Analysis
- max time kernel: 45s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system
- submitted: 13/04/2025, 09:40

Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_b440589d0ee46569ca9013e1c4f70261.exe
- Resource: win10v2004-20250314-en

General
- Target: JaffaCakes118_b440589d0ee46569ca9013e1c4f70261.exe
- Size: 500KB
- MD5: b440589d0ee46569ca9013e1c4f70261
- SHA1: 39a762dc54d82d9599677234cc14856c616689c5
- SHA256: 8ca695115227d8c7562dd4cd271fbffe9bb4eca124c6248b1f4ab40075883830
- SHA512: 9650a7cc2a9ade07291b4c6b0fd441ae2b0bd2aa9eed5061db786c1eb56494eab6a6e63356f30d55ec780b2081ec0712753f9daac8a0ab8eef8a886c7238fb33
- SSDEEP: 12288:igBhmV2/ZGUVygDGnts+z73i+z5Njod/qSOm2WRE:ThA2/ZGUVes+i+hnm24E
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 21 IoCs)
- Pykspa family
- UAC bypass (3 TTPs, 30 IoCs)
- Detect Pykspa worm (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x01ad0000000221a8-4.dat | family_pykspa
  behavioral1/files/0x000200000001ea4b-82.dat | family_pykspa
- Adds policy Run key to start application (2 TTPs, 64 IoCs)
- Blocklisted process makes network request (7 IoCs)
  flow | pid | Process
  55 | 5184 | Process not Found
  59 | 5184 | Process not Found
  63 | 5184 | Process not Found
  66 | 5184 | Process not Found
  76 | 5184 | Process not Found
  190 | 5608 | Process not Found
  195 | 5608 | Process not Found
- Disables RegEdit via registry modification (6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lpzeiq.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lpzeiq.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lpzeiq.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lpzeiq.exe
- Checks computer location settings (2 TTPs, 64 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE (64 IoCs)
- Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
  description | ioc | Process
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | lpzeiq.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | lpzeiq.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | lpzeiq.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | lpzeiq.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | lpzeiq.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | lpzeiq.exe
- Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypmevqgatpqzkcouqhe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypmevqgatpqzkcouqhe.exe" | lpzeiq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbtgsitiwnjntg = "xlfuianeunlrzoxa.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pbtgsitiwnjntg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndzqgapiavvdnepupf.exe ." | lpzeiq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypmevqgatpqzkcouqhe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlfuianeunlrzoxa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ndzqgapiavvdnepupf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etoetmasjdcjsiswq.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ndzqgapiavvdnepupf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlfuianeunlrzoxa.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ndzqgapiavvdnepupf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlfuianeunlrzoxa.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozqcncmandybg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypmevqgatpqzkcouqhe.exe" | lpzeiq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypmevqgatpqzkcouqhe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldbumizuolnxjcpwtljc.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xlfuianeunlrzoxa = "ypmevqgatpqzkcouqhe.exe" | lpzeiq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pbtgsitiwnjntg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndzqgapiavvdnepupf.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pbtgsitiwnjntg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlfuianeunlrzoxa.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xlfuianeunlrzoxa = "etoetmasjdcjsiswq.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xlfuianeunlrzoxa = "atsmfcuqljmxkesayrqkd.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypmevqgatpqzkcouqhe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etoetmasjdcjsiswq.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\etoetmasjdcjsiswq = "etoetmasjdcjsiswq.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozqcncmandybg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlfuianeunlrzoxa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\etoetmasjdcjsiswq = "ypmevqgatpqzkcouqhe.exe ." | lpzeiq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbtgsitiwnjntg = "ndzqgapiavvdnepupf.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\etoetmasjdcjsiswq = "atsmfcuqljmxkesayrqkd.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypmevqgatpqzkcouqhe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypmevqgatpqzkcouqhe.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypmevqgatpqzkcouqhe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlfuianeunlrzoxa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypmevqgatpqzkcouqhe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypmevqgatpqzkcouqhe.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xlfuianeunlrzoxa = "ldbumizuolnxjcpwtljc.exe" | lpzeiq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozqcncmandybg = "atsmfcuqljmxkesayrqkd.