhratp.exe File opened for modification C:\Windows\sqfbcuxpofjqiurkfcaplm.exe qjfmnzhratp.exe File opened for modification C:\Windows\zugzxmmbxlmqfoiyqkf.exe qjfmnzhratp.exe File opened for modification C:\Windows\yqzpkwtfyjhiuare.exe qjfmnzhratp.exe File opened for modification C:\Windows\yqzpkwtfyjhiuare.exe qjfmnzhratp.exe File opened for modification C:\Windows\oitliwvjerruiqjypi.exe qjfmnzhratp.exe File opened for modification C:\Windows\sqfbcuxpofjqiurkfcaplm.exe qjfmnzhratp.exe File opened for modification C:\Windows\mivpoefvshjoeojatokx.exe qjfmnzhratp.exe File opened for modification C:\Windows\oitliwvjerruiqjypi.exe qjfmnzhratp.exe File opened for modification C:\Windows\sqfbcuxpofjqiurkfcaplm.exe qjfmnzhratp.exe File opened for modification C:\Windows\fyizvigtnzyanumaq.exe qjfmnzhratp.exe File opened for modification C:\Windows\mivpoefvshjoeojatokx.exe qjfmnzhratp.exe File opened for modification C:\Windows\mivpoefvshjoeojatokx.exe qjfmnzhratp.exe File opened for modification C:\Windows\sqfbcuxpofjqiurkfcaplm.exe mutzkm.exe File opened for modification C:\Windows\zugzxmmbxlmqfoiyqkf.exe qjfmnzhratp.exe File opened for modification C:\Windows\oitliwvjerruiqjypi.exe qjfmnzhratp.exe File opened for modification C:\Windows\oitliwvjerruiqjypi.exe qjfmnzhratp.exe File opened for modification C:\Windows\bymhhyarpfiofqmeyurfa.exe qjfmnzhratp.exe File opened for modification C:\Windows\sqfbcuxpofjqiurkfcaplm.exe mutzkm.exe File opened for modification C:\Windows\oitliwvjerruiqjypi.exe qjfmnzhratp.exe File opened for modification C:\Windows\bymhhyarpfiofqmeyurfa.exe qjfmnzhratp.exe File opened for modification C:\Windows\bymhhyarpfiofqmeyurfa.exe mutzkm.exe File opened for modification C:\Windows\mivpoefvshjoeojatokx.exe qjfmnzhratp.exe File opened for modification C:\Windows\yqzpkwtfyjhiuare.exe 
qjfmnzhratp.exe File opened for modification C:\Windows\bymhhyarpfiofqmeyurfa.exe mutzkm.exe File opened for modification C:\Windows\fyizvigtnzyanumaq.exe qjfmnzhratp.exe File opened for modification C:\Windows\oitliwvjerruiqjypi.exe qjfmnzhratp.exe File opened for modification C:\Windows\zugzxmmbxlmqfoiyqkf.exe qjfmnzhratp.exe File opened for modification C:\Windows\oitliwvjerruiqjypi.exe qjfmnzhratp.exe File opened for modification C:\Windows\bymhhyarpfiofqmeyurfa.exe qjfmnzhratp.exe File opened for modification C:\Windows\mivpoefvshjoeojatokx.exe qjfmnzhratp.exe File opened for modification C:\Windows\oitliwvjerruiqjypi.exe qjfmnzhratp.exe File opened for modification C:\Windows\zugzxmmbxlmqfoiyqkf.exe qjfmnzhratp.exe File opened for modification C:\Windows\oitliwvjerruiqjypi.exe qjfmnzhratp.exe File opened for modification C:\Windows\bymhhyarpfiofqmeyurfa.exe qjfmnzhratp.exe File opened for modification C:\Windows\yqzpkwtfyjhiuare.exe qjfmnzhratp.exe File opened for modification C:\Windows\zugzxmmbxlmqfoiyqkf.exe qjfmnzhratp.exe File opened for modification C:\Windows\mivpoefvshjoeojatokx.exe qjfmnzhratp.exe File opened for modification C:\Windows\zugzxmmbxlmqfoiyqkf.exe mutzkm.exe File created C:\Windows\qgnbuezjajfeoshsfukrfyidnenjiswlwjyo.jcm mutzkm.exe File opened for modification C:\Windows\sqfbcuxpofjqiurkfcaplm.exe qjfmnzhratp.exe File opened for modification C:\Windows\bymhhyarpfiofqmeyurfa.exe qjfmnzhratp.exe File opened for modification C:\Windows\zugzxmmbxlmqfoiyqkf.exe qjfmnzhratp.exe File opened for modification C:\Windows\zugzxmmbxlmqfoiyqkf.exe qjfmnzhratp.exe File opened for modification C:\Windows\oitliwvjerruiqjypi.exe qjfmnzhratp.exe File opened for modification C:\Windows\fyizvigtnzyanumaq.exe qjfmnzhratp.exe File opened for modification C:\Windows\sqfbcuxpofjqiurkfcaplm.exe qjfmnzhratp.exe File opened for modification C:\Windows\oitliwvjerruiqjypi.exe mutzkm.exe File opened for modification C:\Windows\zugzxmmbxlmqfoiyqkf.exe qjfmnzhratp.exe 
File opened for modification C:\Windows\sqfbcuxpofjqiurkfcaplm.exe qjfmnzhratp.exe File opened for modification C:\Windows\sqfbcuxpofjqiurkfcaplm.exe qjfmnzhratp.exe File opened for modification C:\Windows\fyizvigtnzyanumaq.exe mutzkm.exe File opened for modification C:\Windows\mivpoefvshjoeojatokx.exe mutzkm.exe File opened for modification C:\Windows\mivpoefvshjoeojatokx.exe qjfmnzhratp.exe File opened for modification C:\Windows\bymhhyarpfiofqmeyurfa.exe qjfmnzhratp.exe File opened for modification C:\Windows\sqfbcuxpofjqiurkfcaplm.exe qjfmnzhratp.exe File opened for modification C:\Windows\fyizvigtnzyanumaq.exe qjfmnzhratp.exe File opened for modification C:\Windows\zugzxmmbxlmqfoiyqkf.exe qjfmnzhratp.exe File opened for modification C:\Windows\oitliwvjerruiqjypi.exe mutzkm.exe File opened for modification C:\Windows\mivpoefvshjoeojatokx.exe mutzkm.exe File opened for modification C:\Windows\fyizvigtnzyanumaq.exe qjfmnzhratp.exe File opened for modification C:\Windows\zugzxmmbxlmqfoiyqkf.exe qjfmnzhratp.exe File opened for modification C:\Windows\bymhhyarpfiofqmeyurfa.exe qjfmnzhratp.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fyizvigtnzyanumaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mivpoefvshjoeojatokx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mivpoefvshjoeojatokx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language oitliwvjerruiqjypi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yqzpkwtfyjhiuare.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zugzxmmbxlmqfoiyqkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fyizvigtnzyanumaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fyizvigtnzyanumaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fyizvigtnzyanumaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zugzxmmbxlmqfoiyqkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zugzxmmbxlmqfoiyqkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yqzpkwtfyjhiuare.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mivpoefvshjoeojatokx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yqzpkwtfyjhiuare.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zugzxmmbxlmqfoiyqkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yqzpkwtfyjhiuare.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yqzpkwtfyjhiuare.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bymhhyarpfiofqmeyurfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language oitliwvjerruiqjypi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fyizvigtnzyanumaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bymhhyarpfiofqmeyurfa.exe 
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  oitliwvjerruiqjypi.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fyizvigtnzyanumaq.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mutzkm.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fyizvigtnzyanumaq.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bymhhyarpfiofqmeyurfa.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bymhhyarpfiofqmeyurfa.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  zugzxmmbxlmqfoiyqkf.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mivpoefvshjoeojatokx.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bymhhyarpfiofqmeyurfa.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fyizvigtnzyanumaq.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fyizvigtnzyanumaq.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bymhhyarpfiofqmeyurfa.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fyizvigtnzyanumaq.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  oitliwvjerruiqjypi.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  oitliwvjerruiqjypi.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fyizvigtnzyanumaq.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  oitliwvjerruiqjypi.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  yqzpkwtfyjhiuare.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fyizvigtnzyanumaq.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bymhhyarpfiofqmeyurfa.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qjfmnzhratp.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  yqzpkwtfyjhiuare.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  zugzxmmbxlmqfoiyqkf.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bymhhyarpfiofqmeyurfa.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  zugzxmmbxlmqfoiyqkf.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  oitliwvjerruiqjypi.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fyizvigtnzyanumaq.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mivpoefvshjoeojatokx.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  yqzpkwtfyjhiuare.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  oitliwvjerruiqjypi.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bymhhyarpfiofqmeyurfa.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fyizvigtnzyanumaq.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  yqzpkwtfyjhiuare.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bymhhyarpfiofqmeyurfa.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fyizvigtnzyanumaq.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bymhhyarpfiofqmeyurfa.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mivpoefvshjoeojatokx.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  oitliwvjerruiqjypi.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vsgdvtlepjefjyhbrjz.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fyizvigtnzyanumaq.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  oitliwvjerruiqjypi.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  oitliwvjerruiqjypi.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
3472  mutzkm.exe
3472  mutzkm.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
3472  mutzkm.exe
3472  mutzkm.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  3472  mutzkm.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process                                              procid_target
PID 4100 wrote to memory of 4508   4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe  87
PID 4100 wrote to memory of 4508   4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe  87
PID 4100 wrote to memory of 4508   4100  JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe  87
PID 2300 wrote to memory of 4648   2300  cmd.exe                                              90
PID 2300 wrote to memory of 4648   2300  cmd.exe                                              90
PID 2300 wrote to memory of 4648   2300  cmd.exe                                              90
PID 2148 wrote to memory of 5704   2148  cmd.exe                                              93
PID 2148 wrote to memory of 5704   2148  cmd.exe                                              93
PID 2148 wrote to memory of 5704   2148  cmd.exe                                              93
PID 5704 wrote to memory of 5756   5704  bymhhyarpfiofqmeyurfa.exe                            96
PID 5704 wrote to memory of 5756   5704  bymhhyarpfiofqmeyurfa.exe                            96
PID 5704 wrote to memory of 5756   5704  bymhhyarpfiofqmeyurfa.exe                            96
PID 5132 wrote to memory of 4392   5132  cmd.exe                                              99
PID 5132 wrote to memory of 4392   5132  cmd.exe                                              99
PID 5132 wrote to memory of 4392   5132  cmd.exe                                              99
PID 5988 wrote to memory of 1416   5988  cmd.exe                                              102
PID 5988 wrote to memory of 1416   5988  cmd.exe                                              102
PID 5988 wrote to memory of 1416   5988  cmd.exe                                              102
PID 1536 wrote to memory of 2976   1536  cmd.exe                                              105
PID 1536 wrote to memory of 2976   1536  cmd.exe                                              105
PID 1536 wrote to memory of 2976   1536  cmd.exe                                              105
PID 3092 wrote to memory of 5176   3092  cmd.exe                                              106
PID 3092 wrote to memory of 5176   3092  cmd.exe                                              106
PID 3092 wrote to memory of 5176   3092  cmd.exe                                              106
PID 1416 wrote to memory of 5732   1416  yqzpkwtfyjhiuare.exe                                 107
PID 1416 wrote to memory of 5732   1416  yqzpkwtfyjhiuare.exe                                 107
PID 1416 wrote to memory of 5732   1416  yqzpkwtfyjhiuare.exe                                 107
PID 5176 wrote to memory of 5912   5176  fyizvigtnzyanumaq.exe                                108
PID 5176 wrote to memory of 5912   5176  fyizvigtnzyanumaq.exe                                108
PID 5176 wrote to memory of 5912   5176  fyizvigtnzyanumaq.exe                                108
PID 116 wrote to memory of 1628    116   cmd.exe                                              114
PID 116 wrote to memory of 1628    116   cmd.exe                                              114
PID 116 wrote to memory of 1628    116   cmd.exe                                              114
PID 5208 wrote to memory of 5660   5208  cmd.exe                                              115
PID 5208 wrote to memory of 5660   5208  cmd.exe                                              115
PID 5208 wrote to memory of 5660   5208  cmd.exe                                              115
PID 5660 wrote to memory of 2776   5660  fyizvigtnzyanumaq.exe                                277
PID 5660 wrote to memory of 2776   5660  fyizvigtnzyanumaq.exe                                277
PID 5660 wrote to memory of 2776   5660  fyizvigtnzyanumaq.exe                                277
PID 4508 wrote to memory of 3472   4508  qjfmnzhratp.exe                                      117
PID 4508 wrote to memory of 3472   4508  qjfmnzhratp.exe                                      117
PID 4508 wrote to memory of 3472   4508  qjfmnzhratp.exe                                      117
PID 4508 wrote to memory of 6048   4508  qjfmnzhratp.exe                                      118
PID 4508 wrote to memory of 6048   4508  qjfmnzhratp.exe                                      118
PID 4508 wrote to memory of 6048   4508  qjfmnzhratp.exe                                      118
PID 4244 wrote to memory of 1720   4244  cmd.exe                                              204
PID 4244 wrote to memory of 1720   4244  cmd.exe                                              204
PID 4244 wrote to memory of 1720   4244  cmd.exe                                              204
PID 3156 wrote to memory of 1088   3156  cmd.exe                                              124
PID 3156 wrote to memory of 1088   3156  cmd.exe                                              124
PID 3156 wrote to memory of 1088   3156  cmd.exe                                              124
PID 2916 wrote to memory of 5044   2916  cmd.exe                                              129
PID 2916 wrote to memory of 5044   2916  cmd.exe                                              129
PID 2916 wrote to memory of 5044   2916  cmd.exe                                              129
PID 2668 wrote to memory of 5712   2668  cmd.exe                                              300
PID 2668 wrote to memory of 5712   2668  cmd.exe                                              300
PID 2668 wrote to memory of 5712   2668  cmd.exe                                              300
PID 5044 wrote to memory of 396    5044  fyizvigtnzyanumaq.exe                                143
PID 5044 wrote to memory of 396    5044  fyizvigtnzyanumaq.exe                                143
PID 5044 wrote to memory of 396    5044  fyizvigtnzyanumaq.exe                                143
PID 5712 wrote to memory of 2028   5712  fyizvigtnzyanumaq.exe                                144
PID 5712 wrote to memory of 2028   5712  fyizvigtnzyanumaq.exe                                144
PID 5712 wrote to memory of 2028   5712  fyizvigtnzyanumaq.exe                                144
PID 2224 wrote to memory of 5628   2224  cmd.exe                                              218
System policy modification 1 TTPs 64 IoCs
description      ioc                                                                                              Process
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                     qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"       qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"       qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"       qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"  mutzkm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"       qjfmnzhratp.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                       qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"  mutzkm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"  mutzkm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"       qjfmnzhratp.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                       qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  mutzkm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"  mutzkm.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                       qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"       mutzkm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"  mutzkm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"       qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"  mutzkm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"  mutzkm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"       qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"       qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"       qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"       qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"       qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  mutzkm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"  mutzkm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  mutzkm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"  mutzkm.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                     mutzkm.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                       qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  mutzkm.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                       qjfmnzhratp.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                       qjfmnzhratp.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                       qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"       qjfmnzhratp.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                       mutzkm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"       qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"       mutzkm.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                       qjfmnzhratp.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                       qjfmnzhratp.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                       qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"       qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"  mutzkm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"  mutzkm.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                       mutzkm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  mutzkm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"       qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"       qjfmnzhratp.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                     mutzkm.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                       qjfmnzhratp.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                       qjfmnzhratp.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                       qjfmnzhratp.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                       qjfmnzhratp.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                       qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  mutzkm.exe
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b28fa6555cafc95802f3ddea94c609ce.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4100
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_b28fa6555cafc95802f3ddea94c609ce.exe*"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 4508
        C:\Users\Admin\AppData\Local\Temp\mutzkm.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\mutzkm.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_b28fa6555cafc95802f3ddea94c609ce.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Impair Defenses: Safe Mode Boot
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - System policy modification
          PID: 3472
        C:\Users\Admin\AppData\Local\Temp\mutzkm.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\mutzkm.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_b28fa6555cafc95802f3ddea94c609ce.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
          PID: 6048

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe
  - Suspicious use of WriteProcessMemory
  PID: 2300
    C:\Windows\yqzpkwtfyjhiuare.exe
      Command line: yqzpkwtfyjhiuare.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 4648

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe .
  - Suspicious use of WriteProcessMemory
  PID: 2148
    C:\Windows\bymhhyarpfiofqmeyurfa.exe
      Command line: bymhhyarpfiofqmeyurfa.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 5704
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bymhhyarpfiofqmeyurfa.exe*."
          - Executes dropped EXE
          PID: 5756

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe
  - Suspicious use of WriteProcessMemory
  PID: 5132
    C:\Windows\bymhhyarpfiofqmeyurfa.exe
      Command line: bymhhyarpfiofqmeyurfa.exe
      - Executes dropped EXE
      PID: 4392

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe .
  - Suspicious use of WriteProcessMemory
  PID: 5988
    C:\Windows\yqzpkwtfyjhiuare.exe
      Command line: yqzpkwtfyjhiuare.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1416
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yqzpkwtfyjhiuare.exe*."
          - Executes dropped EXE
          PID: 5732

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe
  - Suspicious use of WriteProcessMemory
  PID: 1536
    C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2976

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
  - Suspicious use of WriteProcessMemory
  PID: 3092
    C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 5176
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\fyizvigtnzyanumaq.exe*."
          - Executes dropped EXE
          PID: 5912

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe
  - Suspicious use of WriteProcessMemory
  PID: 116
    C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 1628

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
  - Suspicious use of WriteProcessMemory
  PID: 5208
    C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 5660
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\fyizvigtnzyanumaq.exe*."
          - Executes dropped EXE
          PID: 2776

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe
  - Suspicious use of WriteProcessMemory
  PID: 4244
    C:\Windows\fyizvigtnzyanumaq.exe
      Command line: fyizvigtnzyanumaq.exe
      - Executes dropped EXE
      PID: 1720

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe
  - Suspicious use of WriteProcessMemory
  PID: 3156
    C:\Windows\fyizvigtnzyanumaq.exe
      Command line: fyizvigtnzyanumaq.exe
      - Executes dropped EXE
      PID: 1088

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe .
  - Suspicious use of WriteProcessMemory
  PID: 2916
    C:\Windows\fyizvigtnzyanumaq.exe
      Command line: fyizvigtnzyanumaq.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 5044
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\fyizvigtnzyanumaq.exe*."
          - Executes dropped EXE
          PID: 396

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe .
  - Suspicious use of WriteProcessMemory
  PID: 2668
    C:\Windows\fyizvigtnzyanumaq.exe
      Command line: fyizvigtnzyanumaq.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 5712
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\fyizvigtnzyanumaq.exe*."
          - Executes dropped EXE
          PID: 2028

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe
  PID: 5588
    C:\Windows\mivpoefvshjoeojatokx.exe
      Command line: mivpoefvshjoeojatokx.exe
      - Executes dropped EXE
      PID: 2012

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe
  - Suspicious use of WriteProcessMemory
  PID: 2224
    C:\Windows\mivpoefvshjoeojatokx.exe
      Command line: mivpoefvshjoeojatokx.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 5628

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe .
  PID: 896
    C:\Windows\fyizvigtnzyanumaq.exe
      Command line: fyizvigtnzyanumaq.exe .
      - Checks computer location settings
      - Executes dropped EXE
      PID: 516
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\fyizvigtnzyanumaq.exe*."
          - Executes dropped EXE
          PID: 5756

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe .
  PID: 2368
    C:\Windows\fyizvigtnzyanumaq.exe
      Command line: fyizvigtnzyanumaq.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 1912
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\fyizvigtnzyanumaq.exe*."
          - Executes dropped EXE
          PID: 2852

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe
  PID: 408
    C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe
      - Executes dropped EXE
      PID: 5484

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe
  PID: 2772
    C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe
      - Executes dropped EXE
      PID: 4304

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .
  PID: 4132
    C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2584
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bymhhyarpfiofqmeyurfa.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
          PID: 5372

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .
  PID: 3912
    C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .
      - Checks computer location settings
      - Executes dropped EXE
      PID: 4424
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bymhhyarpfiofqmeyurfa.exe*."
          - Executes dropped EXE
          PID: 4616

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
  PID: 4288
    C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
      - Executes dropped EXE
      PID: 4116

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
  PID: 5900
    C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
      - Executes dropped EXE
      PID: 4772

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
  PID: 3776
    C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2960
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\fyizvigtnzyanumaq.exe*."
          - Executes dropped EXE
          PID: 4544

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
  PID: 4688
    C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 3568
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\fyizvigtnzyanumaq.exe*."
          - Executes dropped EXE
          PID: 3480

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe
  PID: 6100
    C:\Windows\bymhhyarpfiofqmeyurfa.exe
      Command line: bymhhyarpfiofqmeyurfa.exe
      - Executes dropped EXE
      PID: 5380

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c zugzxmmbxlmqfoiyqkf.exe .
  PID: 5960
    C:\Windows\zugzxmmbxlmqfoiyqkf.exe
      Command line: zugzxmmbxlmqfoiyqkf.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 5868
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zugzxmmbxlmqfoiyqkf.exe*."
          - Executes dropped EXE
          PID: 3740

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe
  PID: 5708
    C:\Windows\mivpoefvshjoeojatokx.exe
      Command line: mivpoefvshjoeojatokx.exe
      - Executes dropped EXE
      PID: 2644

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .
  PID: 1516
    C:\Windows\oitliwvjerruiqjypi.exe
      Command line: oitliwvjerruiqjypi.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 5428
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."
          - Executes dropped EXE
          PID: 1888

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe
  PID: 5668
    C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe
      - Executes dropped EXE
      PID: 8

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .
  PID: 932
    C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2380
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oitliwvjerruiqjypi.exe*."
          - Executes dropped EXE
          PID: 2468

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
  PID: 5832
    C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
      - Executes dropped EXE
      PID: 1644

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .
  PID: 4568
    C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 688
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bymhhyarpfiofqmeyurfa.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
          PID: 1356

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe
  PID: 1720
    C:\Windows\bymhhyarpfiofqmeyurfa.exe
      Command line: bymhhyarpfiofqmeyurfa.exe
      - Executes dropped EXE
      PID: 100

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c zugzxmmbxlmqfoiyqkf.exe
  PID: 436
    C:\Windows\zugzxmmbxlmqfoiyqkf.exe
      Command line: zugzxmmbxlmqfoiyqkf.exe
      - Executes dropped EXE
      PID: 1780

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe
  PID: 5776
    C:\Windows\oitliwvjerruiqjypi.exe
      Command line: oitliwvjerruiqjypi.exe
      - Executes dropped EXE
      PID: 4532

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe .
  PID: 6020
    C:\Windows\fyizvigtnzyanumaq.exe
      Command line: fyizvigtnzyanumaq.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2668
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\fyizvigtnzyanumaq.exe*."
          - Executes dropped EXE
          PID: 2144

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c zugzxmmbxlmqfoiyqkf.exe .
  PID: 2620
    C:\Windows\zugzxmmbxlmqfoiyqkf.exe
      Command line: zugzxmmbxlmqfoiyqkf.exe .
      - Checks computer location settings
      - Executes dropped EXE
      PID: 4764
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zugzxmmbxlmqfoiyqkf.exe*."
          - Executes dropped EXE
          PID: 2032

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe .
  PID: 5628
    C:\Windows\fyizvigtnzyanumaq.exe
      Command line: fyizvigtnzyanumaq.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 4740
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\fyizvigtnzyanumaq.exe*."
          - Executes dropped EXE
          PID: 5908

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c zugzxmmbxlmqfoiyqkf.exe
  PID: 5340
    C:\Windows\zugzxmmbxlmqfoiyqkf.exe
      Command line: zugzxmmbxlmqfoiyqkf.exe
      - Executes dropped EXE
      PID: 5196

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe
  PID: 3820
    C:\Windows\oitliwvjerruiqjypi.exe
      Command line: oitliwvjerruiqjypi.exe
      - Executes dropped EXE
      PID: 6128

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe .
  PID: 5824
    C:\Windows\bymhhyarpfiofqmeyurfa.exe
      Command line: bymhhyarpfiofqmeyurfa.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 4720
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bymhhyarpfiofqmeyurfa.exe*."
          - Executes dropped EXE
          PID: 1960

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe
  PID: 4620
    C:\Windows\bymhhyarpfiofqmeyurfa.exe
      Command line: bymhhyarpfiofqmeyurfa.exe
      PID: 4572

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe
  PID: 4628
-
C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exeC:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe2⤵PID:5216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe .1⤵PID:4660
-
C:\Windows\mivpoefvshjoeojatokx.exemivpoefvshjoeojatokx.exe .2⤵
- Checks computer location settings
PID:4708 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mivpoefvshjoeojatokx.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .1⤵PID:4664
-
C:\Windows\oitliwvjerruiqjypi.exeoitliwvjerruiqjypi.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4024 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."3⤵PID:3092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe1⤵PID:1728
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2584
-
-
C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exeC:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe2⤵
- System Location Discovery: System Language Discovery
PID:4544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe .1⤵PID:5736
-
C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exeC:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:932 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zugzxmmbxlmqfoiyqkf.exe*."3⤵PID:1240
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe .1⤵PID:2860
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2852
-
-
C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exeC:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zugzxmmbxlmqfoiyqkf.exe*."3⤵PID:2336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe1⤵PID:4588
-
C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exeC:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe2⤵PID:5988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe .1⤵PID:4800
-
C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exeC:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe .2⤵
- Checks computer location settings
PID:4176 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\mivpoefvshjoeojatokx.exe*."3⤵PID:548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe1⤵PID:3540
-
C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exeC:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe2⤵PID:4028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe1⤵PID:4712
-
C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exeC:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe2⤵PID:1644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .1⤵PID:5732
-
C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exeC:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .2⤵
- Checks computer location settings
PID:2644 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oitliwvjerruiqjypi.exe*."3⤵PID:3596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe1⤵PID:4704
-
C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exeC:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe2⤵PID:3832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .1⤵PID:3260
-
C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exeC:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3468 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\fyizvigtnzyanumaq.exe*."3⤵PID:2776
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe .1⤵PID:4880
-
C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exeC:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe .2⤵
- Checks computer location settings
PID:5184 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zugzxmmbxlmqfoiyqkf.exe*."3⤵PID:2204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe1⤵PID:524
-
C:\Windows\oitliwvjerruiqjypi.exeoitliwvjerruiqjypi.exe2⤵PID:2508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe .1⤵PID:1420
-
C:\Windows\yqzpkwtfyjhiuare.exeyqzpkwtfyjhiuare.exe .2⤵
- Checks computer location settings
PID:5652 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yqzpkwtfyjhiuare.exe*."3⤵PID:1612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe1⤵PID:5808
-
C:\Windows\fyizvigtnzyanumaq.exefyizvigtnzyanumaq.exe2⤵PID:1460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .1⤵PID:3340
-
C:\Windows\oitliwvjerruiqjypi.exeoitliwvjerruiqjypi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5712 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."3⤵PID:5800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe1⤵PID:2440
-
C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exeC:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe2⤵PID:2712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .1⤵PID:5248
-
C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exeC:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bymhhyarpfiofqmeyurfa.exe*."3⤵PID:2144
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe1⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exeC:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe2⤵PID:4732
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe .1⤵PID:4724
-
C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exeC:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:112 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yqzpkwtfyjhiuare.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe1⤵PID:3828
-
C:\Windows\fyizvigtnzyanumaq.exefyizvigtnzyanumaq.exe2⤵PID:3912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe .1⤵PID:5132
-
C:\Windows\yqzpkwtfyjhiuare.exeyqzpkwtfyjhiuare.exe .2⤵
- System Location Discovery: System Language Discovery
PID:780 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yqzpkwtfyjhiuare.exe*."3⤵PID:4296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe1⤵PID:5584
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1356
-
-
C:\Windows\mivpoefvshjoeojatokx.exemivpoefvshjoeojatokx.exe2⤵PID:5844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .1⤵PID:2760
-
C:\Windows\oitliwvjerruiqjypi.exeoitliwvjerruiqjypi.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4656 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."3⤵PID:4428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe1⤵PID:4576
-
C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exeC:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe2⤵PID:4516
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .1⤵PID:5768
-
C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exeC:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .2⤵
- Checks computer location settings
PID:840 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oitliwvjerruiqjypi.exe*."3⤵PID:336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe1⤵PID:4792
-
C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exeC:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe2⤵PID:3584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .1⤵PID:5764
-
C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exeC:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4900 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\fyizvigtnzyanumaq.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe1⤵PID:6136
-
C:\Windows\bymhhyarpfiofqmeyurfa.exebymhhyarpfiofqmeyurfa.exe2⤵PID:4704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe .1⤵PID:116
-
C:\Windows\bymhhyarpfiofqmeyurfa.exebymhhyarpfiofqmeyurfa.exe .2⤵
- Checks computer location settings
PID:5128 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bymhhyarpfiofqmeyurfa.exe*."3⤵PID:1456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe1⤵PID:3644
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3468
-
-
C:\Windows\fyizvigtnzyanumaq.exefyizvigtnzyanumaq.exe2⤵PID:6072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zugzxmmbxlmqfoiyqkf.exe .1⤵PID:3024
-
C:\Windows\zugzxmmbxlmqfoiyqkf.exezugzxmmbxlmqfoiyqkf.exe .2⤵
- Checks computer location settings
PID:5732 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zugzxmmbxlmqfoiyqkf.exe*."3⤵PID:4772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe1⤵PID:6096
-
C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exeC:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe2⤵PID:4836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .1⤵PID:2532
-
C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exeC:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5012 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bymhhyarpfiofqmeyurfa.exe*."3⤵PID:5180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe1⤵PID:3244
-
C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exeC:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe2⤵PID:3376
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .1⤵PID:3344
-
C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exeC:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .2⤵
- Checks computer location settings
PID:4712 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oitliwvjerruiqjypi.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe1⤵PID:1240
-
C:\Windows\yqzpkwtfyjhiuare.exeyqzpkwtfyjhiuare.exe2⤵PID:1484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe .1⤵PID:1204
-
C:\Windows\mivpoefvshjoeojatokx.exemivpoefvshjoeojatokx.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5240 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mivpoefvshjoeojatokx.exe*."3⤵PID:1516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe1⤵PID:4308
-
C:\Windows\bymhhyarpfiofqmeyurfa.exebymhhyarpfiofqmeyurfa.exe2⤵PID:732
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe .1⤵PID:3408
-
C:\Windows\mivpoefvshjoeojatokx.exemivpoefvshjoeojatokx.exe .2⤵
- Checks computer location settings
PID:1780 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mivpoefvshjoeojatokx.exe*."3⤵PID:2440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe1⤵PID:3636
-
C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exeC:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe2⤵PID:3724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .1⤵PID:5200
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:100
-
-
C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exeC:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .2⤵
- Checks computer location settings
PID:2676 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bymhhyarpfiofqmeyurfa.exe*."3⤵PID:3572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe1⤵PID:4716
-
C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exeC:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe2⤵PID:2772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .1⤵PID:4864
-
C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exeC:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:428 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bymhhyarpfiofqmeyurfa.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe1⤵PID:2504
-
C:\Windows\fyizvigtnzyanumaq.exefyizvigtnzyanumaq.exe2⤵PID:5220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zugzxmmbxlmqfoiyqkf.exe .1⤵PID:1312
-
C:\Windows\zugzxmmbxlmqfoiyqkf.exezugzxmmbxlmqfoiyqkf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zugzxmmbxlmqfoiyqkf.exe*."3⤵PID:1508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe1⤵PID:3420
-
C:\Windows\bymhhyarpfiofqmeyurfa.exebymhhyarpfiofqmeyurfa.exe2⤵PID:4720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .1⤵PID:4700
-
C:\Windows\oitliwvjerruiqjypi.exeoitliwvjerruiqjypi.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5572 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."3⤵PID:1912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe1⤵PID:4304
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6128
-
-
C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exeC:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe2⤵PID:5600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .1⤵PID:440
-
C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exeC:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4576 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bymhhyarpfiofqmeyurfa.exe*."3⤵PID:4916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe1⤵PID:4220
-
C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exeC:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe2⤵PID:336
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .1⤵PID:5552
-
C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exeC:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .2⤵
- Checks computer location settings
PID:684 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bymhhyarpfiofqmeyurfa.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe1⤵PID:2612
-
C:\Windows\fyizvigtnzyanumaq.exefyizvigtnzyanumaq.exe2⤵PID:5704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .1⤵PID:4116
-
C:\Windows\oitliwvjerruiqjypi.exeoitliwvjerruiqjypi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."3⤵PID:4228
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe1⤵PID:3568
-
C:\Windows\bymhhyarpfiofqmeyurfa.exebymhhyarpfiofqmeyurfa.exe2⤵PID:8
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .1⤵PID:1128
-
C:\Windows\oitliwvjerruiqjypi.exeoitliwvjerruiqjypi.exe .2⤵
- Checks computer location settings
PID:6072 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."3⤵PID:4068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe1⤵PID:1392
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1888
-
-
C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exeC:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe2⤵PID:3644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .1⤵PID:3056
-
C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exeC:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oitliwvjerruiqjypi.exe*."3⤵PID:3880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe1⤵PID:6096
-
C:\Windows\yqzpkwtfyjhiuare.exeyqzpkwtfyjhiuare.exe2⤵PID:2932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe1⤵PID:5300
-
C:\Windows\yqzpkwtfyjhiuare.exeyqzpkwtfyjhiuare.exe2⤵PID:2284
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe1⤵PID:624
-
C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exeC:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe2⤵PID:4896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe .1⤵PID:5180
-
C:\Windows\mivpoefvshjoeojatokx.exemivpoefvshjoeojatokx.exe .2⤵
- Checks computer location settings
PID:4280 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mivpoefvshjoeojatokx.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe .1⤵PID:5236
-
C:\Windows\fyizvigtnzyanumaq.exefyizvigtnzyanumaq.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1828 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\fyizvigtnzyanumaq.exe*."3⤵PID:2676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe .1⤵PID:4524
-
C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exeC:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe .2⤵
- Checks computer location settings
PID:4636 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yqzpkwtfyjhiuare.exe*."3⤵PID:5716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe1⤵PID:5136
-
C:\Windows\bymhhyarpfiofqmeyurfa.exebymhhyarpfiofqmeyurfa.exe2⤵PID:5648
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe1⤵PID:3044
-
C:\Windows\bymhhyarpfiofqmeyurfa.exebymhhyarpfiofqmeyurfa.exe2⤵PID:3572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .1⤵PID:5604
-
C:\Windows\oitliwvjerruiqjypi.exeoitliwvjerruiqjypi.exe .2⤵
- Checks computer location settings
PID:3500 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."3⤵PID:5908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe .1⤵PID:872
-
C:\Windows\yqzpkwtfyjhiuare.exeyqzpkwtfyjhiuare.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3984 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yqzpkwtfyjhiuare.exe*."3⤵PID:6020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe1⤵PID:2888
-
C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exeC:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe2⤵PID:2668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe1⤵PID:4312
-
C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exeC:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe2⤵PID:5876
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .1⤵PID:6036
-
C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exeC:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .2⤵
- Checks computer location settings
PID:3972 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bymhhyarpfiofqmeyurfa.exe*."3⤵PID:3948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe .1⤵PID:5072
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1460
-
-
C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exeC:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe .2⤵
- Checks computer location settings
PID:1388 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zugzxmmbxlmqfoiyqkf.exe*."3⤵PID:4492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe1⤵PID:5568
-
C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exeC:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe2⤵PID:3912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .1⤵PID:428
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2144
-
-
C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exeC:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .2⤵
  - System Location Discovery: System Language Discovery
  PID: 5492
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2784): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bymhhyarpfiofqmeyurfa.exe*."

C:\Windows\system32\cmd.exe (PID 2104): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe
  C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe (PID 2224): C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe

C:\Windows\system32\cmd.exe (PID 2504): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe .
  C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe (PID 5988): C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2788): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\mivpoefvshjoeojatokx.exe*."

C:\Windows\system32\cmd.exe (PID 4764): C:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe
  C:\Windows\bymhhyarpfiofqmeyurfa.exe (PID 3580): bymhhyarpfiofqmeyurfa.exe

C:\Windows\system32\cmd.exe (PID 432): C:\Windows\system32\cmd.exe /c zugzxmmbxlmqfoiyqkf.exe .
  C:\Windows\zugzxmmbxlmqfoiyqkf.exe (PID 3380): zugzxmmbxlmqfoiyqkf.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5564): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zugzxmmbxlmqfoiyqkf.exe*."

C:\Windows\system32\cmd.exe (PID 4620): C:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe
  C:\Windows\fyizvigtnzyanumaq.exe (PID 3736): fyizvigtnzyanumaq.exe

C:\Windows\system32\cmd.exe (PID 5528): C:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .
  C:\Windows\oitliwvjerruiqjypi.exe (PID 2012): oitliwvjerruiqjypi.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5380): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."

C:\Windows\system32\cmd.exe (PID 5484): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe
  C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe (PID 2524): C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe

C:\Windows\system32\cmd.exe (PID 5704): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe (PID 3832): C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5912): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\fyizvigtnzyanumaq.exe*."

C:\Windows\system32\cmd.exe (PID 3784): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe
  C:\Windows\System32\Conhost.exe (PID 8): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe (PID 4284): C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe

C:\Windows\system32\cmd.exe (PID 4952): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe .
  C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe (PID 2976): C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5208): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yqzpkwtfyjhiuare.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe (PID 3516): C:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe
  C:\Windows\oitliwvjerruiqjypi.exe (PID 6040): oitliwvjerruiqjypi.exe

C:\Windows\system32\cmd.exe (PID 2436): C:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .
  C:\Windows\oitliwvjerruiqjypi.exe (PID 5632): oitliwvjerruiqjypi.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 3156): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."

C:\Windows\system32\cmd.exe (PID 184): C:\Windows\system32\cmd.exe /c zugzxmmbxlmqfoiyqkf.exe
  C:\Windows\zugzxmmbxlmqfoiyqkf.exe (PID 1264): zugzxmmbxlmqfoiyqkf.exe

C:\Windows\system32\cmd.exe (PID 4324): C:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe .
  C:\Windows\mivpoefvshjoeojatokx.exe (PID 436): mivpoefvshjoeojatokx.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5896): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mivpoefvshjoeojatokx.exe*."

C:\Windows\system32\cmd.exe (PID 4632): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe
  C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe (PID 2216): C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe

C:\Windows\system32\cmd.exe (PID 4944): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe .
  C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe (PID 2668): C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4668): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yqzpkwtfyjhiuare.exe*."

C:\Windows\system32\cmd.exe (PID 3052): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe (PID 5340): C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe

C:\Windows\system32\cmd.exe (PID 5472): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe (PID 1412): C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 3624): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\fyizvigtnzyanumaq.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe (PID 3500): C:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe
  C:\Windows\mivpoefvshjoeojatokx.exe (PID 6020): mivpoefvshjoeojatokx.exe

C:\Windows\system32\cmd.exe (PID 4816): C:\Windows\system32\cmd.exe /c zugzxmmbxlmqfoiyqkf.exe .
  C:\Windows\zugzxmmbxlmqfoiyqkf.exe (PID 3340): zugzxmmbxlmqfoiyqkf.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 1204): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zugzxmmbxlmqfoiyqkf.exe*."

C:\Windows\system32\cmd.exe (PID 3780): C:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe
  C:\Windows\yqzpkwtfyjhiuare.exe (PID 1508): yqzpkwtfyjhiuare.exe

C:\Windows\system32\cmd.exe (PID 6100): C:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .
  C:\Windows\oitliwvjerruiqjypi.exe (PID 3972): oitliwvjerruiqjypi.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 264): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."

C:\Windows\system32\cmd.exe (PID 5020): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe
  C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe (PID 2784): C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe

C:\Windows\system32\cmd.exe (PID 3948): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe .
  C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe (PID 2104): C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 3956): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yqzpkwtfyjhiuare.exe*."

C:\Windows\system32\cmd.exe (PID 1716): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe
  C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe (PID 396): C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe

C:\Windows\system32\cmd.exe (PID 6084): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe (PID 4572): C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2708): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\fyizvigtnzyanumaq.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe (PID 3836): C:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe
  C:\Windows\fyizvigtnzyanumaq.exe (PID 4304): fyizvigtnzyanumaq.exe

C:\Windows\system32\cmd.exe (PID 4128): C:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .
  C:\Windows\oitliwvjerruiqjypi.exe (PID 1200): oitliwvjerruiqjypi.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2488): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."

C:\Windows\system32\cmd.exe (PID 4660): C:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe
  C:\Windows\oitliwvjerruiqjypi.exe (PID 4800): oitliwvjerruiqjypi.exe

C:\Windows\system32\cmd.exe (PID 5960): C:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe .
  C:\Windows\bymhhyarpfiofqmeyurfa.exe (PID 3832): bymhhyarpfiofqmeyurfa.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 6136): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bymhhyarpfiofqmeyurfa.exe*."

C:\Windows\system32\cmd.exe (PID 5552): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe
  C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe (PID 5128): C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe

C:\Windows\system32\cmd.exe (PID 5008): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe (PID 1608): C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5288): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\fyizvigtnzyanumaq.exe*."

C:\Windows\system32\cmd.exe (PID 5968): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe
  C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe (PID 2072): C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe

C:\Windows\system32\cmd.exe (PID 5456): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe .
  C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe (PID 1064): C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4272): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zugzxmmbxlmqfoiyqkf.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe (PID 3484): C:\Windows\system32\cmd.exe /c zugzxmmbxlmqfoiyqkf.exe
  C:\Windows\System32\Conhost.exe (PID 4028): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\zugzxmmbxlmqfoiyqkf.exe (PID 4568): zugzxmmbxlmqfoiyqkf.exe

C:\Windows\system32\cmd.exe (PID 4632): C:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe .
  C:\Windows\bymhhyarpfiofqmeyurfa.exe (PID 3988): bymhhyarpfiofqmeyurfa.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2672): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bymhhyarpfiofqmeyurfa.exe*."

C:\Windows\system32\cmd.exe (PID 4308): C:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe
  C:\Windows\oitliwvjerruiqjypi.exe (PID 3376): oitliwvjerruiqjypi.exe

C:\Windows\system32\cmd.exe (PID 3732): C:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe .
  C:\Windows\fyizvigtnzyanumaq.exe (PID 5544): fyizvigtnzyanumaq.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2044): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\fyizvigtnzyanumaq.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Checks whether UAC is enabled
      - System policy modification
      C:\Users\Admin\AppData\Local\Temp\vgitzlr.exe: "C:\Users\Admin\AppData\Local\Temp\vgitzlr.exe" "-c:\windows\fyizvigtnzyanumaq.exe" (38 instances spawned with this same command line; PIDs 868, 1096, 6136, 3092, 3540, 4212, 6012, 5708, 1616, 3748, 3572, 6128, 5380, 3060, 3636, 5588, 3344, 3116, 3260, 6084, 5624, 6100, 5732, 4316, 5004, 1808, 4688, 5536, 768, 1388, 456, 3596, 5648, 5852, 5768, 5916, 908, 4720)

C:\Windows\system32\cmd.exe (PID 4472): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe
  C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe (PID 4052): C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe

C:\Windows\system32\cmd.exe (PID 3824): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .
  C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe (PID 5472): C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2364): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bymhhyarpfiofqmeyurfa.exe*."

C:\Windows\system32\cmd.exe (PID 4400): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe
  C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe (PID 3460): C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe

C:\Windows\system32\cmd.exe (PID 4356): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe .
  C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe (PID 2736): C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 3724): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\mivpoefvshjoeojatokx.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe (PID 1240): C:\Windows\system32\cmd.exe /c bwidtpfwfxqpreldr.exe
  C:\Windows\bwidtpfwfxqpreldr.exe (PID 2256): bwidtpfwfxqpreldr.exe

C:\Windows\system32\cmd.exe (PID 5744): C:\Windows\system32\cmd.exe /c bwidtpfwfxqpreldr.exe .
  C:\Windows\bwidtpfwfxqpreldr.exe (PID 6032): bwidtpfwfxqpreldr.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5020): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bwidtpfwfxqpreldr.exe*."

C:\Windows\system32\cmd.exe (PID 1884): C:\Windows\system32\cmd.exe /c vsgdvtlepjefjyhbrjz.exe
  C:\Windows\System32\Conhost.exe (PID 4296): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\vsgdvtlepjefjyhbrjz.exe (PID 2288): vsgdvtlepjefjyhbrjz.exe

C:\Windows\system32\cmd.exe (PID 2384): C:\Windows\system32\cmd.exe /c bwidtpfwfxqpreldr.exe .
  C:\Windows\bwidtpfwfxqpreldr.exe (PID 5808): bwidtpfwfxqpreldr.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2584): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bwidtpfwfxqpreldr.exe*."

C:\Windows\system32\cmd.exe (PID 1424): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe
  C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe (PID 3624): C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe
    - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe (PID 3116): C:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe
  C:\Windows\System32\Conhost.exe (PID 4428): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\mivpoefvshjoeojatokx.exe (PID 2100): mivpoefvshjoeojatokx.exe

C:\Windows\system32\cmd.exe (PID 5080): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kgtpgdumwpjjmaibqh.exe .
  C:\Users\Admin\AppData\Local\Temp\kgtpgdumwpjjmaibqh.exe (PID 4552): C:\Users\Admin\AppData\Local\Temp\kgtpgdumwpjjmaibqh.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2732): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\kgtpgdumwpjjmaibqh.exe*."

C:\Windows\system32\cmd.exe (PID 440): C:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe .
  C:\Windows\mivpoefvshjoeojatokx.exe (PID 5100): mivpoefvshjoeojatokx.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 3836): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mivpoefvshjoeojatokx.exe*."

C:\Windows\system32\cmd.exe (PID 1388): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwidtpfwfxqpreldr.exe
  C:\Users\Admin\AppData\Local\Temp\bwidtpfwfxqpreldr.exe (PID 708): C:\Users\Admin\AppData\Local\Temp\bwidtpfwfxqpreldr.exe

C:\Windows\system32\cmd.exe (PID 4304): C:\Windows\system32\cmd.exe /c zugzxmmbxlmqfoiyqkf.exe
  C:\Windows\zugzxmmbxlmqfoiyqkf.exe (PID 5184): zugzxmmbxlmqfoiyqkf.exe

C:\Windows\system32\cmd.exe (PID 4792): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xwmlffzuhdadjalhztlka.exe .
  C:\Users\Admin\AppData\Local\Temp\xwmlffzuhdadjalhztlka.exe (PID 4228): C:\Users\Admin\AppData\Local\Temp\xwmlffzuhdadjalhztlka.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5288): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\xwmlffzuhdadjalhztlka.exe*."

C:\Windows\system32\cmd.exe (PID 548): C:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe .
  C:\Windows\fyizvigtnzyanumaq.exe (PID 840): fyizvigtnzyanumaq.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5764): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\fyizvigtnzyanumaq.exe*."

C:\Windows\system32\cmd.exe (PID 3736): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe
  C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe (PID 4444): C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe

C:\Windows\system32\cmd.exe (PID 5704): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe (PID 2108): C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5384): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\fyizvigtnzyanumaq.exe*."

C:\Windows\system32\cmd.exe (PID 5528): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe (PID 4972): C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe

C:\Windows\system32\cmd.exe (PID 5912): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe (PID 436): C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5196): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\fyizvigtnzyanumaq.exe*."

C:\Windows\system32\cmd.exe (PID 3804): C:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe
  C:\Windows\oitliwvjerruiqjypi.exe (PID 2356): oitliwvjerruiqjypi.exe

C:\Windows\system32\cmd.exe (PID 2096): C:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe
  C:\Windows\mivpoefvshjoeojatokx.exe (PID 524): mivpoefvshjoeojatokx.exe

C:\Windows\system32\cmd.exe (PID 4080): C:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe .
  C:\Windows\mivpoefvshjoeojatokx.exe (PID 1472): mivpoefvshjoeojatokx.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 1488): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mivpoefvshjoeojatokx.exe*."

C:\Windows\system32\cmd.exe (PID 4484): C:\Windows\system32\cmd.exe /c zugzxmmbxlmqfoiyqkf.exe .
  C:\Windows\zugzxmmbxlmqfoiyqkf.exe (PID 5544): zugzxmmbxlmqfoiyqkf.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4272): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zugzxmmbxlmqfoiyqkf.exe*."

C:\Windows\system32\cmd.exe (PID 2088): C:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe
  C:\Windows\mivpoefvshjoeojatokx.exe (PID 3860): mivpoefvshjoeojatokx.exe

C:\Windows\system32\cmd.exe (PID 4568): C:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe
  C:\Windows\oitliwvjerruiqjypi.exe (PID 3620): oitliwvjerruiqjypi.exe

C:\Windows\system32\cmd.exe (PID 3540): C:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .
  C:\Windows\oitliwvjerruiqjypi.exe (PID 3452): oitliwvjerruiqjypi.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4780): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."

C:\Windows\system32\cmd.exe (PID 100): C:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .
  C:\Windows\System32\Conhost.exe (PID 932): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\oitliwvjerruiqjypi.exe (PID 2904): oitliwvjerruiqjypi.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5284): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."

C:\Windows\system32\cmd.exe (PID 5168): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe (PID 1720): C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe

C:\Windows\system32\cmd.exe (PID 2676): C:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe
  C:\Windows\fyizvigtnzyanumaq.exe (PID 4864): fyizvigtnzyanumaq.exe

C:\Windows\system32\cmd.exe (PID 5804): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe
  C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe (PID 840): C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe

C:\Windows\system32\cmd.exe (PID 5396): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .
  C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe (PID 5584): C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2512): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bymhhyarpfiofqmeyurfa.exe*."

C:\Windows\system32\cmd.exe (PID 4644): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe .
  C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe (PID 780): C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4068): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zugzxmmbxlmqfoiyqkf.exe*."

C:\Windows\system32\cmd.exe (PID 2872): C:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe .
  C:\Windows\fyizvigtnzyanumaq.exe (PID 4764): fyizvigtnzyanumaq.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 5840): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\fyizvigtnzyanumaq.exe*."

C:\Windows\system32\cmd.exe (PID 3036): C:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe
  C:\Windows\yqzpkwtfyjhiuare.exe (PID 4596): yqzpkwtfyjhiuare.exe

C:\Windows\system32\cmd.exe (PID 3340): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe
  C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe (PID 1312): C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe

C:\Windows\system32\cmd.exe (PID 5156): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe (PID 5552): C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe

C:\Windows\system32\cmd.exe (PID 3628): C:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .
  C:\Windows\oitliwvjerruiqjypi.exe (PID 4448): oitliwvjerruiqjypi.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 1516): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."

C:\Windows\system32\cmd.exe (PID 4676): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .
  C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe (PID 708): C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 664): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oitliwvjerruiqjypi.exe*."

C:\Windows\system32\cmd.exe (PID 3420): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe (PID 2092): C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 1772): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\fyizvigtnzyanumaq.exe*."

C:\Windows\system32\cmd.exe (PID 3712): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe
  C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe (PID 768): C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe

C:\Windows\system32\cmd.exe (PID 2100): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe .
  C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe (PID 1200): C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 2716): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\mivpoefvshjoeojatokx.exe*."

C:\Windows\system32\cmd.exe (PID 408): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe
  C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe (PID 1936): C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe

C:\Windows\system32\cmd.exe (PID 4284): C:\Windows\system32\cmd.exe /c xwmlffzuhdadjalhztlka.exe
  C:\Windows\xwmlffzuhdadjalhztlka.exe (PID 3460): xwmlffzuhdadjalhztlka.exe

C:\Windows\system32\cmd.exe (PID 4444): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe .
  C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe (PID 4328): C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4636): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yqzpkwtfyjhiuare.exe*."

C:\Windows\system32\cmd.exe (PID 5952): C:\Windows\system32\cmd.exe /c uoztidsiqhzxykqh.exe .
  C:\Windows\uoztidsiqhzxykqh.exe (PID 5936): uoztidsiqhzxykqh.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 3492): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\uoztidsiqhzxykqh.exe*."

C:\Windows\system32\cmd.exe (PID 220): C:\Windows\system32\cmd.exe /c kgtpgdumwpjjmaibqh.exe
  C:\Windows\kgtpgdumwpjjmaibqh.exe (PID 5544): kgtpgdumwpjjmaibqh.exe

C:\Windows\system32\cmd.exe (PID 1064): C:\Windows\system32\cmd.exe /c kgtpgdumwpjjmaibqh.exe .
  C:\Windows\kgtpgdumwpjjmaibqh.exe (PID 2340): kgtpgdumwpjjmaibqh.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4864): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\kgtpgdumwpjjmaibqh.exe*."

C:\Windows\system32\cmd.exe (PID 6124): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kgtpgdumwpjjmaibqh.exe
  C:\Windows\System32\Conhost.exe (PID 5652): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\kgtpgdumwpjjmaibqh.exe (PID 5220): C:\Users\Admin\AppData\Local\Temp\kgtpgdumwpjjmaibqh.exe

C:\Windows\system32\cmd.exe (PID 3244): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igvtmleykfbdiyidunec.exe .
  C:\Users\Admin\AppData\Local\Temp\igvtmleykfbdiyidunec.exe (PID 3408): C:\Users\Admin\AppData\Local\Temp\igvtmleykfbdiyidunec.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 4596): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\igvtmleykfbdiyidunec.exe*."

C:\Windows\system32\cmd.exe (PID 3620): C:\Windows\system32\cmd.exe /c zugzxmmbxlmqfoiyqkf.exe
  C:\Windows\zugzxmmbxlmqfoiyqkf.exe (PID 4872): zugzxmmbxlmqfoiyqkf.exe

C:\Windows\system32\cmd.exe (PID 4204): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uoztidsiqhzxykqh.exe
  C:\Users\Admin\AppData\Local\Temp\uoztidsiqhzxykqh.exe (PID 4552): C:\Users\Admin\AppData\Local\Temp\uoztidsiqhzxykqh.exe

C:\Windows\system32\cmd.exe (PID 3224): C:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .
  C:\Windows\oitliwvjerruiqjypi.exe (PID 3120): oitliwvjerruiqjypi.exe .
    C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe (PID 1716): "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe .1⤵PID:4768
-
C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exeC:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe .2⤵PID:5832
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vsgdvtlepjefjyhbrjz.exe*."3⤵PID:5208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe1⤵PID:4080
-
C:\Windows\fyizvigtnzyanumaq.exefyizvigtnzyanumaq.exe2⤵PID:100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zugzxmmbxlmqfoiyqkf.exe .1⤵PID:4132
-
C:\Windows\zugzxmmbxlmqfoiyqkf.exezugzxmmbxlmqfoiyqkf.exe .2⤵PID:1192
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zugzxmmbxlmqfoiyqkf.exe*."3⤵PID:3140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe1⤵PID:396
-
C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exeC:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe2⤵PID:4448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .1⤵PID:2508
-
C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exeC:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .2⤵PID:6068
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oitliwvjerruiqjypi.exe*."3⤵PID:5324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe1⤵PID:1516
-
C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exeC:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe2⤵PID:1200
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .1⤵PID:3260
-
C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exeC:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .2⤵PID:5680
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bymhhyarpfiofqmeyurfa.exe*."3⤵PID:4072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe1⤵PID:5896
-
C:\Windows\yqzpkwtfyjhiuare.exeyqzpkwtfyjhiuare.exe2⤵PID:2872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe .1⤵PID:5656
-
C:\Windows\yqzpkwtfyjhiuare.exeyqzpkwtfyjhiuare.exe .2⤵PID:5240
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yqzpkwtfyjhiuare.exe*."3⤵PID:1540
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe1⤵PID:5768
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5600
-
-
C:\Windows\mivpoefvshjoeojatokx.exemivpoefvshjoeojatokx.exe2⤵PID:4144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe .1⤵PID:4480
-
C:\Windows\mivpoefvshjoeojatokx.exemivpoefvshjoeojatokx.exe .2⤵PID:2960
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mivpoefvshjoeojatokx.exe*."3⤵PID:220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe1⤵PID:3468
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5544
-
-
C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exeC:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe2⤵PID:524
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .1⤵PID:464
-
C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exeC:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .2⤵PID:5552
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bymhhyarpfiofqmeyurfa.exe*."3⤵PID:4852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe1⤵PID:2772
-
C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exeC:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe2⤵PID:1368
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .1⤵PID:5252
-
C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exeC:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .2⤵PID:1644
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bymhhyarpfiofqmeyurfa.exe*."3⤵PID:5760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zugzxmmbxlmqfoiyqkf.exe1⤵PID:1588
-
C:\Windows\zugzxmmbxlmqfoiyqkf.exezugzxmmbxlmqfoiyqkf.exe2⤵PID:2144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe .1⤵PID:1476
-
C:\Windows\yqzpkwtfyjhiuare.exeyqzpkwtfyjhiuare.exe .2⤵PID:4692
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yqzpkwtfyjhiuare.exe*."3⤵PID:5884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe1⤵PID:4444
-
C:\Windows\yqzpkwtfyjhiuare.exeyqzpkwtfyjhiuare.exe2⤵PID:2720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe .1⤵PID:6140
-
C:\Windows\yqzpkwtfyjhiuare.exeyqzpkwtfyjhiuare.exe .2⤵PID:4920
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yqzpkwtfyjhiuare.exe*."3⤵PID:4876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe1⤵PID:5648
-
C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exeC:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe2⤵PID:5248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe .1⤵PID:944
-
C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exeC:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe .2⤵PID:4052
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yqzpkwtfyjhiuare.exe*."3⤵PID:5732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe1⤵PID:5332
-
C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exeC:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe2⤵PID:2836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .1⤵PID:5128
-
C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exeC:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .2⤵PID:4568
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bymhhyarpfiofqmeyurfa.exe*."3⤵PID:2392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe1⤵PID:4524
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2420
-
-
C:\Windows\bymhhyarpfiofqmeyurfa.exebymhhyarpfiofqmeyurfa.exe2⤵PID:1192
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .1⤵PID:1312
-
C:\Windows\oitliwvjerruiqjypi.exeoitliwvjerruiqjypi.exe .2⤵PID:5624
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."3⤵PID:3736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zugzxmmbxlmqfoiyqkf.exe1⤵PID:4232
-
C:\Windows\zugzxmmbxlmqfoiyqkf.exezugzxmmbxlmqfoiyqkf.exe2⤵PID:4700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .1⤵PID:2508
-
C:\Windows\oitliwvjerruiqjypi.exeoitliwvjerruiqjypi.exe .2⤵PID:5388
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."3⤵PID:3712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe1⤵PID:232
-
C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exeC:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe2⤵PID:3392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .1⤵PID:1632
-
C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exeC:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .2⤵PID:4024
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\fyizvigtnzyanumaq.exe*."3⤵PID:2612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe1⤵PID:4064
-
C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exeC:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe2⤵PID:2188
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .1⤵PID:4252
-
C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exeC:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .2⤵PID:3444
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oitliwvjerruiqjypi.exe*."3⤵PID:4832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe1⤵PID:5776
-
C:\Windows\bymhhyarpfiofqmeyurfa.exebymhhyarpfiofqmeyurfa.exe2⤵PID:5240
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe .1⤵PID:4728
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4068
-
-
C:\Windows\fyizvigtnzyanumaq.exefyizvigtnzyanumaq.exe .2⤵PID:2736
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\fyizvigtnzyanumaq.exe*."3⤵PID:868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe1⤵PID:4116
-
C:\Windows\bymhhyarpfiofqmeyurfa.exebymhhyarpfiofqmeyurfa.exe2⤵PID:408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .1⤵PID:4648
-
C:\Windows\oitliwvjerruiqjypi.exeoitliwvjerruiqjypi.exe .2⤵PID:3816
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."3⤵PID:464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe1⤵PID:2972
-
C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exeC:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe2⤵PID:4620
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .1⤵PID:6040
-
C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exeC:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .2⤵PID:5068
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bymhhyarpfiofqmeyurfa.exe*."3⤵PID:1472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe1⤵PID:3860
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5912
-
-
C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exeC:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe2⤵PID:4328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .1⤵PID:2364
-
C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exeC:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .2⤵PID:3940
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bymhhyarpfiofqmeyurfa.exe*."3⤵PID:744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe1⤵PID:5472
-
C:\Windows\mivpoefvshjoeojatokx.exemivpoefvshjoeojatokx.exe2⤵PID:3592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe1⤵PID:6044
-
C:\Windows\bymhhyarpfiofqmeyurfa.exebymhhyarpfiofqmeyurfa.exe2⤵PID:4508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe1⤵PID:5176
-
C:\Windows\fyizvigtnzyanumaq.exefyizvigtnzyanumaq.exe2⤵PID:4484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe .1⤵PID:4584
-
C:\Windows\bymhhyarpfiofqmeyurfa.exebymhhyarpfiofqmeyurfa.exe .2⤵PID:6004
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bymhhyarpfiofqmeyurfa.exe*."3⤵PID:4212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .1⤵PID:5772
-
C:\Windows\oitliwvjerruiqjypi.exeoitliwvjerruiqjypi.exe .2⤵PID:5996
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."3⤵PID:5184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .1⤵PID:5908
-
C:\Windows\oitliwvjerruiqjypi.exeoitliwvjerruiqjypi.exe .2⤵PID:5208
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."3⤵PID:3892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe1⤵PID:5564
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4280
-
-
C:\Windows\yqzpkwtfyjhiuare.exeyqzpkwtfyjhiuare.exe2⤵PID:960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe1⤵PID:4080
-
C:\Windows\fyizvigtnzyanumaq.exefyizvigtnzyanumaq.exe2⤵PID:3052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe1⤵PID:2440
-
C:\Windows\mivpoefvshjoeojatokx.exemivpoefvshjoeojatokx.exe2⤵PID:4400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe .1⤵PID:3676
-
C:\Windows\bymhhyarpfiofqmeyurfa.exebymhhyarpfiofqmeyurfa.exe .2⤵PID:1884
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bymhhyarpfiofqmeyurfa.exe*."3⤵PID:4492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .1⤵PID:5960
-
C:\Windows\oitliwvjerruiqjypi.exeoitliwvjerruiqjypi.exe .2⤵PID:3944
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."3⤵PID:8
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe .1⤵PID:1412
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4836
-
-
C:\Windows\fyizvigtnzyanumaq.exefyizvigtnzyanumaq.exe .2⤵PID:816
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\fyizvigtnzyanumaq.exe*."3⤵PID:2012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe1⤵PID:4568
-
C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exeC:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe2⤵PID:2668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe1⤵PID:2672
-
C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exeC:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe2⤵PID:4736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe .1⤵PID:3140
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5180
-
-
C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exeC:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe .2⤵PID:316
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zugzxmmbxlmqfoiyqkf.exe*."3⤵PID:4028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe1⤵PID:5456
-
C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exeC:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe2⤵PID:4588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe .1⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exeC:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe .2⤵PID:5812
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\mivpoefvshjoeojatokx.exe*."3⤵PID:5380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .1⤵PID:5932
-
C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exeC:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .2⤵PID:4232
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oitliwvjerruiqjypi.exe*."3⤵PID:2764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe1⤵PID:5388
-
C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exeC:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe2⤵PID:4952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe1⤵PID:624
-
C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exeC:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe2⤵PID:4900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe .1⤵PID:5900
-
C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exeC:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe .2⤵PID:5372
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\mivpoefvshjoeojatokx.exe*."3⤵PID:4180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe .1⤵PID:5956
-
C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exeC:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe .2⤵PID:620
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yqzpkwtfyjhiuare.exe*."3⤵PID:1644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe1⤵PID:5408
-
C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exeC:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe2⤵PID:4708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .1⤵PID:2264
-
C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exeC:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .2⤵PID:5768
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oitliwvjerruiqjypi.exe*."3⤵PID:2028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zugzxmmbxlmqfoiyqkf.exe1⤵PID:2772
-
C:\Windows\zugzxmmbxlmqfoiyqkf.exezugzxmmbxlmqfoiyqkf.exe2⤵PID:1812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xwmlffzuhdadjalhztlka.exe1⤵PID:4072
-
C:\Windows\xwmlffzuhdadjalhztlka.exexwmlffzuhdadjalhztlka.exe2⤵PID:4272
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe .1⤵PID:6124
-
C:\Windows\bymhhyarpfiofqmeyurfa.exebymhhyarpfiofqmeyurfa.exe .2⤵PID:4788
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bymhhyarpfiofqmeyurfa.exe*."3⤵PID:1092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igvtmleykfbdiyidunec.exe .1⤵PID:2364
-
C:\Windows\igvtmleykfbdiyidunec.exeigvtmleykfbdiyidunec.exe .2⤵PID:4536
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\igvtmleykfbdiyidunec.exe*."3⤵PID:2084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe1⤵PID:1296
-
C:\Windows\yqzpkwtfyjhiuare.exeyqzpkwtfyjhiuare.exe2⤵PID:4444
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xwmlffzuhdadjalhztlka.exe1⤵PID:4692
-
C:\Windows\xwmlffzuhdadjalhztlka.exexwmlffzuhdadjalhztlka.exe2⤵PID:1124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe .1⤵PID:3608
-
C:\Windows\fyizvigtnzyanumaq.exefyizvigtnzyanumaq.exe .2⤵PID:2584
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\fyizvigtnzyanumaq.exe*."3⤵PID:780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c igvtmleykfbdiyidunec.exe .1⤵PID:5348
-
C:\Windows\igvtmleykfbdiyidunec.exeigvtmleykfbdiyidunec.exe .2⤵PID:5876
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\igvtmleykfbdiyidunec.exe*."3⤵PID:5160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe1⤵PID:1912
-
C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exeC:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe2⤵PID:5208
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bwidtpfwfxqpreldr.exe1⤵PID:5888
-
C:\Users\Admin\AppData\Local\Temp\bwidtpfwfxqpreldr.exeC:\Users\Admin\AppData\Local\Temp\bwidtpfwfxqpreldr.exe2⤵PID:3736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe .1⤵PID:1608
-
C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exeC:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe .2⤵PID:232
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zugzxmmbxlmqfoiyqkf.exe*."3⤵PID:3620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igvtmleykfbdiyidunec.exe .1⤵PID:4584
-
C:\Users\Admin\AppData\Local\Temp\igvtmleykfbdiyidunec.exeC:\Users\Admin\AppData\Local\Temp\igvtmleykfbdiyidunec.exe .2⤵PID:5920
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\igvtmleykfbdiyidunec.exe*."3⤵PID:2836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe1⤵PID:3700
-
C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exeC:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe2⤵PID:4712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe1⤵PID:1660
-
C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exeC:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe2⤵PID:5044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe .1⤵PID:5852
-
C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exeC:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe .2⤵PID:1192
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\mivpoefvshjoeojatokx.exe*."3⤵PID:3916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\igvtmleykfbdiyidunec.exe .1⤵PID:3500
-
C:\Users\Admin\AppData\Local\Temp\igvtmleykfbdiyidunec.exeC:\Users\Admin\AppData\Local\Temp\igvtmleykfbdiyidunec.exe .2⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\igvtmleykfbdiyidunec.exe*."3⤵PID:4448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe1⤵PID:6136
-
C:\Windows\bymhhyarpfiofqmeyurfa.exebymhhyarpfiofqmeyurfa.exe2⤵PID:5708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .1⤵PID:2664
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2224
-
-
C:\Windows\oitliwvjerruiqjypi.exeoitliwvjerruiqjypi.exe .2⤵PID:1720
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."3⤵PID:3828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zugzxmmbxlmqfoiyqkf.exe1⤵PID:4116
-
C:\Windows\zugzxmmbxlmqfoiyqkf.exezugzxmmbxlmqfoiyqkf.exe2⤵PID:5604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe .1⤵PID:3368
-
C:\Windows\fyizvigtnzyanumaq.exefyizvigtnzyanumaq.exe .2⤵PID:5288
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\fyizvigtnzyanumaq.exe*."3⤵PID:4852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe1⤵PID:5764
-
C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exeC:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe2⤵PID:3624
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .1⤵PID:5932
-
C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exeC:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .2⤵PID:5840
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oitliwvjerruiqjypi.exe*."3⤵PID:688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe1⤵PID:4848
-
C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exeC:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe2⤵PID:1484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .1⤵PID:4524
-
C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exeC:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .2⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bymhhyarpfiofqmeyurfa.exe*."3⤵PID:3644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zugzxmmbxlmqfoiyqkf.exe1⤵PID:4576
-
C:\Windows\zugzxmmbxlmqfoiyqkf.exezugzxmmbxlmqfoiyqkf.exe2⤵PID:4288
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe .1⤵PID:4024
-
C:\Windows\mivpoefvshjoeojatokx.exemivpoefvshjoeojatokx.exe .2⤵PID:708
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mivpoefvshjoeojatokx.exe*."3⤵PID:5252
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe1⤵PID:4832
-
C:\Windows\fyizvigtnzyanumaq.exefyizvigtnzyanumaq.exe2⤵PID:2400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe .1⤵PID:5020
-
C:\Windows\mivpoefvshjoeojatokx.exemivpoefvshjoeojatokx.exe .2⤵PID:4788
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mivpoefvshjoeojatokx.exe*."3⤵PID:4508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe1⤵PID:2524
-
Process tree (indentation = parent/child depth; each line: PID, image path | command line):
  PID 3940  C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe  |  C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe
PID 1440  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe .
  PID 1668  C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe  |  C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe .
    PID 1780  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yqzpkwtfyjhiuare.exe*."
PID 4944  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe
  PID 3636  C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe  |  C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe
PID 1516  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
  PID 1424  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe  |  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
    PID 4188  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\fyizvigtnzyanumaq.exe*."
PID 3556  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe
  PID 4876  C:\Windows\bymhhyarpfiofqmeyurfa.exe  |  bymhhyarpfiofqmeyurfa.exe
PID 952  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe .
  PID 516  C:\Windows\bymhhyarpfiofqmeyurfa.exe  |  bymhhyarpfiofqmeyurfa.exe .
    PID 100  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bymhhyarpfiofqmeyurfa.exe*."
PID 1608  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe
  PID 3484  C:\Windows\mivpoefvshjoeojatokx.exe  |  mivpoefvshjoeojatokx.exe
PID 5608  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe .
  PID 4588  C:\Windows\mivpoefvshjoeojatokx.exe  |  mivpoefvshjoeojatokx.exe .
    PID 4700  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mivpoefvshjoeojatokx.exe*."
PID 3304  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe
  PID 732  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 3984  C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe  |  C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe
PID 3356  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
  PID 3676  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe  |  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
    PID 2672  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\fyizvigtnzyanumaq.exe*."
PID 1540  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe
  PID 4736  C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe  |  C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe
PID 4988  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe .
  PID 1772  C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe  |  C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe .
    PID 5752  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zugzxmmbxlmqfoiyqkf.exe*."
PID 4176  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe
  PID 5092  C:\Windows\oitliwvjerruiqjypi.exe  |  oitliwvjerruiqjypi.exe
PID 3828  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe .
  PID 3460  C:\Windows\yqzpkwtfyjhiuare.exe  |  yqzpkwtfyjhiuare.exe .
    PID 3624  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yqzpkwtfyjhiuare.exe*."
PID 6132  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe
  PID 1456  C:\Windows\mivpoefvshjoeojatokx.exe  |  mivpoefvshjoeojatokx.exe
PID 3816  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c zugzxmmbxlmqfoiyqkf.exe .
  PID 4624  C:\Windows\zugzxmmbxlmqfoiyqkf.exe  |  zugzxmmbxlmqfoiyqkf.exe .
    PID 3632  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zugzxmmbxlmqfoiyqkf.exe*."
PID 4556  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
  PID 5904  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe  |  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
PID 5452  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .
  PID 1484  C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe  |  C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .
    PID 672  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oitliwvjerruiqjypi.exe*."
PID 524  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe
  PID 4476  C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe  |  C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe
PID 2716  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe .
  PID 5436  C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe  |  C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe .
    PID 3344  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\mivpoefvshjoeojatokx.exe*."
PID 4648  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe
  PID 2504  C:\Windows\yqzpkwtfyjhiuare.exe  |  yqzpkwtfyjhiuare.exe
PID 1632  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe .
  PID 1264  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 708  C:\Windows\bymhhyarpfiofqmeyurfa.exe  |  bymhhyarpfiofqmeyurfa.exe .
    PID 3860  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bymhhyarpfiofqmeyurfa.exe*."
PID 3036  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c zugzxmmbxlmqfoiyqkf.exe
  PID 2708  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 5156  C:\Windows\zugzxmmbxlmqfoiyqkf.exe  |  zugzxmmbxlmqfoiyqkf.exe
PID 2488  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .
  PID 932  C:\Windows\oitliwvjerruiqjypi.exe  |  oitliwvjerruiqjypi.exe .
    PID 5276  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."
PID 2524  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe
  PID 4536  C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe  |  C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe
PID 3172  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .
  PID 5020  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 4484  C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe  |  C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .
    PID 4464  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oitliwvjerruiqjypi.exe*."
PID 1268  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe
  PID 2704  C:\Windows\yqzpkwtfyjhiuare.exe  |  yqzpkwtfyjhiuare.exe
PID 184  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe
  PID 668  C:\Windows\mivpoefvshjoeojatokx.exe  |  mivpoefvshjoeojatokx.exe
PID 1476  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .
  PID 4316  C:\Windows\oitliwvjerruiqjypi.exe  |  oitliwvjerruiqjypi.exe .
    PID 4052  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."
PID 4944  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
  PID 5588  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe  |  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
PID 4356  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
  PID 3304  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe  |  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
    PID 4568  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\fyizvigtnzyanumaq.exe*."
PID 1516  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe .
  PID 5848  C:\Windows\yqzpkwtfyjhiuare.exe  |  yqzpkwtfyjhiuare.exe .
    PID 4236  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yqzpkwtfyjhiuare.exe*."
PID 2540  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe
  PID 4588  C:\Windows\mivpoefvshjoeojatokx.exe  |  mivpoefvshjoeojatokx.exe
PID 232  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe .
  PID 5232  C:\Windows\mivpoefvshjoeojatokx.exe  |  mivpoefvshjoeojatokx.exe .
    PID 3828  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mivpoefvshjoeojatokx.exe*."
PID 2620  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe
  PID 5456  C:\Windows\yqzpkwtfyjhiuare.exe  |  yqzpkwtfyjhiuare.exe
PID 952  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
  PID 440  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe  |  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
PID 1528  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c zugzxmmbxlmqfoiyqkf.exe .
  PID 6136  C:\Windows\zugzxmmbxlmqfoiyqkf.exe  |  zugzxmmbxlmqfoiyqkf.exe .
    PID 5084  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zugzxmmbxlmqfoiyqkf.exe*."
PID 4584  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe .
  PID 468  C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe  |  C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe .
    PID 2468  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\mivpoefvshjoeojatokx.exe*."
PID 3836  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe
  PID 5936  C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe  |  C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe
PID 2928  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .
  PID 6004  C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe  |  C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .
    PID 3880  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oitliwvjerruiqjypi.exe*."
PID 1964  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe
  PID 1868  C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe  |  C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe
PID 880  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe .
  PID 4056  C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe  |  C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe .
    PID 4924  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zugzxmmbxlmqfoiyqkf.exe*."
PID 552  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe
  PID 5080  C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe  |  C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe
PID 1576  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe
  PID 5960  C:\Windows\yqzpkwtfyjhiuare.exe  |  yqzpkwtfyjhiuare.exe
PID 452  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .
  PID 4480  C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe  |  C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .
    PID 4816  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bymhhyarpfiofqmeyurfa.exe*."
PID 3460  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe .
  PID 3444  C:\Windows\bymhhyarpfiofqmeyurfa.exe  |  bymhhyarpfiofqmeyurfa.exe .
    PID 4628  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bymhhyarpfiofqmeyurfa.exe*."
PID 1652  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe
  PID 2028  C:\Windows\bymhhyarpfiofqmeyurfa.exe  |  bymhhyarpfiofqmeyurfa.exe
PID 5380  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .
  PID 1204  C:\Windows\oitliwvjerruiqjypi.exe  |  oitliwvjerruiqjypi.exe .
    PID 4288  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\oitliwvjerruiqjypi.exe*."
PID 6104  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
  PID 5768  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe  |  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
PID 2836  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
  PID 5068  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe  |  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe .
    PID 5896  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\fyizvigtnzyanumaq.exe*."
PID 5520  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c igvtmleykfbdiyidunec.exe
  PID 4372  C:\Windows\igvtmleykfbdiyidunec.exe  |  igvtmleykfbdiyidunec.exe
PID 2732  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe
  PID 1996  C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe  |  C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe
PID 4272  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c uoztidsiqhzxykqh.exe .
  PID 5572  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 4532  C:\Windows\uoztidsiqhzxykqh.exe  |  uoztidsiqhzxykqh.exe .
    PID 5652  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\uoztidsiqhzxykqh.exe*."
PID 1812  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe .
  PID 312  C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe  |  C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe .
    PID 5368  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\mivpoefvshjoeojatokx.exe*."
PID 3420  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vsgdvtlepjefjyhbrjz.exe
  PID 5980  C:\Windows\vsgdvtlepjefjyhbrjz.exe  |  vsgdvtlepjefjyhbrjz.exe
PID 1780  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c bwidtpfwfxqpreldr.exe .
  PID 5128  C:\Windows\bwidtpfwfxqpreldr.exe  |  bwidtpfwfxqpreldr.exe .
    PID 4672  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bwidtpfwfxqpreldr.exe*."
PID 3948  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe
  PID 5208  C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe  |  C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe
PID 3172  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe .
  PID 6088  C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe  |  C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe .
    PID 5952  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vsgdvtlepjefjyhbrjz.exe*."
PID 4944  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe
  PID 5888  C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe  |  C:\Users\Admin\AppData\Local\Temp\vsgdvtlepjefjyhbrjz.exe
PID 5772  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe
  PID 1480  C:\Windows\yqzpkwtfyjhiuare.exe  |  yqzpkwtfyjhiuare.exe
PID 5548  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uoztidsiqhzxykqh.exe .
  PID 4232  C:\Users\Admin\AppData\Local\Temp\uoztidsiqhzxykqh.exe  |  C:\Users\Admin\AppData\Local\Temp\uoztidsiqhzxykqh.exe .
    PID 3448  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\uoztidsiqhzxykqh.exe*."
PID 64  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe .
  PID 1784  C:\Windows\fyizvigtnzyanumaq.exe  |  fyizvigtnzyanumaq.exe .
    PID 3484  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\fyizvigtnzyanumaq.exe*."
PID 2620  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe
  PID 2508  C:\Windows\yqzpkwtfyjhiuare.exe  |  yqzpkwtfyjhiuare.exe
PID 2100  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c fyizvigtnzyanumaq.exe .
  PID 1856  C:\Windows\fyizvigtnzyanumaq.exe  |  fyizvigtnzyanumaq.exe .
    PID 5876  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\fyizvigtnzyanumaq.exe*."
PID 4368  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe
  PID 548  C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe  |  C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe
PID 4580  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .
  PID 4740  C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe  |  C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .
    PID 4556  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bymhhyarpfiofqmeyurfa.exe*."
PID 5240  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe
  PID 2440  C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe  |  C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe
PID 5220  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .
  PID 5064  C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe  |  C:\Users\Admin\AppData\Local\Temp\bymhhyarpfiofqmeyurfa.exe .
    PID 2216  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\bymhhyarpfiofqmeyurfa.exe*."
PID 3444  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe
  PID 4628  C:\Windows\bymhhyarpfiofqmeyurfa.exe  |  bymhhyarpfiofqmeyurfa.exe
PID 624  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe .
  PID 2664  C:\Windows\mivpoefvshjoeojatokx.exe  |  mivpoefvshjoeojatokx.exe .
    PID 4864  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\mivpoefvshjoeojatokx.exe*."
PID 456  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe
  PID 5356  C:\Windows\yqzpkwtfyjhiuare.exe  |  yqzpkwtfyjhiuare.exe
PID 4924  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c zugzxmmbxlmqfoiyqkf.exe .
  PID 5100  C:\Windows\zugzxmmbxlmqfoiyqkf.exe  |  zugzxmmbxlmqfoiyqkf.exe .
    PID 4024  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\zugzxmmbxlmqfoiyqkf.exe*."
PID 3804  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe
  PID 5892  C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe  |  C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe
PID 3328  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe .
  PID 5896  C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe  |  C:\Users\Admin\AppData\Local\Temp\zugzxmmbxlmqfoiyqkf.exe .
    PID 4832  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\zugzxmmbxlmqfoiyqkf.exe*."
PID 3616  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
  PID 1716  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe  |  C:\Users\Admin\AppData\Local\Temp\fyizvigtnzyanumaq.exe
PID 3900  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .
  PID 5252  C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe  |  C:\Users\Admin\AppData\Local\Temp\oitliwvjerruiqjypi.exe .
    PID 3956  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\oitliwvjerruiqjypi.exe*."
PID 3940  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe
  PID 2364  C:\Windows\mivpoefvshjoeojatokx.exe  |  mivpoefvshjoeojatokx.exe
PID 4768  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe .
  PID 5824  C:\Windows\bymhhyarpfiofqmeyurfa.exe  |  bymhhyarpfiofqmeyurfa.exe .
    PID 3380  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  |  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bymhhyarpfiofqmeyurfa.exe*."
PID 1088  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c yqzpkwtfyjhiuare.exe
  PID 5716  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 4312  C:\Windows\yqzpkwtfyjhiuare.exe  |  yqzpkwtfyjhiuare.exe
PID 2084  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c oitliwvjerruiqjypi.exe .
  PID 3636  C:\Windows\oitliwvjerruiqjypi.exe  |  oitliwvjerruiqjypi.exe .
PID 4612  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe
  PID 2928  C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe  |  C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe
PID 944  C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe .
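The listing above repeats three things worth pulling out mechanically: cmd.exe launches the dropped binaries by bare name (so the loader resolves them through the working directory or PATH, and the image column shows the C:\Windows copy being the one that runs), the helper qjfmnzhratp.exe is always invoked one level deeper with a "<path>*." argument, and the same random-named executable runs from both %TEMP% and C:\Windows. The following is an added Python example (not part of the sandbox report or of the tooling that produced it) that rebuilds the tree from lines copied verbatim from this page and reports those patterns. The function names (parse_tree, bare_name_launches, wildcard_dot_args, names_in_multiple_dirs, render) are my own, and the parser assumes the page's flattened layout: image path ending at the first ".exe", then the command line, the depth digit, "⤵PID:" and the PID.

```python
"""Rebuild a flattened sandbox process tree and flag its execution patterns.

Added example, not part of the sandbox report. SAMPLE holds lines copied
verbatim from the report's process listing (constructed test input).
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = r"""
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe .1⤵PID:1440
C:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exeC:\Users\Admin\AppData\Local\Temp\yqzpkwtfyjhiuare.exe .2⤵PID:1668
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yqzpkwtfyjhiuare.exe*."3⤵PID:1780
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bymhhyarpfiofqmeyurfa.exe .1⤵PID:952
C:\Windows\bymhhyarpfiofqmeyurfa.exebymhhyarpfiofqmeyurfa.exe .2⤵PID:516
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\bymhhyarpfiofqmeyurfa.exe*."3⤵PID:100
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mivpoefvshjoeojatokx.exe1⤵PID:1608
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:732
C:\Windows\mivpoefvshjoeojatokx.exemivpoefvshjoeojatokx.exe2⤵PID:3484
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe1⤵PID:524
C:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exeC:\Users\Admin\AppData\Local\Temp\mivpoefvshjoeojatokx.exe2⤵PID:4476
"""

# <image path ending at first .exe><command line><depth digit>⤵PID:<pid>
LINE_RE = re.compile(r"^(?P<image>.+?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵PID:(?P<pid>\d+)$", re.I)
# Windows-style argument split: a double-quoted token or a run of non-spaces.
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class Proc:
    pid: int
    depth: int
    image: str
    cmdline: str
    parent: Optional["Proc"] = None
    children: list = field(default_factory=list)

    @property
    def args(self) -> list:
        return [quoted or bare for quoted, bare in ARG_RE.findall(self.cmdline)]


def parse_tree(text: str) -> list:
    """Parse flattened lines into Proc objects, linking each process to the
    most recent one that is exactly one level shallower (how the depth markers nest)."""
    procs, last_at_depth = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":  # empty lines and list-bullet residue
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised process line: {line!r}")
        p = Proc(int(m["pid"]), int(m["depth"]), m["image"], m["cmd"].strip())
        p.parent = last_at_depth.get(p.depth - 1)
        if p.parent is not None:
            p.parent.children.append(p)
        # a new node at this depth closes any deeper subtree
        last_at_depth = {d: n for d, n in last_at_depth.items() if d < p.depth}
        last_at_depth[p.depth] = p
        procs.append(p)
    return procs


def bare_name_launches(procs: list) -> list:
    """Processes whose command line names the binary without any directory, so
    the loader resolved it via the working directory or PATH. Returns
    (pid, name as typed, directory the image was actually loaded from)."""
    hits = []
    for p in procs:
        args = p.args
        if args and not any(c in args[0] for c in "\\/:"):
            hits.append((p.pid, args[0], ntpath.dirname(p.image)))
    return hits


def wildcard_dot_args(procs: list, suffix: str = "*.") -> list:
    """(pid, argument) for every argument ending in the recurring '<path>*.' form."""
    return [(p.pid, a) for p in procs for a in p.args[1:] if a.endswith(suffix)]


def names_in_multiple_dirs(procs: list) -> dict:
    """Image basenames that were executed from more than one directory."""
    dirs = {}
    for p in procs:
        name = ntpath.basename(p.image).lower()
        dirs.setdefault(name, set()).add(ntpath.dirname(p.image).lower())
    return {n: d for n, d in dirs.items() if len(d) > 1}


def render(procs: list) -> str:
    """Indented tree: one line per process, PID first, then image | command line."""
    return "\n".join(f"{'  ' * (p.depth - 1)}PID {p.pid}  {p.image}  |  {p.cmdline}" for p in procs)


if __name__ == "__main__":
    tree = parse_tree(SAMPLE)
    print(render(tree))
    print("\nbare-name launches (resolved via cwd/PATH):", bare_name_launches(tree))
    print("'*.' arguments:", wildcard_dot_args(tree))
    print("same name run from several directories:", names_in_multiple_dirs(tree))
```

Any other slice of the listing can be pasted into SAMPLE unchanged; the parser tolerates the "-" separator lines. The bare-name check is the one that matters operationally: "cmd.exe /c bymhhyarpfiofqmeyurfa.exe" does not say which file ran, and only the image column shows that the C:\Windows copy was loaded (C:\Windows is on the default system PATH), which is why a detection should key on the resolved image path rather than on the command line alone.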
Network
MITRE ATT&CK Enterprise v16 (technique, number of matching signatures in parentheses)
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads
Filesize 280B
  MD5    8780ef9c9ba76a5c364379b2db21e619
  SHA1   e14bd2602d7a48def47a9164aaffd75289b699f5
  SHA256 5e78889b94a9e4190c6adeda9b1f81dc3a0403ccaf694df377cc552a9a9a90de
  SHA512 37b6eeff3283925e10a0b8d265d17fea03a98b6b3434fedad115f4b7d1db0791455e3974074e5d9d39d500db5835269678a3825d4099019a94b78976b46e2d95

Filesize 280B
  MD5    4828a682beaabcfd5c3184bad1f853ea
  SHA1   db8177259399ebcb9bfbe3d3ebcc227b35e56038
  SHA256 5c28a3e4e73cec57c5c05d92f4c7a80179f7475fb9e2384b9a6c7306672699b6
  SHA512 a07fbedcdc7cd48528275a06844bde96f371166ad0f24a1512419985995d6d56dcddcb735fd3c50b549d61f245d62c6f044151ed673064bffb8d952d3621f47d

Filesize 280B
  MD5    7853e2810074349c99dda00aaf1747ba
  SHA1   d908479eaf139ba2863d31e47670d338c7648ee1
  SHA256 2904c525c9c08a5d86c2cb007fe264617db8b579fa28b1f626582bcb9c2ff1f4
  SHA512 b9b2fb9edd7f6519ea64a5d9322cc8e7d0ede0e3182dbbff152f4c4784c14e1ebefeaa9203cfdd4c03c29d52d5675349ea696b18763cedbbd2dd32b48bb3bf46

Filesize 280B
  MD5    93a45b7f28d43f53dd9542b6fb363fa4
  SHA1   5ab581825bf77d0f1cb93df326dd4707d1c8f5d3
  SHA256 1f16f769729188940a57d95a6347475958764cf9a54f01be36ddec644b87ea64
  SHA512 8a39ca6db99b237a1cbbd5f3f66d16d4597261725a49f3c35a8351cc4188f2ad528ed145bea5bde2603aa342844ec56c75f9e310e78018a36b762efff73a4e85

Filesize 280B
  MD5    1242ce12c87d67ce6068e7d20d7caf21
  SHA1   70844034587524768949a59686086ca0b644ed75
  SHA256 852d7524b4e5494fa512e9fcfe65554f2cfe43da38c1959085712f592e0bac99
  SHA512 58abec0a9066b26b2c1db1c16196e42fd0f25c075ed1238bc2c01ee837ecef0be8356d68857a4d0056819acc1950e82c1e3e3bc4c00c21ba66a60b98a029b112

Filesize 280B
  MD5    1415cd6290e3e3c0965a5871f38b8758
  SHA1   f550687a4f3f2efc9a614ab396e972c18f9b9506
  SHA256 39c5530f3d1847ee1b5a9c64f622b6178ae6daf5fb5ddf2b368a143125acfe4d
  SHA512 ba1169a902ea47e64934e0b8a4bbd732dc913987361eaad2099dab29e3d659d7aaec654cebf520d1cde21fed8e59dabf438bb2b77eb2b0612746464ebdd877a3

Filesize 280B
  MD5    7390c4f8710b15acfbd30c6e448595c5
  SHA1   e8d92eef99573b5842bfb575d42bd77d9a8e85dd
  SHA256 d7e05e27f2e7ebb242654cd9471bc38b64ee451473dab40c8eed22c2c1dde90f
  SHA512 d8e6e6e3a5bfca20647f80eb0b90973d763631704f195601ad2cf69daa0a760de921881c37e89ff20e8443ebf99ac101c85d1268c6be0ff634383761c1f7e870

Filesize 704KB
  MD5    590b9b1518554ea41b0f64f799791cb9
  SHA1   0eea56caa1873ca503fdb5ad023b039c9299e4cd
  SHA256 56f9b8ffea8a8b05a67d454ef8b31e3d22177af93ac0512e5b0475e6129e4fa4
  SHA512 b0d65e37e8579823ee4ea9f1295fae5376efe4430bab54922ee0b00c49320749eb708df9943eed91979ceecf1160bc3989d495603e343ba1c58d591a253b2cc3

Filesize 320KB
  MD5    752fd8203cbe79e001d17f60bba106be
  SHA1   f84ff7bc4538cf1b1adbd80385fc079b47dd0aad
  SHA256 9ea0c5f5e393e2564d8b5da8ef3b93bd1ac6f1d192641029ef2977bc98a356c5
  SHA512 0f0747346ac2fe8e9ef1bef70c55811dddce773be3f39066e6d5a1c0b6f3f5fb5e177ed0b53848380aeeef76a2e5e51e808389a6eb6273bbe1c801c75c57bf3c

Filesize 280B
  MD5    0e257ee6fb0e231f9c39085852210027
  SHA1   e25cca5c2a01fafa149cad6ef8629f4c449d9a6b
  SHA256 abcb96576a31c2546c781b7347edd729e8241ae086f980641077c9f08464091e
  SHA512 a9ff07fbdb71ff84a889854923c877a185ba8286e769f58d6dbf4ab938dbce01956aed30b95351ecbcecc8d6ac8978846b04be1a24805314e9dd42c39fa9289f

Filesize 4KB
  MD5    d6ec95c7d565a2a446282de572b279e7
  SHA1   5de34c19f6db1ac537c5ff23bb3132975371f541
  SHA256 052467b8c065624a35dcd7cd9e1c32c8ad847e14cddeb109b78470f5b376449b
  SHA512 24985e7738f0f681f7922536cf392221c04f0a3126ae969bf19f3ae5af8970b3c63922a976a10f5139d1e2a75321435ffa9dc1680649ad27da900a9d2d0cadf8

Filesize 492KB (the submitted sample itself; hashes match the Target above)
  MD5    b28fa6555cafc95802f3ddea94c609ce
  SHA1   cc96fa61ef893dc781267ebba3bfa90218e6dcba
  SHA256 13e8f8cf343f9c910a2a465fbfb2504a07fb9224bfad739ab6d70ce8c70681b6
  SHA512 3c5f8d99aa01ab45ea0e5673c0bd593352d446c28cf40e51a3cc77e54a54d197a8e5b8d78cd8df212f16a819a4a067eb987c4cf30a49361e72d39340edc914ba