Analysis

max time kernel: 47s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/04/2025, 15:48

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe
Resource: win10v2004-20250314-en

General

Target: JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe
Size: 516KB
MD5: b2b7b9be91e42f447618c78205cfccb0
SHA1: ac38435860734cbcdfff61a917c8e37e27d781a5
SHA256: f3cb92699801b3fd4ca75d9e7a09d1b40b0a4591399753c4222c0b6385d8c897
SHA512: 3d7cab72720c27c80569eab34d9968f34bee41a38efbc9e5d25d40af373b560ba6f7240139d325700389ae0afc53d9c4b40ba69f08a3786f5c32619f37fc4193
SSDEEP: 12288:3pUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsD:3pUNr6YkVRFkgbeqeo68Fhqy
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 22 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | zakwvkk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | zakwvkk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | sdqaokddcna.exe |
Pykspa family

UAC bypass 3 TTPs 31 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | zakwvkk.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | zakwvkk.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | zakwvkk.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | zakwvkk.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | zakwvkk.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zakwvkk.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zakwvkk.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | zakwvkk.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe |
Detect Pykspa worm 2 IoCs

| resource | yara_rule |
|---|---|
| behavioral1/files/0x00070000000229db-4.dat | family_pykspa |
| behavioral1/files/0x000b0000000240fd-86.dat | family_pykspa |
Adds policy Run key to start application 2 TTPs 64 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "maxwikxvmfdxtmjoqziw.exe" | zakwvkk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "maxwikxvmfdxtmjoqziw.exe" | sdqaokddcna.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\baisp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maxwikxvmfdxtmjoqziw.exe" | sdqaokddcna.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sdqaokddcna.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sdqaokddcna.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sdqaokddcna.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "fqkgpoythxsjcsmon.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "yibweclfshbrjyrs.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\baisp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqoobesrjdcxuomsvfpec.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\baisp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yibweclfshbrjyrs.exe" | sdqaokddcna.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\baisp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maxwikxvmfdxtmjoqziw.exe" | sdqaokddcna.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | zakwvkk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "oavsccnjypldxojmmt.exe" | zakwvkk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\baisp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmigrsebrjgzumimnvd.exe" | zakwvkk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "fqkgpoythxsjcsmon.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "zmigrsebrjgzumimnvd.exe" | zakwvkk.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\baisp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maxwikxvmfdxtmjoqziw.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\baisp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqkgpoythxsjcsmon.exe" | zakwvkk.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "maxwikxvmfdxtmjoqziw.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "maxwikxvmfdxtmjoqziw.exe" | sdqaokddcna.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "fqkgpoythxsjcsmon.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\baisp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yibweclfshbrjyrs.exe" | zakwvkk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\baisp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maxwikxvmfdxtmjoqziw.exe" | sdqaokddcna.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | zakwvkk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "yibweclfshbrjyrs.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\baisp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmigrsebrjgzumimnvd.exe" | sdqaokddcna.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\baisp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavsccnjypldxojmmt.exe" | sdqaokddcna.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\baisp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavsccnjypldxojmmt.exe" | sdqaokddcna.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "zmigrsebrjgzumimnvd.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "bqoobesrjdcxuomsvfpec.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\baisp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavsccnjypldxojmmt.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "fqkgpoythxsjcsmon.exe" | sdqaokddcna.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "bqoobesrjdcxuomsvfpec.exe" | sdqaokddcna.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\baisp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maxwikxvmfdxtmjoqziw.exe" | sdqaokddcna.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "zmigrsebrjgzumimnvd.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "fqkgpoythxsjcsmon.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "yibweclfshbrjyrs.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\baisp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqoobesrjdcxuomsvfpec.exe" | zakwvkk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\baisp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqkgpoythxsjcsmon.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "fqkgpoythxsjcsmon.exe" | zakwvkk.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "yibweclfshbrjyrs.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "fqkgpoythxsjcsmon.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\baisp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavsccnjypldxojmmt.exe" | zakwvkk.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "maxwikxvmfdxtmjoqziw.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\baisp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavsccnjypldxojmmt.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\baisp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yibweclfshbrjyrs.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "yibweclfshbrjyrs.exe" | sdqaokddcna.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\baisp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavsccnjypldxojmmt.exe" | zakwvkk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqbooefr = "maxwikxvmfdxtmjoqziw.exe" | sdqaokddcna.exe |
Disables RegEdit via registry modification 6 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zakwvkk.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zakwvkk.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zakwvkk.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | sdqaokddcna.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zakwvkk.exe |
Checks computer location settings 2 TTPs 64 IoCs

Looks up the country code configured in the registry, likely a geofence.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | zmigrsebrjgzumimnvd.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | zmigrsebrjgzumimnvd.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | yibweclfshbrjyrs.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | bqoobesrjdcxuomsvfpec.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | oavsccnjypldxojmmt.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | zmigrsebrjgzumimnvd.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | yibweclfshbrjyrs.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | fqkgpoythxsjcsmon.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | zmigrsebrjgzumimnvd.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | maxwikxvmfdxtmjoqziw.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | bqoobesrjdcxuomsvfpec.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | bqoobesrjdcxuomsvfpec.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | maxwikxvmfdxtmjoqziw.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | zmigrsebrjgzumimnvd.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | maxwikxvmfdxtmjoqziw.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | bqoobesrjdcxuomsvfpec.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | oavsccnjypldxojmmt.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | maxwikxvmfdxtmjoqziw.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | oavsccnjypldxojmmt.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | fqkgpoythxsjcsmon.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | oavsccnjypldxojmmt.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | yibweclfshbrjyrs.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | oavsccnjypldxojmmt.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | zmigrsebrjgzumimnvd.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | zmigrsebrjgzumimnvd.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | fqkgpoythxsjcsmon.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | bqoobesrjdcxuomsvfpec.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | fqkgpoythxsjcsmon.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | zmigrsebrjgzumimnvd.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | oavsccnjypldxojmmt.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | sdqaokddcna.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | fqkgpoythxsjcsmon.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | fqkgpoythxsjcsmon.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | bqoobesrjdcxuomsvfpec.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | yibweclfshbrjyrs.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | fqkgpoythxsjcsmon.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | fqkgpoythxsjcsmon.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | zmigrsebrjgzumimnvd.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | oavsccnjypldxojmmt.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | bqoobesrjdcxuomsvfpec.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | fqkgpoythxsjcsmon.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | fqkgpoythxsjcsmon.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | maxwikxvmfdxtmjoqziw.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | zmigrsebrjgzumimnvd.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | maxwikxvmfdxtmjoqziw.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | oavsccnjypldxojmmt.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | oavsccnjypldxojmmt.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | fqkgpoythxsjcsmon.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | bqoobesrjdcxuomsvfpec.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | oavsccnjypldxojmmt.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | zmigrsebrjgzumimnvd.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | bqoobesrjdcxuomsvfpec.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | maxwikxvmfdxtmjoqziw.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | maxwikxvmfdxtmjoqziw.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | maxwikxvmfdxtmjoqziw.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | maxwikxvmfdxtmjoqziw.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | yibweclfshbrjyrs.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | zmigrsebrjgzumimnvd.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | fqkgpoythxsjcsmon.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | bqoobesrjdcxuomsvfpec.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | maxwikxvmfdxtmjoqziw.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | zmigrsebrjgzumimnvd.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | yibweclfshbrjyrs.exe |
Executes dropped EXE 64 IoCs

| pid | Process |
|---|---|
| 1232 | sdqaokddcna.exe |
| 1636 | maxwikxvmfdxtmjoqziw.exe |
| 4692 | zmigrsebrjgzumimnvd.exe |
| 3248 | sdqaokddcna.exe |
| 3772 | oavsccnjypldxojmmt.exe |
| 4188 | fqkgpoythxsjcsmon.exe |
| 1516 | bqoobesrjdcxuomsvfpec.exe |
| 1640 | sdqaokddcna.exe |
| 1968 | oavsccnjypldxojmmt.exe |
| 4472 | sdqaokddcna.exe |
| 2832 | fqkgpoythxsjcsmon.exe |
| 5824 | bqoobesrjdcxuomsvfpec.exe |
| 5968 | sdqaokddcna.exe |
| 6092 | zakwvkk.exe |
| 4052 | zakwvkk.exe |
| 5100 | bqoobesrjdcxuomsvfpec.exe |
| 4844 | yibweclfshbrjyrs.exe |
| 5500 | bqoobesrjdcxuomsvfpec.exe |
| 5772 | fqkgpoythxsjcsmon.exe |
| 2268 | sdqaokddcna.exe |
| 1596 | sdqaokddcna.exe |
| 4536 | bqoobesrjdcxuomsvfpec.exe |
| 4608 | bqoobesrjdcxuomsvfpec.exe |
| 2828 | fqkgpoythxsjcsmon.exe |
| 912 | zmigrsebrjgzumimnvd.exe |
| 2360 | sdqaokddcna.exe |
| 5932 | bqoobesrjdcxuomsvfpec.exe |
| 4728 | sdqaokddcna.exe |
| 4720 | maxwikxvmfdxtmjoqziw.exe |
| 1164 | zmigrsebrjgzumimnvd.exe |
| 5856 | oavsccnjypldxojmmt.exe |
| 1272 | sdqaokddcna.exe |
| 5480 | sdqaokddcna.exe |
| 5836 | yibweclfshbrjyrs.exe |
| 5788 | yibweclfshbrjyrs.exe |
| 4264 | bqoobesrjdcxuomsvfpec.exe |
| 5328 | zmigrsebrjgzumimnvd.exe |
| 2856 | sdqaokddcna.exe |
| 3888 | sdqaokddcna.exe |
| 2300 | fqkgpoythxsjcsmon.exe |
| 4864 | fqkgpoythxsjcsmon.exe |
| 372 | sdqaokddcna.exe |
| 4868 | bqoobesrjdcxuomsvfpec.exe |
| 5568 | fqkgpoythxsjcsmon.exe |
| 5160 | bqoobesrjdcxuomsvfpec.exe |
| 5216 | sdqaokddcna.exe |
| 5664 | maxwikxvmfdxtmjoqziw.exe |
| 388 | sdqaokddcna.exe |
| 2436 | yibweclfshbrjyrs.exe |
| 4696 | bqoobesrjdcxuomsvfpec.exe |
| 3964 | sdqaokddcna.exe |
| 5872 | yibweclfshbrjyrs.exe |
| 4640 | oavsccnjypldxojmmt.exe |
| 4812 | zmigrsebrjgzumimnvd.exe |
| 4548 | sdqaokddcna.exe |
| 5856 | yibweclfshbrjyrs.exe |
| 1188 | maxwikxvmfdxtmjoqziw.exe |
| 1916 | zmigrsebrjgzumimnvd.exe |
| 5836 | bqoobesrjdcxuomsvfpec.exe |
| 2020 | sdqaokddcna.exe |
| 1540 | sdqaokddcna.exe |
| 4908 | maxwikxvmfdxtmjoqziw.exe |
| 3376 | bqoobesrjdcxuomsvfpec.exe |
| 2364 | zmigrsebrjgzumimnvd.exe |
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

| description | ioc | Process |
|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | zakwvkk.exe |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | zakwvkk.exe |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | zakwvkk.exe |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | zakwvkk.exe |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | zakwvkk.exe |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | zakwvkk.exe |
Adds Run key to start application 2 TTPs 64 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiuijacpv = "zmigrsebrjgzumimnvd.exe" | zakwvkk.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmvges = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavsccnjypldxojmmt.exe" | zakwvkk.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ycpegybpwf = "oavsccnjypldxojmmt.exe ." | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmvges = "fqkgpoythxsjcsmon.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ycpegybpwf = "bqoobesrjdcxuomsvfpec.exe ." | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zakwvkk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqkgpoythxsjcsmon.exe ." | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zakwvkk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maxwikxvmfdxtmjoqziw.exe ." | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ycpegybpwf = "zmigrsebrjgzumimnvd.exe ." | zakwvkk.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiuijacpv = "maxwikxvmfdxtmjoqziw.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiuijacpv = "bqoobesrjdcxuomsvfpec.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tymcfycrzjy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maxwikxvmfdxtmjoqziw.exe ." | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zakwvkk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqkgpoythxsjcsmon.exe ." | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zakwvkk = "bqoobesrjdcxuomsvfpec.exe ." | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ycpegybpwf = "fqkgpoythxsjcsmon.exe ." | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiuijacpv = "zmigrsebrjgzumimnvd.exe" | zakwvkk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwlcgafvepfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmigrsebrjgzumimnvd.exe" | zakwvkk.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmvges = "maxwikxvmfdxtmjoqziw.exe" | zakwvkk.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiuijacpv = "oavsccnjypldxojmmt.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmvges = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavsccnjypldxojmmt.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiuijacpv = "maxwikxvmfdxtmjoqziw.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmvges = "oavsccnjypldxojmmt.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmvges = "maxwikxvmfdxtmjoqziw.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ycpegybpwf = "zmigrsebrjgzumimnvd.exe ." | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiuijacpv = "fqkgpoythxsjcsmon.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiuijacpv = "maxwikxvmfdxtmjoqziw.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmvges = "oavsccnjypldxojmmt.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zakwvkk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmigrsebrjgzumimnvd.exe ." | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmvges = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yibweclfshbrjyrs.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zakwvkk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqoobesrjdcxuomsvfpec.exe ." | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zakwvkk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqoobesrjdcxuomsvfpec.exe ." | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwlcgafvepfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqkgpoythxsjcsmon.exe" | sdqaokddcna.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zakwvkk = "zmigrsebrjgzumimnvd.exe ." | |
sdqaokddcna.exe Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiuijacpv = "maxwikxvmfdxtmjoqziw.exe" zakwvkk.exe Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmvges = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmigrsebrjgzumimnvd.exe" sdqaokddcna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwlcgafvepfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmigrsebrjgzumimnvd.exe" sdqaokddcna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tymcfycrzjy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqkgpoythxsjcsmon.exe ." sdqaokddcna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tymcfycrzjy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmigrsebrjgzumimnvd.exe ." zakwvkk.exe Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmvges = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maxwikxvmfdxtmjoqziw.exe" sdqaokddcna.exe Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zakwvkk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmigrsebrjgzumimnvd.exe ." zakwvkk.exe Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zakwvkk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yibweclfshbrjyrs.exe ." 
sdqaokddcna.exe Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiuijacpv = "fqkgpoythxsjcsmon.exe" sdqaokddcna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwlcgafvepfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmigrsebrjgzumimnvd.exe" sdqaokddcna.exe Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmvges = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavsccnjypldxojmmt.exe" sdqaokddcna.exe Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmvges = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmigrsebrjgzumimnvd.exe" sdqaokddcna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmvges = "yibweclfshbrjyrs.exe" zakwvkk.exe Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiuijacpv = "bqoobesrjdcxuomsvfpec.exe" sdqaokddcna.exe Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ycpegybpwf = "maxwikxvmfdxtmjoqziw.exe ." sdqaokddcna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tymcfycrzjy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmigrsebrjgzumimnvd.exe ." 
sdqaokddcna.exe Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmvges = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavsccnjypldxojmmt.exe" sdqaokddcna.exe Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmvges = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maxwikxvmfdxtmjoqziw.exe" zakwvkk.exe Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiuijacpv = "oavsccnjypldxojmmt.exe" sdqaokddcna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmvges = "zmigrsebrjgzumimnvd.exe" zakwvkk.exe Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ycpegybpwf = "maxwikxvmfdxtmjoqziw.exe ." zakwvkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmvges = "zmigrsebrjgzumimnvd.exe" sdqaokddcna.exe Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zakwvkk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmigrsebrjgzumimnvd.exe ." sdqaokddcna.exe Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiuijacpv = "maxwikxvmfdxtmjoqziw.exe" sdqaokddcna.exe Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ycpegybpwf = "fqkgpoythxsjcsmon.exe ." 
sdqaokddcna.exe Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiuijacpv = "bqoobesrjdcxuomsvfpec.exe" sdqaokddcna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmvges = "yibweclfshbrjyrs.exe" sdqaokddcna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmvges = "bqoobesrjdcxuomsvfpec.exe" sdqaokddcna.exe Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmvges = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqoobesrjdcxuomsvfpec.exe" zakwvkk.exe Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zakwvkk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yibweclfshbrjyrs.exe ." sdqaokddcna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmvges = "bqoobesrjdcxuomsvfpec.exe" sdqaokddcna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwlcgafvepfr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavsccnjypldxojmmt.exe" sdqaokddcna.exe -
Checks whether UAC is enabled 1 TTPs 44 IoCs
The value is not only read: alongside the EnableLUA queries, sdqaokddcna.exe and zakwvkk.exe set EnableLUA = 0, which turns User Account Control off entirely once the machine restarts. This HKLM policy key is writable only by administrators, so the processes were already running elevated when they made the change.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | zakwvkk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | zakwvkk.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zakwvkk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zakwvkk.exe
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users: setting EnableInstallerDetection = 0 disables the UAC heuristic that recognises setup programs, so executables that look like installers no longer trigger an elevation prompt. Like EnableLUA, this is an HKLM policy value that only an elevated process can write.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | zakwvkk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | zakwvkk.exe
-
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
31 | whatismyipaddress.com
36 | www.showmyipaddress.com
46 | whatismyip.everdot.org
47 | www.whatismyip.ca
39 | whatismyip.everdot.org
42 | www.whatismyip.ca
51 | www.whatismyip.ca
53 | whatismyip.everdot.org
54 | www.whatismyip.ca
-
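Each hostname in that table is a legitimate service, so one query to one of them is weak evidence on its own; what stands out in this report is a single host cycling through four different lookup services within a few seconds. The Python below is an added example, not part of the sandbox report or its tooling: it normalizes DNS query names against the hostname list above (lower-case, trailing dot and leading "www." removed, subdomains treated as matches) and alerts only when one client reaches several distinct services inside a short window. The log line format and the client addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hostnames from the "flow ioc" table of this report.
IP_LOOKUP_SERVICES = [
    "whatismyipaddress.com",
    "www.showmyipaddress.com",
    "whatismyip.everdot.org",
    "www.whatismyip.ca",
]

# Constructed DNS log for this example (assumed line format:
# "<UTC timestamp> <client IP> <query type> <query name>"); not from the report.
SAMPLE_DNS_LOG = """
2025-04-12T15:48:31Z 10.0.0.5 A whatismyipaddress.com
2025-04-12T15:48:36Z 10.0.0.5 A www.showmyipaddress.com
2025-04-12T15:48:39Z 10.0.0.5 A whatismyip.everdot.org
2025-04-12T15:48:42Z 10.0.0.5 A www.whatismyip.ca.
2025-04-12T15:50:02Z 10.0.0.9 A api.whatismyipaddress.com
2025-04-12T15:50:03Z 10.0.0.9 AAAA update.microsoft.com
2025-04-12T16:30:00Z 10.0.0.5 A whatismyipaddress.com
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>\S+) (?P<qname>\S+)$")


def normalize(host):
    """Lower-case, drop a trailing root dot and a leading 'www.' so variants compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def matching_service(qname, services=IP_LOOKUP_SERVICES):
    """Return the lookup service a query name belongs to (exact host or any subdomain), else None."""
    q = normalize(qname)
    for service in services:
        s = normalize(service)
        if q == s or q.endswith("." + s):
            return s
    return None


def find_ip_lookup_clients(log_text, window=timedelta(minutes=10), min_services=2):
    """Map client -> sorted distinct lookup services it queried within one `window`.

    Only clients that reach at least `min_services` distinct services are returned;
    a single query to a single service is normal application behaviour.
    """
    per_client = defaultdict(list)  # client -> [(timestamp, service)]
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = LOG_LINE.match(line)
        if not m:
            continue
        service = matching_service(m["qname"])
        if service is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        per_client[m["client"]].append((ts, service))

    alerts = {}
    for client, events in per_client.items():
        events.sort()
        # Slide a window starting at each lookup; alert on the first window
        # that covers enough distinct services.
        for i, (start, _) in enumerate(events):
            seen = {svc for ts, svc in events[i:] if ts - start <= window}
            if len(seen) >= min_services:
                alerts[client] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for client, services in find_ip_lookup_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(services)} external-IP lookup services within 10 min: {', '.join(services)}")
```

With the constructed log, 10.0.0.5 is reported (four services in eleven seconds) while 10.0.0.9, which touched only one service, is not. Tune `window` and `min_services` to the environment; in a network where a VPN client or a monitoring agent legitimately asks one of these services for the public address, the multi-service threshold is what keeps the rule quiet.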
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\maxwikxvmfdxtmjoqziw.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\maxwikxvmfdxtmjoqziw.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\bqoobesrjdcxuomsvfpec.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\sihiwappiddzxsrycnyono.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\maxwikxvmfdxtmjoqziw.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\sihiwappiddzxsrycnyono.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\sihiwappiddzxsrycnyono.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\zmigrsebrjgzumimnvd.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\oavsccnjypldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\maxwikxvmfdxtmjoqziw.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\sihiwappiddzxsrycnyono.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\sihiwappiddzxsrycnyono.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\sihiwappiddzxsrycnyono.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\yibweclfshbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\maxwikxvmfdxtmjoqziw.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\sihiwappiddzxsrycnyono.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\maxwikxvmfdxtmjoqziw.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\oavsccnjypldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\fqkgpoythxsjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\bqoobesrjdcxuomsvfpec.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\yibweclfshbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\fqkgpoythxsjcsmon.exe | zakwvkk.exe
File opened for modification | C:\Windows\SysWOW64\oavsccnjypldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\fqkgpoythxsjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\zmigrsebrjgzumimnvd.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\zmigrsebrjgzumimnvd.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\bqoobesrjdcxuomsvfpec.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\yibweclfshbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\sihiwappiddzxsrycnyono.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\yibweclfshbrjyrs.exe | sdqaokddcna.exe
File created | C:\Windows\SysWOW64\dwyctasvrpsrsqscjxleg.bia | zakwvkk.exe
File created | C:\Windows\SysWOW64\ycpegybpwftdpylgyxwancewznudrbnw.ewv | zakwvkk.exe
File opened for modification | C:\Windows\SysWOW64\maxwikxvmfdxtmjoqziw.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\zmigrsebrjgzumimnvd.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\oavsccnjypldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\yibweclfshbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\bqoobesrjdcxuomsvfpec.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\maxwikxvmfdxtmjoqziw.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\sihiwappiddzxsrycnyono.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\zmigrsebrjgzumimnvd.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\yibweclfshbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\yibweclfshbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\sihiwappiddzxsrycnyono.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\maxwikxvmfdxtmjoqziw.exe | zakwvkk.exe
File opened for modification | C:\Windows\SysWOW64\sihiwappiddzxsrycnyono.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\zmigrsebrjgzumimnvd.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\bqoobesrjdcxuomsvfpec.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\sihiwappiddzxsrycnyono.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\bqoobesrjdcxuomsvfpec.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\yibweclfshbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\oavsccnjypldxojmmt.exe | zakwvkk.exe
File opened for modification | C:\Windows\SysWOW64\sihiwappiddzxsrycnyono.exe | zakwvkk.exe
File opened for modification | C:\Windows\SysWOW64\maxwikxvmfdxtmjoqziw.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\yibweclfshbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\maxwikxvmfdxtmjoqziw.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\bqoobesrjdcxuomsvfpec.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\bqoobesrjdcxuomsvfpec.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\fqkgpoythxsjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\oavsccnjypldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\maxwikxvmfdxtmjoqziw.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\bqoobesrjdcxuomsvfpec.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\fqkgpoythxsjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\zmigrsebrjgzumimnvd.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\SysWOW64\fqkgpoythxsjcsmon.exe | sdqaokddcna.exe
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\dwyctasvrpsrsqscjxleg.bia | zakwvkk.exe
File created | C:\Program Files (x86)\dwyctasvrpsrsqscjxleg.bia | zakwvkk.exe
File opened for modification | C:\Program Files (x86)\ycpegybpwftdpylgyxwancewznudrbnw.ewv | zakwvkk.exe
File created | C:\Program Files (x86)\ycpegybpwftdpylgyxwancewznudrbnw.ewv | zakwvkk.exe
-
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\zmigrsebrjgzumimnvd.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\zmigrsebrjgzumimnvd.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\maxwikxvmfdxtmjoqziw.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\maxwikxvmfdxtmjoqziw.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\oavsccnjypldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\oavsccnjypldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\zmigrsebrjgzumimnvd.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\fqkgpoythxsjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\maxwikxvmfdxtmjoqziw.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\yibweclfshbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\sihiwappiddzxsrycnyono.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\fqkgpoythxsjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\yibweclfshbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\oavsccnjypldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\fqkgpoythxsjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\yibweclfshbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\zmigrsebrjgzumimnvd.exe | zakwvkk.exe
File opened for modification | C:\Windows\bqoobesrjdcxuomsvfpec.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\fqkgpoythxsjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\yibweclfshbrjyrs.exe | zakwvkk.exe
File opened for modification | C:\Windows\bqoobesrjdcxuomsvfpec.exe | zakwvkk.exe
File opened for modification | C:\Windows\maxwikxvmfdxtmjoqziw.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\bqoobesrjdcxuomsvfpec.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\oavsccnjypldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\sihiwappiddzxsrycnyono.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\oavsccnjypldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\oavsccnjypldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\maxwikxvmfdxtmjoqziw.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\maxwikxvmfdxtmjoqziw.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\maxwikxvmfdxtmjoqziw.exe | zakwvkk.exe
File opened for modification | C:\Windows\zmigrsebrjgzumimnvd.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\sihiwappiddzxsrycnyono.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\sihiwappiddzxsrycnyono.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\yibweclfshbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\zmigrsebrjgzumimnvd.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\yibweclfshbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\oavsccnjypldxojmmt.exe | sdqaokddcna.exe
File created | C:\Windows\dwyctasvrpsrsqscjxleg.bia | zakwvkk.exe
File opened for modification | C:\Windows\yibweclfshbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\maxwikxvmfdxtmjoqziw.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\yibweclfshbrjyrs.exe | zakwvkk.exe
File opened for modification | C:\Windows\fqkgpoythxsjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\bqoobesrjdcxuomsvfpec.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\yibweclfshbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\sihiwappiddzxsrycnyono.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\zmigrsebrjgzumimnvd.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\fqkgpoythxsjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\zmigrsebrjgzumimnvd.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\fqkgpoythxsjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\bqoobesrjdcxuomsvfpec.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\bqoobesrjdcxuomsvfpec.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\oavsccnjypldxojmmt.exe | zakwvkk.exe
File opened for modification | C:\Windows\fqkgpoythxsjcsmon.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\zmigrsebrjgzumimnvd.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\sihiwappiddzxsrycnyono.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\maxwikxvmfdxtmjoqziw.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\yibweclfshbrjyrs.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\oavsccnjypldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\oavsccnjypldxojmmt.exe | zakwvkk.exe
File opened for modification | C:\Windows\oavsccnjypldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\zmigrsebrjgzumimnvd.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\oavsccnjypldxojmmt.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\bqoobesrjdcxuomsvfpec.exe | sdqaokddcna.exe
File opened for modification | C:\Windows\bqoobesrjdcxuomsvfpec.exe | sdqaokddcna.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. On its own this is a weak indicator: many legitimate programs read the NLS\Language key, so it matters here only because every dropped copy performs the read.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oavsccnjypldxojmmt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqkgpoythxsjcsmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | maxwikxvmfdxtmjoqziw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yibweclfshbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | maxwikxvmfdxtmjoqziw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yibweclfshbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmigrsebrjgzumimnvd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmigrsebrjgzumimnvd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bqoobesrjdcxuomsvfpec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oavsccnjypldxojmmt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqkgpoythxsjcsmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | maxwikxvmfdxtmjoqziw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bqoobesrjdcxuomsvfpec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqkgpoythxsjcsmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oavsccnjypldxojmmt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bqoobesrjdcxuomsvfpec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oavsccnjypldxojmmt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | maxwikxvmfdxtmjoqziw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmigrsebrjgzumimnvd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bqoobesrjdcxuomsvfpec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmigrsebrjgzumimnvd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqkgpoythxsjcsmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmigrsebrjgzumimnvd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yibweclfshbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bqoobesrjdcxuomsvfpec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqkgpoythxsjcsmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqkgpoythxsjcsmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmigrsebrjgzumimnvd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bqoobesrjdcxuomsvfpec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zakwvkk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqkgpoythxsjcsmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oavsccnjypldxojmmt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bqoobesrjdcxuomsvfpec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yibweclfshbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oavsccnjypldxojmmt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqkgpoythxsjcsmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oavsccnjypldxojmmt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmigrsebrjgzumimnvd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqkgpoythxsjcsmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmigrsebrjgzumimnvd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oavsccnjypldxojmmt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oavsccnjypldxojmmt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqkgpoythxsjcsmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmigrsebrjgzumimnvd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | maxwikxvmfdxtmjoqziw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqkgpoythxsjcsmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yibweclfshbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bqoobesrjdcxuomsvfpec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqkgpoythxsjcsmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yibweclfshbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqkgpoythxsjcsmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmigrsebrjgzumimnvd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oavsccnjypldxojmmt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | maxwikxvmfdxtmjoqziw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oavsccnjypldxojmmt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqkgpoythxsjcsmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | maxwikxvmfdxtmjoqziw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yibweclfshbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yibweclfshbrjyrs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fqkgpoythxsjcsmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | maxwikxvmfdxtmjoqziw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | maxwikxvmfdxtmjoqziw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zmigrsebrjgzumimnvd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yibweclfshbrjyrs.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 4052 zakwvkk.exe 4052 zakwvkk.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 
JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 4052 zakwvkk.exe 4052 zakwvkk.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe 756 JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4052 | zakwvkk.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 756 wrote to memory of 1232 | 756 | JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe | 90
PID 756 wrote to memory of 1232 | 756 | JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe | 90
PID 756 wrote to memory of 1232 | 756 | JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe | 90
PID 3948 wrote to memory of 1636 | 3948 | cmd.exe | 95
PID 3948 wrote to memory of 1636 | 3948 | cmd.exe | 95
PID 3948 wrote to memory of 1636 | 3948 | cmd.exe | 95
PID 3828 wrote to memory of 4692 | 3828 | cmd.exe | 99
PID 3828 wrote to memory of 4692 | 3828 | cmd.exe | 99
PID 3828 wrote to memory of 4692 | 3828 | cmd.exe | 99
PID 4692 wrote to memory of 3248 | 4692 | zmigrsebrjgzumimnvd.exe | 102
PID 4692 wrote to memory of 3248 | 4692 | zmigrsebrjgzumimnvd.exe | 102
PID 4692 wrote to memory of 3248 | 4692 | zmigrsebrjgzumimnvd.exe | 102
PID 4748 wrote to memory of 3772 | 4748 | cmd.exe | 105
PID 4748 wrote to memory of 3772 | 4748 | cmd.exe | 105
PID 4748 wrote to memory of 3772 | 4748 | cmd.exe | 105
PID 1020 wrote to memory of 4188 | 1020 | cmd.exe | 108
PID 1020 wrote to memory of 4188 | 1020 | cmd.exe | 108
PID 1020 wrote to memory of 4188 | 1020 | cmd.exe | 108
PID 2408 wrote to memory of 1516 | 2408 | cmd.exe | 111
PID 2408 wrote to memory of 1516 | 2408 | cmd.exe | 111
PID 2408 wrote to memory of 1516 | 2408 | cmd.exe | 111
PID 4188 wrote to memory of 1640 | 4188 | fqkgpoythxsjcsmon.exe | 112
PID 4188 wrote to memory of 1640 | 4188 | fqkgpoythxsjcsmon.exe | 112
PID 4188 wrote to memory of 1640 | 4188 | fqkgpoythxsjcsmon.exe | 112
PID 1280 wrote to memory of 1968 | 1280 | cmd.exe | 113
PID 1280 wrote to memory of 1968 | 1280 | cmd.exe | 113
PID 1280 wrote to memory of 1968 | 1280 | cmd.exe | 113
PID 1968 wrote to memory of 4472 | 1968 | oavsccnjypldxojmmt.exe | 114
PID 1968 wrote to memory of 4472 | 1968 | oavsccnjypldxojmmt.exe | 114
PID 1968 wrote to memory of 4472 | 1968 | oavsccnjypldxojmmt.exe | 114
PID 2024 wrote to memory of 2832 | 2024 | cmd.exe | 118
PID 2024 wrote to memory of 2832 | 2024 | cmd.exe | 118
PID 2024 wrote to memory of 2832 | 2024 | cmd.exe | 118
PID 1344 wrote to memory of 5824 | 1344 | cmd.exe | 120
PID 1344 wrote to memory of 5824 | 1344 | cmd.exe | 120
PID 1344 wrote to memory of 5824 | 1344 | cmd.exe | 120
PID 5824 wrote to memory of 5968 | 5824 | bqoobesrjdcxuomsvfpec.exe | 121
PID 5824 wrote to memory of 5968 | 5824 | bqoobesrjdcxuomsvfpec.exe | 121
PID 5824 wrote to memory of 5968 | 5824 | bqoobesrjdcxuomsvfpec.exe | 121
PID 1232 wrote to memory of 6092 | 1232 | sdqaokddcna.exe | 123
PID 1232 wrote to memory of 6092 | 1232 | sdqaokddcna.exe | 123
PID 1232 wrote to memory of 6092 | 1232 | sdqaokddcna.exe | 123
PID 1232 wrote to memory of 4052 | 1232 | sdqaokddcna.exe | 125
PID 1232 wrote to memory of 4052 | 1232 | sdqaokddcna.exe | 125
PID 1232 wrote to memory of 4052 | 1232 | sdqaokddcna.exe | 125
PID 5920 wrote to memory of 5100 | 5920 | cmd.exe | 131
PID 5920 wrote to memory of 5100 | 5920 | cmd.exe | 131
PID 5920 wrote to memory of 5100 | 5920 | cmd.exe | 131
PID 4068 wrote to memory of 4844 | 4068 | cmd.exe | 130
PID 4068 wrote to memory of 4844 | 4068 | cmd.exe | 130
PID 4068 wrote to memory of 4844 | 4068 | cmd.exe | 130
PID 4236 wrote to memory of 5500 | 4236 | cmd.exe | 136
PID 4236 wrote to memory of 5500 | 4236 | cmd.exe | 136
PID 4236 wrote to memory of 5500 | 4236 | cmd.exe | 136
PID 5664 wrote to memory of 5772 | 5664 | cmd.exe | 265
PID 5664 wrote to memory of 5772 | 5664 | cmd.exe | 265
PID 5664 wrote to memory of 5772 | 5664 | cmd.exe | 265
PID 5772 wrote to memory of 2268 | 5772 | fqkgpoythxsjcsmon.exe | 142
PID 5772 wrote to memory of 2268 | 5772 | fqkgpoythxsjcsmon.exe | 142
PID 5772 wrote to memory of 2268 | 5772 | fqkgpoythxsjcsmon.exe | 142
PID 5500 wrote to memory of 1596 | 5500 | bqoobesrjdcxuomsvfpec.exe | 145
PID 5500 wrote to memory of 1596 | 5500 | bqoobesrjdcxuomsvfpec.exe | 145
PID 5500 wrote to memory of 1596 | 5500 | bqoobesrjdcxuomsvfpec.exe | 145
PID 4964 wrote to memory of 4536 | 4964 | cmd.exe | 148
System policy modification 1 TTPs 64 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zakwvkk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | sdqaokddcna.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | sdqaokddcna.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sdqaokddcna.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | zakwvkk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | zakwvkk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | zakwvkk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | zakwvkk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | sdqaokddcna.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sdqaokddcna.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | zakwvkk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | zakwvkk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | zakwvkk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | zakwvkk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | zakwvkk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sdqaokddcna.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | zakwvkk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zakwvkk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zakwvkk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sdqaokddcna.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | zakwvkk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sdqaokddcna.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | zakwvkk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sdqaokddcna.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | sdqaokddcna.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | zakwvkk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | zakwvkk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | zakwvkk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | zakwvkk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | zakwvkk.exe
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b2b7b9be91e42f447618c78205cfccb0.exe"
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:756

    C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
    "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_b2b7b9be91e42f447618c78205cfccb0.exe*"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1232

        C:\Users\Admin\AppData\Local\Temp\zakwvkk.exe
        "C:\Users\Admin\AppData\Local\Temp\zakwvkk.exe" "-C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe"
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Hijack Execution Flow: Executable Installer File Permissions Weakness
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
        PID:6092

        C:\Users\Admin\AppData\Local\Temp\zakwvkk.exe
        "C:\Users\Admin\AppData\Local\Temp\zakwvkk.exe" "-C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe"
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Impair Defenses: Safe Mode Boot
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Hijack Execution Flow: Executable Installer File Permissions Weakness
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - System policy modification
        PID:4052
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe
- Suspicious use of WriteProcessMemory
PID:3948

    C:\Windows\maxwikxvmfdxtmjoqziw.exe
    maxwikxvmfdxtmjoqziw.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe .
- Suspicious use of WriteProcessMemory
PID:3828

    C:\Windows\zmigrsebrjgzumimnvd.exe
    zmigrsebrjgzumimnvd.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4692

        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
        "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zmigrsebrjgzumimnvd.exe*."
        - Executes dropped EXE
        PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe
- Suspicious use of WriteProcessMemory
PID:4748

    C:\Windows\oavsccnjypldxojmmt.exe
    oavsccnjypldxojmmt.exe
    - Executes dropped EXE
    PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe .
- Suspicious use of WriteProcessMemory
PID:1020

    C:\Windows\fqkgpoythxsjcsmon.exe
    fqkgpoythxsjcsmon.exe .
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4188

        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
        "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\fqkgpoythxsjcsmon.exe*."
        - Executes dropped EXE
        PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe
- Suspicious use of WriteProcessMemory
PID:2408

    C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe
    C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .
- Suspicious use of WriteProcessMemory
PID:1280

    C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe
    C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1968

        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
        "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\oavsccnjypldxojmmt.exe*."
        - Executes dropped EXE
        PID:4472
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe
- Suspicious use of WriteProcessMemory
PID:2024

    C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe
    C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .
- Suspicious use of WriteProcessMemory
PID:1344

    C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe
    C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5824

        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
        "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bqoobesrjdcxuomsvfpec.exe*."
        - Executes dropped EXE
        PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe
- Suspicious use of WriteProcessMemory
PID:4068

    C:\Windows\yibweclfshbrjyrs.exe
    yibweclfshbrjyrs.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe
- Suspicious use of WriteProcessMemory
PID:5920

    C:\Windows\bqoobesrjdcxuomsvfpec.exe
    bqoobesrjdcxuomsvfpec.exe
    - Executes dropped EXE
    PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe .
- Suspicious use of WriteProcessMemory
PID:5664

    C:\Windows\fqkgpoythxsjcsmon.exe
    fqkgpoythxsjcsmon.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5772

        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
        "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\fqkgpoythxsjcsmon.exe*."
        - Executes dropped EXE
        PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe .
- Suspicious use of WriteProcessMemory
PID:4236

    C:\Windows\bqoobesrjdcxuomsvfpec.exe
    bqoobesrjdcxuomsvfpec.exe .
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5500

        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
        "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bqoobesrjdcxuomsvfpec.exe*."
        - Executes dropped EXE
        PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe
- Suspicious use of WriteProcessMemory
PID:4964

    C:\Windows\bqoobesrjdcxuomsvfpec.exe
    bqoobesrjdcxuomsvfpec.exe
    - Executes dropped EXE
    PID:4536
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe
PID:2444

    C:\Windows\bqoobesrjdcxuomsvfpec.exe
    bqoobesrjdcxuomsvfpec.exe
    - Executes dropped EXE
    PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe .
PID:1288

    C:\Windows\fqkgpoythxsjcsmon.exe
    fqkgpoythxsjcsmon.exe .
    - Executes dropped EXE
    PID:2828

        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
        "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\fqkgpoythxsjcsmon.exe*."
        - Executes dropped EXE
        PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe .
PID:3768

    C:\Windows\zmigrsebrjgzumimnvd.exe
    zmigrsebrjgzumimnvd.exe .
    - Executes dropped EXE
    PID:912

        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
        "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zmigrsebrjgzumimnvd.exe*."
        - Executes dropped EXE
        PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe
PID:4616

    C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe
    C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe
    - Executes dropped EXE
    PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe
PID:4624

    C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe
    C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe
    - Executes dropped EXE
    PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .
PID:4552

    C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe
    C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1164

        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
        "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zmigrsebrjgzumimnvd.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - System policy modification
        PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .
PID:2884

    C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe
    C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5856

        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
        "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\oavsccnjypldxojmmt.exe*."
        - Executes dropped EXE
        PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe
PID:5496

    C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe
    C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe
    - Executes dropped EXE
    PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe
PID:2176

    C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe
    C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .
PID:2116

    C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe
    C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .
    - Executes dropped EXE
    PID:5328

        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
        "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zmigrsebrjgzumimnvd.exe*."
        - Executes dropped EXE
        PID:3888
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .
PID:5576

    C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe
    C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .
    - Executes dropped EXE
    PID:4264

        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
        "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bqoobesrjdcxuomsvfpec.exe*."
        - Executes dropped EXE
        PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe
PID:5272

    C:\Windows\fqkgpoythxsjcsmon.exe
    fqkgpoythxsjcsmon.exe
    - Executes dropped EXE
    PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe .
PID:6080

    C:\Windows\fqkgpoythxsjcsmon.exe
    fqkgpoythxsjcsmon.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4864

        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
        "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\fqkgpoythxsjcsmon.exe*."
        - Executes dropped EXE
        PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe
PID:5920

    C:\Windows\bqoobesrjdcxuomsvfpec.exe
    bqoobesrjdcxuomsvfpec.exe
    - Executes dropped EXE
    PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe .
PID:1240

    C:\Windows\fqkgpoythxsjcsmon.exe
    fqkgpoythxsjcsmon.exe .
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5568

        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
        "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\fqkgpoythxsjcsmon.exe*."
        - Executes dropped EXE
        PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe
PID:1840

    C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe
    C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe
    - Executes dropped EXE
    PID:5160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .
PID:4592

    C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe
    C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5664

        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
        "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\maxwikxvmfdxtmjoqziw.exe*."
        - Executes dropped EXE
        PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe
PID:808

    C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe
    C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe
    - Executes dropped EXE
    PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .
PID:5036

    C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe
    C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .
    - Executes dropped EXE
    PID:4696

        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
        "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bqoobesrjdcxuomsvfpec.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
        PID:3964
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe
PID:4800

    C:\Windows\yibweclfshbrjyrs.exe
    yibweclfshbrjyrs.exe
    - Executes dropped EXE
    PID:5872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe .
PID:5096

    C:\Windows\oavsccnjypldxojmmt.exe
    oavsccnjypldxojmmt.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4640

        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
        "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\oavsccnjypldxojmmt.exe*."
        - Executes dropped EXE
        PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe
PID:4488

    C:\Windows\zmigrsebrjgzumimnvd.exe
    zmigrsebrjgzumimnvd.exe
    - Executes dropped EXE
    PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe
PID:4508

    C:\Windows\yibweclfshbrjyrs.exe
    yibweclfshbrjyrs.exe
    - Executes dropped EXE
    PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe
PID:3016

    C:\Windows\maxwikxvmfdxtmjoqziw.exe
    maxwikxvmfdxtmjoqziw.exe
    - Executes dropped EXE
    PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe .
PID:5860

    C:\Windows\bqoobesrjdcxuomsvfpec.exe
    bqoobesrjdcxuomsvfpec.exe .
    - Checks computer location settings
    - Executes dropped EXE
    PID:5836

        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
        "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bqoobesrjdcxuomsvfpec.exe*."
        - Executes dropped EXE
        PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe .
PID:1968

    C:\Windows\zmigrsebrjgzumimnvd.exe
    zmigrsebrjgzumimnvd.exe .
    - Executes dropped EXE
    PID:1916

        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
        "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zmigrsebrjgzumimnvd.exe*."
        - Executes dropped EXE
        PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe .
PID:3892

    C:\Windows\bqoobesrjdcxuomsvfpec.exe
    bqoobesrjdcxuomsvfpec.exe .
    - Executes dropped EXE
    PID:3376

        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
        "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bqoobesrjdcxuomsvfpec.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
        PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe
PID:1072

    C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe
    C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe
    - Executes dropped EXE
    PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .
PID:5204

    C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe
    C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2364

        C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe
        "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zmigrsebrjgzumimnvd.exe*."
        PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe
PID:2824

    C:\Windows\zmigrsebrjgzumimnvd.exe
    zmigrsebrjgzumimnvd.exe
    PID:5772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe1⤵PID:1520
-
C:\Windows\zmigrsebrjgzumimnvd.exezmigrsebrjgzumimnvd.exe2⤵PID:5568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe .1⤵PID:5988
-
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3576 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\maxwikxvmfdxtmjoqziw.exe*."3⤵PID:4516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe .1⤵PID:5844
-
C:\Windows\yibweclfshbrjyrs.exeyibweclfshbrjyrs.exe .2⤵PID:4592
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yibweclfshbrjyrs.exe*."3⤵PID:5648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe1⤵PID:4944
-
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe2⤵PID:544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe1⤵PID:2756
-
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe2⤵PID:2980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .1⤵PID:440
-
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .2⤵
- Checks computer location settings
PID:4720 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\fqkgpoythxsjcsmon.exe*."3⤵PID:3956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe1⤵PID:2300
-
C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exeC:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe2⤵PID:5916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .1⤵PID:1592
-
C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exeC:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .2⤵
- Checks computer location settings
PID:5268 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\maxwikxvmfdxtmjoqziw.exe*."3⤵PID:1144
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .1⤵PID:1276
-
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .2⤵PID:4940
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zmigrsebrjgzumimnvd.exe*."3⤵PID:1516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe1⤵PID:5376
-
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe2⤵PID:4672
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe1⤵PID:5388
-
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe2⤵PID:4724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .1⤵PID:3448
-
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zmigrsebrjgzumimnvd.exe*."3⤵PID:2532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .1⤵PID:6104
-
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4732 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zmigrsebrjgzumimnvd.exe*."3⤵PID:5032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe1⤵PID:436
-
C:\Windows\zmigrsebrjgzumimnvd.exezmigrsebrjgzumimnvd.exe2⤵PID:4960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe .1⤵PID:2260
-
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe .2⤵
- Checks computer location settings
PID:4488 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bqoobesrjdcxuomsvfpec.exe*."3⤵PID:1124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe1⤵PID:4556
-
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe2⤵PID:3096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe .1⤵PID:4020
-
C:\Windows\zmigrsebrjgzumimnvd.exezmigrsebrjgzumimnvd.exe .2⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zmigrsebrjgzumimnvd.exe*."3⤵PID:6044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe1⤵PID:5744
-
C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe2⤵PID:5108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .1⤵PID:1040
-
C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exeC:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .2⤵PID:6032
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\maxwikxvmfdxtmjoqziw.exe*."3⤵PID:6124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe1⤵PID:1580
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5932
-
-
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe2⤵PID:4540
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .1⤵PID:3460
-
C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exeC:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4248 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bqoobesrjdcxuomsvfpec.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe1⤵PID:1408
-
C:\Windows\fqkgpoythxsjcsmon.exefqkgpoythxsjcsmon.exe2⤵PID:2980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe .1⤵PID:3804
-
C:\Windows\fqkgpoythxsjcsmon.exefqkgpoythxsjcsmon.exe .2⤵
- Checks computer location settings
PID:4700 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\fqkgpoythxsjcsmon.exe*."3⤵PID:2988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe1⤵PID:5756
-
C:\Windows\fqkgpoythxsjcsmon.exefqkgpoythxsjcsmon.exe2⤵PID:2060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe .1⤵PID:3132
-
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3580 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\oavsccnjypldxojmmt.exe*."3⤵PID:3940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe1⤵PID:4696
-
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe2⤵PID:1376
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .1⤵PID:4368
-
C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1372 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yibweclfshbrjyrs.exe*."3⤵PID:3184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe1⤵PID:2116
-
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe2⤵PID:4000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .1⤵PID:6036
-
C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1176 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yibweclfshbrjyrs.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe1⤵PID:6040
-
C:\Windows\fqkgpoythxsjcsmon.exefqkgpoythxsjcsmon.exe2⤵PID:4604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe .1⤵PID:4780
-
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4452 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\maxwikxvmfdxtmjoqziw.exe*."3⤵PID:5488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe1⤵PID:552
-
C:\Windows\yibweclfshbrjyrs.exeyibweclfshbrjyrs.exe2⤵PID:4152
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe .1⤵PID:4548
-
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4244 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bqoobesrjdcxuomsvfpec.exe*."3⤵PID:2436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe1⤵PID:4340
-
C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exeC:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe2⤵PID:1448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .1⤵PID:2448
-
C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exeC:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .2⤵PID:5872
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\maxwikxvmfdxtmjoqziw.exe*."3⤵PID:3808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe1⤵PID:4984
-
C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exeC:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe2⤵PID:3828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .1⤵PID:3236
-
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4884 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\fqkgpoythxsjcsmon.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe1⤵PID:4880
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1916
-
-
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe2⤵PID:2712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe .1⤵PID:1424
-
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe .2⤵PID:3016
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\maxwikxvmfdxtmjoqziw.exe*."3⤵PID:3740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe1⤵PID:6032
-
C:\Windows\fqkgpoythxsjcsmon.exefqkgpoythxsjcsmon.exe2⤵PID:6124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe .1⤵PID:556
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3964
-
-
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\oavsccnjypldxojmmt.exe*."3⤵PID:2336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe1⤵PID:1364
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5216
-
-
C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exeC:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe2⤵PID:4332
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .1⤵PID:5504
-
C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exeC:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .2⤵
- Checks computer location settings
PID:5016 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\maxwikxvmfdxtmjoqziw.exe*."3⤵PID:5004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe1⤵PID:4976
-
C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exeC:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe2⤵PID:3388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .1⤵PID:4100
-
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3804 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zmigrsebrjgzumimnvd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe1⤵PID:4928
-
C:\Windows\zmigrsebrjgzumimnvd.exezmigrsebrjgzumimnvd.exe2⤵PID:1756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe .1⤵PID:1944
-
C:\Windows\zmigrsebrjgzumimnvd.exezmigrsebrjgzumimnvd.exe .2⤵
- Checks computer location settings
PID:4596 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zmigrsebrjgzumimnvd.exe*."3⤵PID:2024
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe1⤵PID:5288
-
C:\Windows\zmigrsebrjgzumimnvd.exezmigrsebrjgzumimnvd.exe2⤵PID:5984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe .1⤵PID:2960
-
C:\Windows\fqkgpoythxsjcsmon.exefqkgpoythxsjcsmon.exe .2⤵
- Checks computer location settings
PID:5704 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\fqkgpoythxsjcsmon.exe*."3⤵PID:4532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe1⤵PID:3968
-
C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exeC:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe2⤵PID:912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .1⤵PID:4000
-
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .2⤵
- Checks computer location settings
PID:5156 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\oavsccnjypldxojmmt.exe*."3⤵PID:4092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe1⤵PID:1812
-
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe2⤵PID:4456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .1⤵PID:4788
-
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .2⤵PID:4940
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zmigrsebrjgzumimnvd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe1⤵PID:4796
-
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe2⤵PID:4152
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe .1⤵PID:4392
-
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe .2⤵
- Checks computer location settings
PID:4004 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\maxwikxvmfdxtmjoqziw.exe*."3⤵PID:3812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe1⤵PID:4088
-
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe2⤵PID:2532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe .1⤵PID:5720
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5856
-
-
C:\Windows\yibweclfshbrjyrs.exeyibweclfshbrjyrs.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5872 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yibweclfshbrjyrs.exe*."3⤵PID:5480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe1⤵PID:4768
-
C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe2⤵PID:1124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .1⤵PID:2448
-
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .2⤵
- Checks computer location settings
PID:1020 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\fqkgpoythxsjcsmon.exe*."3⤵PID:5812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe1⤵PID:3096
-
C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exeC:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe2⤵PID:2856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .1⤵PID:4188
-
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .2⤵
- Checks computer location settings
PID:644 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\fqkgpoythxsjcsmon.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe1⤵PID:540
-
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe2⤵PID:6124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe1⤵PID:1752
-
C:\Windows\yibweclfshbrjyrs.exeyibweclfshbrjyrs.exe2⤵PID:872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe .1⤵PID:5700
-
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe .2⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bqoobesrjdcxuomsvfpec.exe*."3⤵PID:3996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe .1⤵PID:6032
-
C:\Windows\zmigrsebrjgzumimnvd.exezmigrsebrjgzumimnvd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zmigrsebrjgzumimnvd.exe*."3⤵PID:2724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe1⤵PID:5668
-
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe2⤵PID:1016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe1⤵PID:1580
-
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe2⤵PID:4776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe1⤵PID:5504
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:388
-
-
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe2⤵PID:4264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe .1⤵PID:988
-
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1164 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bqoobesrjdcxuomsvfpec.exe*."3⤵PID:3944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe .1⤵PID:4916
-
C:\Windows\yibweclfshbrjyrs.exeyibweclfshbrjyrs.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5600 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yibweclfshbrjyrs.exe*."3⤵PID:1848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe .1⤵PID:960
-
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4532 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\maxwikxvmfdxtmjoqziw.exe*."3⤵PID:3916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe1⤵PID:2988
-
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe2⤵PID:700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe1⤵PID:4132
-
C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exeC:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe2⤵PID:5960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .1⤵PID:1756
-
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .2⤵
- Checks computer location settings
PID:1712 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zmigrsebrjgzumimnvd.exe*."3⤵PID:5992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .1⤵PID:2896
-
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:60 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zmigrsebrjgzumimnvd.exe*."3⤵PID:4660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe1⤵PID:5280
-
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe2⤵PID:4804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe .1⤵PID:3156
-
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe .2⤵
- Checks computer location settings
PID:4844 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\oavsccnjypldxojmmt.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe1⤵PID:912
-
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe2⤵PID:4644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe1⤵PID:2924
-
C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exeC:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe2⤵PID:4524
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe1⤵PID:2008
-
C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exeC:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe2⤵PID:5472
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .1⤵PID:1176
-
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .2⤵
- System Location Discovery: System Language Discovery
PID:832 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\oavsccnjypldxojmmt.exe*."3⤵PID:5604
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .1⤵PID:4808
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4456
-
-
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1592 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\fqkgpoythxsjcsmon.exe*."3⤵PID:5028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .1⤵PID:5344
-
C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4984 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yibweclfshbrjyrs.exe*."3⤵PID:3824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe1⤵PID:4152
-
C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe2⤵PID:3324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .1⤵PID:4004
-
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5656 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\fqkgpoythxsjcsmon.exe*."3⤵PID:4072
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe1⤵PID:3124
C:\Windows\zmigrsebrjgzumimnvd.exezmigrsebrjgzumimnvd.exe2⤵PID:4332
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe .1⤵PID:1364
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4336 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\oavsccnjypldxojmmt.exe*."3⤵PID:5932
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe1⤵PID:5860
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3740
C:\Windows\yibweclfshbrjyrs.exeyibweclfshbrjyrs.exe2⤵PID:544
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe .1⤵PID:2208
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4232 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\oavsccnjypldxojmmt.exe*."3⤵PID:2004
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe1⤵PID:4556
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe2⤵PID:4360
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .1⤵PID:3296
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .2⤵PID:3968
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zmigrsebrjgzumimnvd.exe*."3⤵PID:1560
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe1⤵PID:5576
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe2⤵PID:4712
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .1⤵PID:1836
C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exeC:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .2⤵PID:3112
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bqoobesrjdcxuomsvfpec.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4000
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe1⤵PID:4100
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe2⤵PID:4080
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe .1⤵PID:2436
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe .2⤵
- Checks computer location settings
PID:3580 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bqoobesrjdcxuomsvfpec.exe*."3⤵PID:2252
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe1⤵PID:4140
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe2⤵PID:5572
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe .1⤵PID:4700
C:\Windows\fqkgpoythxsjcsmon.exefqkgpoythxsjcsmon.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4716 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\fqkgpoythxsjcsmon.exe*."3⤵PID:4768
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe1⤵PID:4588
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe2⤵PID:1124
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .1⤵PID:4088
C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exeC:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .2⤵
- Checks computer location settings
PID:4964 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bqoobesrjdcxuomsvfpec.exe*."3⤵PID:5036
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe1⤵PID:3824
C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe2⤵PID:4680
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .1⤵PID:4676
C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .2⤵
- Checks computer location settings
PID:5768 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yibweclfshbrjyrs.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1332
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe1⤵PID:5656
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2664
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe2⤵PID:4764
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe .1⤵PID:3096
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe .2⤵
- Checks computer location settings
PID:5028 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bqoobesrjdcxuomsvfpec.exe*."3⤵PID:5344
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe1⤵PID:1432
C:\Windows\zmigrsebrjgzumimnvd.exezmigrsebrjgzumimnvd.exe2⤵PID:4244
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe .1⤵PID:3732
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:6124 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\maxwikxvmfdxtmjoqziw.exe*."3⤵PID:2380
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe1⤵PID:4820
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe2⤵PID:5064
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .1⤵PID:5160
C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exeC:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:6080 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bqoobesrjdcxuomsvfpec.exe*."3⤵PID:984
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe1⤵PID:1604
C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe2⤵PID:4204
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .1⤵PID:2300
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .2⤵PID:5700
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\oavsccnjypldxojmmt.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2004
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe1⤵PID:4568
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe2⤵PID:4776
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe .1⤵PID:1596
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe .2⤵PID:1832
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\oavsccnjypldxojmmt.exe*."3⤵PID:1936
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe1⤵PID:5576
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe2⤵PID:700
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe .1⤵PID:3460
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4732
C:\Windows\fqkgpoythxsjcsmon.exefqkgpoythxsjcsmon.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\fqkgpoythxsjcsmon.exe*."3⤵PID:5424
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe1⤵PID:772
C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exeC:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe2⤵PID:5784
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .1⤵PID:3940
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4620 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zmigrsebrjgzumimnvd.exe*."3⤵PID:3796
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe1⤵PID:4928
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe2⤵PID:1372
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .1⤵PID:1124
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .2⤵
- Checks computer location settings
PID:3640 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zmigrsebrjgzumimnvd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:960
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe1⤵PID:692
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe2⤵PID:5844
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe .1⤵PID:4536
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4728 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\oavsccnjypldxojmmt.exe*."3⤵PID:5496
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe1⤵PID:5720
C:\Windows\zmigrsebrjgzumimnvd.exezmigrsebrjgzumimnvd.exe2⤵PID:5984
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe .1⤵PID:4000
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe .2⤵
- Checks computer location settings
PID:4124 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\maxwikxvmfdxtmjoqziw.exe*."3⤵PID:5676
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe1⤵PID:4104
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe2⤵PID:4152
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .1⤵PID:3044
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:832 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zmigrsebrjgzumimnvd.exe*."3⤵PID:4364
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe1⤵PID:5780
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe2⤵PID:1828
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .1⤵PID:1432
C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exeC:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .2⤵
- Checks computer location settings
PID:540 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bqoobesrjdcxuomsvfpec.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3772
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵PID:5156
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe1⤵PID:4648
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6032
C:\Windows\yibweclfshbrjyrs.exeyibweclfshbrjyrs.exe2⤵PID:4668
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe .1⤵PID:2756
C:\Windows\zmigrsebrjgzumimnvd.exezmigrsebrjgzumimnvd.exe .2⤵PID:5216
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zmigrsebrjgzumimnvd.exe*."3⤵PID:2692
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe1⤵PID:1016
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe2⤵PID:1808
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe .1⤵PID:2208
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe .2⤵
- Checks computer location settings
PID:3364 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\maxwikxvmfdxtmjoqziw.exe*."3⤵PID:728
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe1⤵PID:5684
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe2⤵PID:1832
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .1⤵PID:1420
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\fqkgpoythxsjcsmon.exe*."3⤵PID:4020
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe1⤵PID:5576
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4532
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe2⤵PID:5852
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe1⤵PID:4856
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe2⤵PID:3056
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe1⤵PID:4284
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe2⤵PID:5356
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe .1⤵PID:1848
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\maxwikxvmfdxtmjoqziw.exe*."3⤵PID:2408
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .1⤵PID:4584
C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exeC:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\maxwikxvmfdxtmjoqziw.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2008
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe .1⤵PID:5420
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1372
C:\Windows\fqkgpoythxsjcsmon.exefqkgpoythxsjcsmon.exe .2⤵PID:4600
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\fqkgpoythxsjcsmon.exe*."3⤵PID:4916
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe1⤵PID:3388
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3812
C:\Windows\fqkgpoythxsjcsmon.exefqkgpoythxsjcsmon.exe2⤵PID:4088
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe .1⤵PID:1124
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5028 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bqoobesrjdcxuomsvfpec.exe*."3⤵PID:4556
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe1⤵PID:1552
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe2⤵PID:5612
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe1⤵PID:6072
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe2⤵PID:4208
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe .1⤵PID:3888
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe .2⤵PID:3804
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\oavsccnjypldxojmmt.exe*."3⤵PID:2004
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .1⤵PID:2272
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5984
C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4176 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yibweclfshbrjyrs.exe*."3⤵PID:5272
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe1⤵PID:1804
C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe2⤵PID:4084
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .1⤵PID:4764
C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exeC:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .2⤵
- Checks computer location settings
PID:1828 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\maxwikxvmfdxtmjoqziw.exe*."3⤵PID:1280
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe1⤵PID:5936
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe2⤵PID:5100
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .1⤵PID:3216
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:808 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\oavsccnjypldxojmmt.exe*."3⤵PID:728
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe1⤵PID:3044
C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exeC:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe2⤵PID:2620
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe1⤵PID:1840
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe2⤵PID:2268
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .1⤵PID:3496
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4736 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\oavsccnjypldxojmmt.exe*."3⤵PID:3968
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe .1⤵PID:4976
C:\Windows\fqkgpoythxsjcsmon.exefqkgpoythxsjcsmon.exe .2⤵
- Checks computer location settings
PID:4568 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\fqkgpoythxsjcsmon.exe*."3⤵PID:1596
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe1⤵PID:1808
C:\Windows\yibweclfshbrjyrs.exeyibweclfshbrjyrs.exe2⤵PID:1448
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe .1⤵PID:6048
C:\Windows\fqkgpoythxsjcsmon.exefqkgpoythxsjcsmon.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5852 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\fqkgpoythxsjcsmon.exe*."3⤵PID:4840
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe1⤵PID:4416
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe2⤵PID:4688
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .1⤵PID:700
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .2⤵PID:2676
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zmigrsebrjgzumimnvd.exe*."3⤵PID:3088
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe1⤵PID:2368
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5872
C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe2⤵PID:4088
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .1⤵PID:5472
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3824
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .2⤵PID:4368
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\oavsccnjypldxojmmt.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5612
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe1⤵PID:4104
C:\Windows\yibweclfshbrjyrs.exeyibweclfshbrjyrs.exe2⤵PID:5548
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe .1⤵PID:1552
C:\Windows\fqkgpoythxsjcsmon.exefqkgpoythxsjcsmon.exe .2⤵PID:1188
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\fqkgpoythxsjcsmon.exe*."3⤵PID:2972
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe1⤵PID:4072
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe2⤵PID:4480
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe .1⤵PID:1604
C:\Windows\fqkgpoythxsjcsmon.exefqkgpoythxsjcsmon.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1244 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\fqkgpoythxsjcsmon.exe*."3⤵PID:2392
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe1⤵PID:4516
C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe2⤵PID:5836
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .1⤵PID:3016
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4400 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zmigrsebrjgzumimnvd.exe*."3⤵PID:552
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe1⤵PID:5768
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe2⤵PID:1072
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .1⤵PID:1960
C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exeC:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\maxwikxvmfdxtmjoqziw.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4648
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe1⤵PID:4664
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe2⤵PID:3112
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe .1⤵PID:4020
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe .2⤵
- Checks computer location settings
PID:3892 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\oavsccnjypldxojmmt.exe*."3⤵PID:2828
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe1⤵PID:1564
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe2⤵PID:1808
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe .1⤵PID:936
C:\Windows\fqkgpoythxsjcsmon.exefqkgpoythxsjcsmon.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\fqkgpoythxsjcsmon.exe*."3⤵PID:5572
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe1⤵PID:4248
C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exeC:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe2⤵PID:4856
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .1⤵PID:5268
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\fqkgpoythxsjcsmon.exe*."3⤵PID:4080
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe1⤵PID:4612
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4716
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe2⤵PID:5496
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .1⤵PID:3684
C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yibweclfshbrjyrs.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1076
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe1⤵PID:4928
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe2⤵PID:5032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe .1⤵PID:1756
-
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe .2⤵
- Checks computer location settings
PID:2404 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bqoobesrjdcxuomsvfpec.exe*."3⤵PID:1400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe1⤵PID:1276
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5992
-
-
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe2⤵PID:2224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe .1⤵PID:4104
-
C:\Windows\fqkgpoythxsjcsmon.exefqkgpoythxsjcsmon.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4364 -
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\fqkgpoythxsjcsmon.exe*."3⤵PID:5860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe1⤵PID:2972
-
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe2⤵PID:3736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .1⤵PID:3096
-
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .2⤵PID:1804
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\fqkgpoythxsjcsmon.exe*."3⤵PID:2124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe1⤵PID:540
-
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe2⤵PID:5656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .1⤵PID:5772
-
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .2⤵PID:5376
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\fqkgpoythxsjcsmon.exe*."3⤵PID:644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe1⤵PID:5912
-
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe2⤵PID:5272
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe .1⤵PID:1840
-
C:\Windows\zmigrsebrjgzumimnvd.exezmigrsebrjgzumimnvd.exe .2⤵PID:2116
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zmigrsebrjgzumimnvd.exe*."3⤵PID:4944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe1⤵PID:2812
-
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe2⤵PID:4336
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe .1⤵PID:6108
-
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe .2⤵PID:5764
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\maxwikxvmfdxtmjoqziw.exe*."3⤵PID:1040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe1⤵PID:2060
-
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe2⤵PID:5852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .1⤵PID:5216
-
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .2⤵PID:4892
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zmigrsebrjgzumimnvd.exe*."3⤵PID:2980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe1⤵PID:4264
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4596
-
-
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe2⤵PID:5600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .1⤵PID:3800
-
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .2⤵PID:3960
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\oavsccnjypldxojmmt.exe*."3⤵PID:5424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe1⤵PID:5372
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4088
-
-
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe2⤵PID:4704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe .1⤵PID:2408
-
C:\Windows\zmigrsebrjgzumimnvd.exezmigrsebrjgzumimnvd.exe .2⤵PID:2824
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zmigrsebrjgzumimnvd.exe*."3⤵PID:1272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe1⤵PID:5032
-
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe2⤵PID:4912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe .1⤵PID:4988
-
C:\Windows\fqkgpoythxsjcsmon.exefqkgpoythxsjcsmon.exe .2⤵PID:5968
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\fqkgpoythxsjcsmon.exe*."3⤵PID:1972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe1⤵PID:2628
-
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe2⤵PID:1248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .1⤵PID:3184
-
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .2⤵PID:4188
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\fqkgpoythxsjcsmon.exe*."3⤵PID:4364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe1⤵PID:5720
-
C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe2⤵PID:4516
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .1⤵PID:6032
-
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .2⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\fqkgpoythxsjcsmon.exe*."3⤵PID:5656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe1⤵PID:5892
-
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe2⤵PID:5936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe .1⤵PID:2360
-
C:\Windows\fqkgpoythxsjcsmon.exefqkgpoythxsjcsmon.exe .2⤵PID:3160
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\fqkgpoythxsjcsmon.exe*."3⤵PID:5576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe1⤵PID:556
-
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe2⤵PID:4820
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe .1⤵PID:4884
-
C:\Windows\yibweclfshbrjyrs.exeyibweclfshbrjyrs.exe .2⤵PID:5912
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yibweclfshbrjyrs.exe*."3⤵PID:5664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe1⤵PID:6100
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4152
-
-
C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exeC:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe2⤵PID:2236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .1⤵PID:5592
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5480
-
-
C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .2⤵PID:3996
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yibweclfshbrjyrs.exe*."3⤵PID:1144
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe1⤵PID:2200
-
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe2⤵PID:5728
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe1⤵PID:5704
-
C:\Windows\zmigrsebrjgzumimnvd.exezmigrsebrjgzumimnvd.exe2⤵PID:3496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe1⤵PID:1424
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1448
-
-
C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exeC:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe2⤵PID:2388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe .1⤵PID:4476
-
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe .2⤵PID:5884
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\oavsccnjypldxojmmt.exe*."3⤵PID:4972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .1⤵PID:6108
-
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .2⤵PID:3948
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\oavsccnjypldxojmmt.exe*."3⤵PID:2404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe .1⤵PID:3376
-
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe .2⤵PID:2104
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bqoobesrjdcxuomsvfpec.exe*."3⤵PID:4028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe1⤵PID:4880
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:644
-
-
C:\Windows\fqkgpoythxsjcsmon.exefqkgpoythxsjcsmon.exe2⤵PID:2776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe1⤵PID:3640
-
C:\Windows\zmigrsebrjgzumimnvd.exezmigrsebrjgzumimnvd.exe2⤵PID:3460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe .1⤵PID:5436
-
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe .2⤵PID:4836
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\oavsccnjypldxojmmt.exe*."3⤵PID:2772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe .1⤵PID:5948
-
C:\Windows\zmigrsebrjgzumimnvd.exezmigrsebrjgzumimnvd.exe .2⤵PID:4188
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zmigrsebrjgzumimnvd.exe*."3⤵PID:3236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe1⤵PID:5048
-
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe2⤵PID:4960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe1⤵PID:736
-
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe2⤵PID:5588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .1⤵PID:804
-
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .2⤵PID:2620
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\oavsccnjypldxojmmt.exe*."3⤵PID:5768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .1⤵PID:4896
-
C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exeC:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .2⤵PID:4104
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\maxwikxvmfdxtmjoqziw.exe*."3⤵PID:1076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe1⤵PID:1276
-
C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe2⤵PID:4708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe1⤵PID:1192
-
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe2⤵PID:2332
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .1⤵PID:5228
-
C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .2⤵PID:6076
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yibweclfshbrjyrs.exe*."3⤵PID:1512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .1⤵PID:4340
-
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .2⤵PID:3256
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\oavsccnjypldxojmmt.exe*."3⤵PID:5484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe1⤵PID:5740
-
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe2⤵PID:4724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe .1⤵PID:1332
-
C:\Windows\yibweclfshbrjyrs.exeyibweclfshbrjyrs.exe .2⤵PID:5096
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yibweclfshbrjyrs.exe*."3⤵PID:5612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe1⤵PID:1644
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4768
-
-
C:\Windows\yibweclfshbrjyrs.exeyibweclfshbrjyrs.exe2⤵PID:6100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe .1⤵PID:2560
-
C:\Windows\yibweclfshbrjyrs.exeyibweclfshbrjyrs.exe .2⤵PID:4604
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yibweclfshbrjyrs.exe*."3⤵PID:2828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe1⤵PID:3168
-
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe2⤵PID:1840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .1⤵PID:5944
-
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .2⤵PID:4932
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\oavsccnjypldxojmmt.exe*."3⤵PID:5468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe1⤵PID:1936
-
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe2⤵PID:4508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .1⤵PID:4568
-
C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exeC:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .2⤵PID:3960
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bqoobesrjdcxuomsvfpec.exe*."3⤵PID:5288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe1⤵PID:3460
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2252
-
-
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe2⤵PID:4784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe .1⤵PID:1756
-
C:\Windows\fqkgpoythxsjcsmon.exefqkgpoythxsjcsmon.exe .2⤵PID:1376
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\fqkgpoythxsjcsmon.exe*."3⤵PID:2996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe1⤵PID:6104
-
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe2⤵PID:5356
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe .1⤵PID:1436
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2532
-
-
C:\Windows\yibweclfshbrjyrs.exeyibweclfshbrjyrs.exe .2⤵PID:1636
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yibweclfshbrjyrs.exe*."3⤵PID:3552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe1⤵PID:3056
-
C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exeC:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe2⤵PID:4476
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .1⤵PID:928
-
C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exeC:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .2⤵PID:3868
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\maxwikxvmfdxtmjoqziw.exe*."3⤵PID:4760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe1⤵PID:4516
-
C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe2⤵PID:3644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .1⤵PID:3468
-
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .2⤵PID:2008
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\fqkgpoythxsjcsmon.exe*."3⤵PID:1464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe1⤵PID:5812
-
C:\Windows\yibweclfshbrjyrs.exeyibweclfshbrjyrs.exe2⤵PID:1832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe .1⤵PID:4624
-
C:\Windows\yibweclfshbrjyrs.exeyibweclfshbrjyrs.exe .2⤵PID:2176
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yibweclfshbrjyrs.exe*."3⤵PID:1944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe1⤵PID:1580
-
C:\Windows\yibweclfshbrjyrs.exeyibweclfshbrjyrs.exe2⤵PID:4736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe .1⤵PID:552
-
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe .2⤵PID:5432
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bqoobesrjdcxuomsvfpec.exe*."3⤵PID:4548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe1⤵PID:2720
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3828
-
-
C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exeC:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe2⤵PID:4740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .1⤵PID:1144
-
C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exeC:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .2⤵PID:4604
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\maxwikxvmfdxtmjoqziw.exe*."3⤵PID:4360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe1⤵PID:5724
-
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe2⤵PID:2200
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .1⤵PID:3956
-
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .2⤵PID:2832
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zmigrsebrjgzumimnvd.exe*."3⤵PID:2300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe1⤵PID:2548
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5656
-
-
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe2⤵PID:5372
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe .1⤵PID:6124
-
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe .2⤵PID:1936
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\maxwikxvmfdxtmjoqziw.exe*."3⤵PID:3960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe1⤵PID:4864
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1628
-
-
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe2⤵PID:4644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe .1⤵PID:5876
-
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe .2⤵PID:3772
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bqoobesrjdcxuomsvfpec.exe*."3⤵PID:2996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe1⤵PID:2448
-
C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exeC:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe2⤵PID:988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .1⤵PID:2712
-
C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .2⤵PID:3512
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yibweclfshbrjyrs.exe*."3⤵PID:4880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe1⤵PID:5988
-
C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exeC:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe2⤵PID:4528
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .1⤵PID:4104
-
C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exeC:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .2⤵PID:3144
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\maxwikxvmfdxtmjoqziw.exe*."3⤵PID:5268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe1⤵PID:3740
-
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe2⤵PID:3888
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe .1⤵PID:1828
-
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe .2⤵PID:1484
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\oavsccnjypldxojmmt.exe*."3⤵PID:4364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe1⤵PID:5028
-
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe2⤵PID:2724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe .1⤵PID:4068
-
C:\Windows\yibweclfshbrjyrs.exeyibweclfshbrjyrs.exe .2⤵PID:1592
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yibweclfshbrjyrs.exe*."3⤵PID:804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe1⤵PID:736
-
C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exeC:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe2⤵PID:2248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .1⤵PID:5096
-
C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .2⤵PID:2244
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yibweclfshbrjyrs.exe*."3⤵PID:2236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe1⤵PID:4400
-
C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe2⤵PID:4812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .1⤵PID:2408
-
C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exeC:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .2⤵PID:5016
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bqoobesrjdcxuomsvfpec.exe*."3⤵PID:1232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe1⤵PID:4708
-
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe2⤵PID:4944
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe .1⤵PID:4336
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1124
-
-
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe .2⤵PID:4764
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bqoobesrjdcxuomsvfpec.exe*."3⤵PID:4724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe1⤵PID:4236
-
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe2⤵PID:2268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe .1⤵PID:2756
-
C:\Windows\bqoobesrjdcxuomsvfpec.exebqoobesrjdcxuomsvfpec.exe .2⤵PID:5920
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bqoobesrjdcxuomsvfpec.exe*."3⤵PID:5932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe1⤵PID:5596
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4620
-
-
C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exeC:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe2⤵PID:728
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .1⤵PID:4232
-
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe .2⤵PID:2824
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\oavsccnjypldxojmmt.exe*."3⤵PID:2548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe1⤵PID:5852
-
C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exeC:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe2⤵PID:1448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .1⤵PID:1420
-
C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exeC:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .2⤵PID:4712
-
C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe"C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yibweclfshbrjyrs.exe*."3⤵PID:4972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe1⤵PID:3940
-
C:\Windows\maxwikxvmfdxtmjoqziw.exemaxwikxvmfdxtmjoqziw.exe2⤵PID:4556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe1⤵PID:3156
-
C:\Windows\oavsccnjypldxojmmt.exeoavsccnjypldxojmmt.exe2⤵PID:5216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe .1⤵PID:2504
-
Process tree (level | PID | image | command line)
  2 | 5600 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2 | 4732 | C:\Windows\oavsccnjypldxojmmt.exe | oavsccnjypldxojmmt.exe .
    3 | 5488 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\oavsccnjypldxojmmt.exe*."
1 | 4880 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe
  2 | 828 | C:\Windows\oavsccnjypldxojmmt.exe | oavsccnjypldxojmmt.exe
1 | 2988 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe .
  2 | 2012 | C:\Windows\yibweclfshbrjyrs.exe | yibweclfshbrjyrs.exe .
    3 | 1016 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yibweclfshbrjyrs.exe*."
1 | 2984 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe
  2 | 5892 | C:\Windows\bqoobesrjdcxuomsvfpec.exe | bqoobesrjdcxuomsvfpec.exe
1 | 4892 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe .
  2 | 3164 | C:\Windows\fqkgpoythxsjcsmon.exe | fqkgpoythxsjcsmon.exe .
    3 | 4176 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\fqkgpoythxsjcsmon.exe*."
1 | 1436 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe .
  2 | 5768 | C:\Windows\zmigrsebrjgzumimnvd.exe | zmigrsebrjgzumimnvd.exe .
    3 | 6072 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zmigrsebrjgzumimnvd.exe*."
1 | 3364 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe
  2 | 5772 | C:\Windows\oavsccnjypldxojmmt.exe | oavsccnjypldxojmmt.exe
1 | 2224 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe
  2 | 2176 | C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe | C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe
1 | 3248 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe .
  2 | 4936 | C:\Windows\yibweclfshbrjyrs.exe | yibweclfshbrjyrs.exe .
    3 | 2388 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yibweclfshbrjyrs.exe*."
1 | 5220 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe
  2 | 2828 | C:\Windows\fqkgpoythxsjcsmon.exe | fqkgpoythxsjcsmon.exe
1 | 6020 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .
  2 | 4988 | C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .
    3 | 4248 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yibweclfshbrjyrs.exe*."
1 | 3900 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe
  2 | 3168 | C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe | C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe
1 | 1828 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe .
  2 | 1832 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2 | 4152 | C:\Windows\zmigrsebrjgzumimnvd.exe | zmigrsebrjgzumimnvd.exe .
    3 | 728 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zmigrsebrjgzumimnvd.exe*."
1 | 3468 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .
  2 | 5944 | C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe | C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .
    3 | 5724 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zmigrsebrjgzumimnvd.exe*."
1 | 4792 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe
  2 | 1564 | C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe | C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe
1 | 3016 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .
  2 | 1176 | C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .
    3 | 5420 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yibweclfshbrjyrs.exe*."
1 | 440 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe
  2 | 5436 | C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe
1 | 4072 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .
  2 | 5932 | C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe | C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .
    3 | 4508 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zmigrsebrjgzumimnvd.exe*."
1 | 2408 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe
  2 | 3948 | C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe
1 | 5408 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .
  2 | 3280 | C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe | C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .
    3 | 4644 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\fqkgpoythxsjcsmon.exe*."
1 | 1144 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe
  2 | 1808 | C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe | C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe
1 | 5796 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .
  2 | 4844 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2 | 5376 | C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe | C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .
    3 | 3652 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bqoobesrjdcxuomsvfpec.exe*."
1 | 5744 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe
  2 | 5472 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2 | 4840 | C:\Windows\maxwikxvmfdxtmjoqziw.exe | maxwikxvmfdxtmjoqziw.exe
1 | 2776 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe .
  2 | 5140 | C:\Windows\yibweclfshbrjyrs.exe | yibweclfshbrjyrs.exe .
    3 | 3904 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yibweclfshbrjyrs.exe*."
1 | 4832 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe
  2 | 1192 | C:\Windows\zmigrsebrjgzumimnvd.exe | zmigrsebrjgzumimnvd.exe
1 | 4968 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe .
  2 | 3768 | C:\Windows\bqoobesrjdcxuomsvfpec.exe | bqoobesrjdcxuomsvfpec.exe .
    3 | 4808 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bqoobesrjdcxuomsvfpec.exe*."
1 | 3552 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe
  2 | 5588 | C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe | C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe
1 | 5672 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .
  2 | 5004 | C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe | C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .
    3 | 2004 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zmigrsebrjgzumimnvd.exe*."
1 | 5716 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe
  2 | 4472 | C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe | C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe
1 | 4176 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .
  2 | 4972 | C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .
    3 | 956 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yibweclfshbrjyrs.exe*."
1 | 2724 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe
  2 | 4760 | C:\Windows\bqoobesrjdcxuomsvfpec.exe | bqoobesrjdcxuomsvfpec.exe
1 | 3144 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe .
  2 | 3112 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2 | 3472 | C:\Windows\oavsccnjypldxojmmt.exe | oavsccnjypldxojmmt.exe .
    3 | 2076 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\oavsccnjypldxojmmt.exe*."
1 | 3124 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe
  2 | 2876 | C:\Windows\maxwikxvmfdxtmjoqziw.exe | maxwikxvmfdxtmjoqziw.exe
1 | 2304 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe .
  2 | 3588 | C:\Windows\maxwikxvmfdxtmjoqziw.exe | maxwikxvmfdxtmjoqziw.exe .
    3 | 376 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\maxwikxvmfdxtmjoqziw.exe*."
1 | 5220 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe
  2 | 1580 | C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe | C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe
1 | 4552 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .
  2 | 3800 | C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe | C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .
    3 | 1808 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bqoobesrjdcxuomsvfpec.exe*."
1 | 4128 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe
  2 | 224 | C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe | C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe
1 | 2272 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .
  2 | 5740 | C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .
    3 | 6036 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yibweclfshbrjyrs.exe*."
1 | 6076 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe
  2 | 5796 | C:\Windows\maxwikxvmfdxtmjoqziw.exe | maxwikxvmfdxtmjoqziw.exe
1 | 1252 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe .
  2 | 1560 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2 | 4952 | C:\Windows\oavsccnjypldxojmmt.exe | oavsccnjypldxojmmt.exe .
    3 | 1936 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\oavsccnjypldxojmmt.exe*."
1 | 1420 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe
  2 | 4608 | C:\Windows\yibweclfshbrjyrs.exe | yibweclfshbrjyrs.exe
1 | 2804 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe .
  2 | 2896 | C:\Windows\bqoobesrjdcxuomsvfpec.exe | bqoobesrjdcxuomsvfpec.exe .
    3 | 5736 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bqoobesrjdcxuomsvfpec.exe*."
1 | 1972 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe
  2 | 4556 | C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe | C:\Users\Admin\AppData\Local\Temp\oavsccnjypldxojmmt.exe
1 | 700 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .
  2 | 4688 | C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe | C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .
    3 | 2472 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bqoobesrjdcxuomsvfpec.exe*."
1 | 5356 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe
  2 | 4028 | C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe | C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe
1 | 2604 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .
  2 | 3640 | C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe | C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .
    3 | 4772 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zmigrsebrjgzumimnvd.exe*."
1 | 604 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe
  2 | 3056 | C:\Windows\zmigrsebrjgzumimnvd.exe | zmigrsebrjgzumimnvd.exe
1 | 4932 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe .
  2 | 4584 | C:\Windows\zmigrsebrjgzumimnvd.exe | zmigrsebrjgzumimnvd.exe .
    3 | 2176 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\zmigrsebrjgzumimnvd.exe*."
1 | 2536 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe
  2 | 4996 | C:\Windows\zmigrsebrjgzumimnvd.exe | zmigrsebrjgzumimnvd.exe
1 | 764 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe .
  2 | 1332 | C:\Windows\oavsccnjypldxojmmt.exe | oavsccnjypldxojmmt.exe .
    3 | 4680 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\oavsccnjypldxojmmt.exe*."
1 | 4340 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe
  2 | 2972 | C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe | C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe
1 | 5580 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .
  2 | 3168 | C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe | C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .
    3 | 2124 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bqoobesrjdcxuomsvfpec.exe*."
1 | 4564 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe
  2 | 5880 | C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe | C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe
1 | 4080 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .
  2 | 1436 | C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe | C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe .
    3 | 4836 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\maxwikxvmfdxtmjoqziw.exe*."
1 | 808 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe
  2 | 5480 | C:\Windows\fqkgpoythxsjcsmon.exe | fqkgpoythxsjcsmon.exe
1 | 3900 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe .
  2 | 5784 | C:\Windows\oavsccnjypldxojmmt.exe | oavsccnjypldxojmmt.exe .
    3 | 4204 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\oavsccnjypldxojmmt.exe*."
1 | 4612 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe
  2 | 4468 | C:\Windows\oavsccnjypldxojmmt.exe | oavsccnjypldxojmmt.exe
1 | 4860 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe .
  2 | 1808 | C:\Windows\fqkgpoythxsjcsmon.exe | fqkgpoythxsjcsmon.exe .
    3 | 4128 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\fqkgpoythxsjcsmon.exe*."
1 | 4816 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe
  2 | 4068 | C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe | C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe
1 | 3892 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .
  2 | 956 | C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe | C:\Users\Admin\AppData\Local\Temp\bqoobesrjdcxuomsvfpec.exe .
    3 | 5740 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\bqoobesrjdcxuomsvfpec.exe*."
1 | 2720 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe
  2 | 5852 | C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe | C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe
1 | 5844 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .
  2 | 1364 | C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe .
    3 | 6076 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\yibweclfshbrjyrs.exe*."
1 | 3380 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe
  2 | 5960 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2 | 2408 | C:\Windows\bqoobesrjdcxuomsvfpec.exe | bqoobesrjdcxuomsvfpec.exe
1 | 4020 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yibweclfshbrjyrs.exe .
  2 | 4592 | C:\Windows\yibweclfshbrjyrs.exe | yibweclfshbrjyrs.exe .
    3 | 5744 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\yibweclfshbrjyrs.exe*."
1 | 6108 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe
  2 | 6100 | C:\Windows\maxwikxvmfdxtmjoqziw.exe | maxwikxvmfdxtmjoqziw.exe
1 | 5736 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fqkgpoythxsjcsmon.exe .
  2 | 2800 | C:\Windows\fqkgpoythxsjcsmon.exe | fqkgpoythxsjcsmon.exe .
    3 | 1040 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\fqkgpoythxsjcsmon.exe*."
1 | 4988 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe
  2 | 1188 | C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe | C:\Users\Admin\AppData\Local\Temp\yibweclfshbrjyrs.exe
1 | 1836 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .
  2 | 2676 | C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe | C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .
    3 | 3808 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\zmigrsebrjgzumimnvd.exe*."
1 | 6020 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe
  2 | 2924 | C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe | C:\Users\Admin\AppData\Local\Temp\maxwikxvmfdxtmjoqziw.exe
1 | 3440 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .
  2 | 4124 | C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe | C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe .
    3 | 4932 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\users\admin\appdata\local\temp\fqkgpoythxsjcsmon.exe*."
1 | 1552 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe
  2 | 1928 | C:\Windows\maxwikxvmfdxtmjoqziw.exe | maxwikxvmfdxtmjoqziw.exe
1 | 4476 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zmigrsebrjgzumimnvd.exe
  2 | 2988 | C:\Windows\zmigrsebrjgzumimnvd.exe | zmigrsebrjgzumimnvd.exe
1 | 4960 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe .
  2 | 4536 | C:\Windows\bqoobesrjdcxuomsvfpec.exe | bqoobesrjdcxuomsvfpec.exe .
    3 | 5432 | C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe | "C:\Users\Admin\AppData\Local\Temp\sdqaokddcna.exe" "c:\windows\bqoobesrjdcxuomsvfpec.exe*."
1 | 336 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c maxwikxvmfdxtmjoqziw.exe .
  2 | 5984 | C:\Windows\maxwikxvmfdxtmjoqziw.exe | maxwikxvmfdxtmjoqziw.exe .
1 | 804 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe
  2 | 4876 | C:\Windows\bqoobesrjdcxuomsvfpec.exe | bqoobesrjdcxuomsvfpec.exe
1 | 5268 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bqoobesrjdcxuomsvfpec.exe .
  2 | 2380 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1 | 1328 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe
1 | 5036 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe
1 | 5500 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqkgpoythxsjcsmon.exe
1 | 3364 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c oavsccnjypldxojmmt.exe .
1 | 5780 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmigrsebrjgzumimnvd.exe .
Network
MITRE ATT&CK Enterprise v16 (tactic: technique, number of matching signatures)
Persistence
  Boot or Logon Autostart Execution: 3
    Registry Run Keys / Startup Folder: 2
    Winlogon Helper DLL: 1
  Hijack Execution Flow: 1
    Executable Installer File Permissions Weakness: 1
Privilege Escalation
  Abuse Elevation Control Mechanism: 1
    Bypass User Account Control: 1
  Boot or Logon Autostart Execution: 3
    Registry Run Keys / Startup Folder: 2
    Winlogon Helper DLL: 1
  Hijack Execution Flow: 1
    Executable Installer File Permissions Weakness: 1
Defense Evasion
  Abuse Elevation Control Mechanism: 1
    Bypass User Account Control: 1
  Hijack Execution Flow: 1
    Executable Installer File Permissions Weakness: 1
  Impair Defenses: 2
    Disable or Modify Tools: 1
    Safe Mode Boot: 1
  Modify Registry: 5
Downloads