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozqcncmandybg = "etoetmasjdcjsiswq.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xlfuianeunlrzoxa = "xlfuianeunlrzoxa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\etoetmasjdcjsiswq = "ldbumizuolnxjcpwtljc.exe ." | lpzeiq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozqcncmandybg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypmevqgatpqzkcouqhe.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pbtgsitiwnjntg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldbumizuolnxjcpwtljc.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypmevqgatpqzkcouqhe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldbumizuolnxjcpwtljc.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozqcncmandybg = "ndzqgapiavvdnepupf.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypmevqgatpqzkcouqhe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etoetmasjdcjsiswq.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ndzqgapiavvdnepupf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndzqgapiavvdnepupf.exe ." | lpzeiq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozqcncmandybg = "ndzqgapiavvdnepupf.exe" | lpzeiq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozqcncmandybg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atsmfcuqljmxkesayrqkd.exe" | lpzeiq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xlfuianeunlrzoxa = "ldbumizuolnxjcpwtljc.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xlfuianeunlrzoxa = "xlfuianeunlrzoxa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozqcncmandybg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldbumizuolnxjcpwtljc.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\etoetmasjdcjsiswq = "atsmfcuqljmxkesayrqkd.exe ." | lpzeiq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xlfuianeunlrzoxa = "xlfuianeunlrzoxa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xlfuianeunlrzoxa = "xlfuianeunlrzoxa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pbtgsitiwnjntg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlfuianeunlrzoxa.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozqcncmandybg = "ldbumizuolnxjcpwtljc.exe" | lpzeiq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pbtgsitiwnjntg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etoetmasjdcjsiswq.exe ." | lpzeiq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbtgsitiwnjntg = "xlfuianeunlrzoxa.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbtgsitiwnjntg = "ypmevqgatpqzkcouqhe.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\etoetmasjdcjsiswq = "etoetmasjdcjsiswq.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ndzqgapiavvdnepupf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldbumizuolnxjcpwtljc.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozqcncmandybg = "xlfuianeunlrzoxa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbtgsitiwnjntg = "xlfuianeunlrzoxa.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozqcncmandybg = "etoetmasjdcjsiswq.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pbtgsitiwnjntg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atsmfcuqljmxkesayrqkd.exe ." | lpzeiq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xlfuianeunlrzoxa = "ndzqgapiavvdnepupf.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozqcncmandybg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etoetmasjdcjsiswq.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozqcncmandybg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etoetmasjdcjsiswq.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ndzqgapiavvdnepupf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypmevqgatpqzkcouqhe.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypmevqgatpqzkcouqhe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlfuianeunlrzoxa.exe" | lpzeiq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pbtgsitiwnjntg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldbumizuolnxjcpwtljc.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypmevqgatpqzkcouqhe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etoetmasjdcjsiswq.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypmevqgatpqzkcouqhe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atsmfcuqljmxkesayrqkd.exe" | lpzeiq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypmevqgatpqzkcouqhe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atsmfcuqljmxkesayrqkd.exe" | lpzeiq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\etoetmasjdcjsiswq = "xlfuianeunlrzoxa.exe ." | lpzeiq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\etoetmasjdcjsiswq = "ndzqgapiavvdnepupf.exe ." | rfyzcmqobpi.exe
Checks whether UAC is enabled 1 TTPs 42 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lpzeiq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lpzeiq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lpzeiq.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lpzeiq.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | lpzeiq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | lpzeiq.exe
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
30 | whatismyipaddress.com
34 | www.showmyipaddress.com
36 | www.whatismyip.ca
46 | whatismyip.everdot.org
48 | www.whatismyip.ca
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ypmevqgatpqzkcouqhe.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\atsmfcuqljmxkesayrqkd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\xlfuianeunlrzoxa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ypmevqgatpqzkcouqhe.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\xlfuianeunlrzoxa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ldbumizuolnxjcpwtljc.exe | lpzeiq.exe
File opened for modification | C:\Windows\SysWOW64\rllgayrokjnznixgfzzuom.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ndzqgapiavvdnepupf.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\xlfuianeunlrzoxa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ldbumizuolnxjcpwtljc.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ypmevqgatpqzkcouqhe.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\atsmfcuqljmxkesayrqkd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\rllgayrokjnznixgfzzuom.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ndzqgapiavvdnepupf.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ndzqgapiavvdnepupf.exe | lpzeiq.exe
File opened for modification | C:\Windows\SysWOW64\ypmevqgatpqzkcouqhe.exe | lpzeiq.exe
File created | C:\Windows\SysWOW64\xlfuianeunlrzoxathbqewjaqjhnvktwpdxmas.wmf | lpzeiq.exe
File opened for modification | C:\Windows\SysWOW64\ldbumizuolnxjcpwtljc.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\atsmfcuqljmxkesayrqkd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ldbumizuolnxjcpwtljc.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ypmevqgatpqzkcouqhe.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\rllgayrokjnznixgfzzuom.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ldbumizuolnxjcpwtljc.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ypmevqgatpqzkcouqhe.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\rllgayrokjnznixgfzzuom.exe | lpzeiq.exe
File opened for modification | C:\Windows\SysWOW64\rllgayrokjnznixgfzzuom.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\etoetmasjdcjsiswq.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\etoetmasjdcjsiswq.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\atsmfcuqljmxkesayrqkd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\etoetmasjdcjsiswq.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ldbumizuolnxjcpwtljc.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\etoetmasjdcjsiswq.exe | lpzeiq.exe
File opened for modification | C:\Windows\SysWOW64\ldbumizuolnxjcpwtljc.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\rllgayrokjnznixgfzzuom.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ypmevqgatpqzkcouqhe.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\etoetmasjdcjsiswq.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\etoetmasjdcjsiswq.exe | lpzeiq.exe
File opened for modification | C:\Windows\SysWOW64\rllgayrokjnznixgfzzuom.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ndzqgapiavvdnepupf.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ldbumizuolnxjcpwtljc.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ldbumizuolnxjcpwtljc.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\xlfuianeunlrzoxa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\atsmfcuqljmxkesayrqkd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\atsmfcuqljmxkesayrqkd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\rllgayrokjnznixgfzzuom.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\etoetmasjdcjsiswq.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ypmevqgatpqzkcouqhe.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ypmevqgatpqzkcouqhe.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ndzqgapiavvdnepupf.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\atsmfcuqljmxkesayrqkd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\xlfuianeunlrzoxa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\etoetmasjdcjsiswq.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\etoetmasjdcjsiswq.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ndzqgapiavvdnepupf.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\etoetmasjdcjsiswq.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\atsmfcuqljmxkesayrqkd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\etoetmasjdcjsiswq.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ypmevqgatpqzkcouqhe.exe | lpzeiq.exe
File opened for modification | C:\Windows\SysWOW64\xlfuianeunlrzoxa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ndzqgapiavvdnepupf.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\atsmfcuqljmxkesayrqkd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ypmevqgatpqzkcouqhe.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\etoetmasjdcjsiswq.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ypmevqgatpqzkcouqhe.exe | rfyzcmqobpi.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\xlfuianeunlrzoxathbqewjaqjhnvktwpdxmas.wmf | lpzeiq.exe
File opened for modification | C:\Program Files (x86)\admqtacinvidaecucfosvcekpxk.cge | lpzeiq.exe
File created | C:\Program Files (x86)\admqtacinvidaecucfosvcekpxk.cge | lpzeiq.exe
File opened for modification | C:\Program Files (x86)\xlfuianeunlrzoxathbqewjaqjhnvktwpdxmas.wmf | lpzeiq.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\ndzqgapiavvdnepupf.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ypmevqgatpqzkcouqhe.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\etoetmasjdcjsiswq.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\atsmfcuqljmxkesayrqkd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\rllgayrokjnznixgfzzuom.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\etoetmasjdcjsiswq.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ldbumizuolnxjcpwtljc.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\xlfuianeunlrzoxa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\etoetmasjdcjsiswq.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\rllgayrokjnznixgfzzuom.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ldbumizuolnxjcpwtljc.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\xlfuianeunlrzoxathbqewjaqjhnvktwpdxmas.wmf | lpzeiq.exe
File opened for modification | C:\Windows\ldbumizuolnxjcpwtljc.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\rllgayrokjnznixgfzzuom.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ldbumizuolnxjcpwtljc.exe | lpzeiq.exe
File opened for modification | C:\Windows\xlfuianeunlrzoxa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\etoetmasjdcjsiswq.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ndzqgapiavvdnepupf.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ndzqgapiavvdnepupf.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ndzqgapiavvdnepupf.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ldbumizuolnxjcpwtljc.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ndzqgapiavvdnepupf.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\etoetmasjdcjsiswq.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\rllgayrokjnznixgfzzuom.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ypmevqgatpqzkcouqhe.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ndzqgapiavvdnepupf.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ndzqgapiavvdnepupf.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\atsmfcuqljmxkesayrqkd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ypmevqgatpqzkcouqhe.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ldbumizuolnxjcpwtljc.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\xlfuianeunlrzoxa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ndzqgapiavvdnepupf.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ndzqgapiavvdnepupf.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ldbumizuolnxjcpwtljc.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\xlfuianeunlrzoxa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ndzqgapiavvdnepupf.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ypmevqgatpqzkcouqhe.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\etoetmasjdcjsiswq.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ypmevqgatpqzkcouqhe.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\atsmfcuqljmxkesayrqkd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ldbumizuolnxjcpwtljc.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\xlfuianeunlrzoxa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\xlfuianeunlrzoxa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\etoetmasjdcjsiswq.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ypmevqgatpqzkcouqhe.exe | lpzeiq.exe
File opened for modification | C:\Windows\ldbumizuolnxjcpwtljc.exe | lpzeiq.exe
File opened for modification | C:\Windows\atsmfcuqljmxkesayrqkd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ypmevqgatpqzkcouqhe.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\atsmfcuqljmxkesayrqkd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\rllgayrokjnznixgfzzuom.exe | lpzeiq.exe
File opened for modification | C:\Windows\ndzqgapiavvdnepupf.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ldbumizuolnxjcpwtljc.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\etoetmasjdcjsiswq.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ldbumizuolnxjcpwtljc.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ldbumizuolnxjcpwtljc.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\atsmfcuqljmxkesayrqkd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\rllgayrokjnznixgfzzuom.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ndzqgapiavvdnepupf.exe | rfyzcmqobpi.exe
File created | C:\Windows\xlfuianeunlrzoxathbqewjaqjhnvktwpdxmas.wmf | lpzeiq.exe
File opened for modification | C:\Windows\atsmfcuqljmxkesayrqkd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ypmevqgatpqzkcouqhe.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ypmevqgatpqzkcouqhe.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\rllgayrokjnznixgfzzuom.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\ypmevqgatpqzkcouqhe.exe | rfyzcmqobpi.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ndzqgapiavvdnepupf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | etoetmasjdcjsiswq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | atsmfcuqljmxkesayrqkd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ndzqgapiavvdnepupf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ypmevqgatpqzkcouqhe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ldbumizuolnxjcpwtljc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lpzeiq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ndzqgapiavvdnepupf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | etoetmasjdcjsiswq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xlfuianeunlrzoxa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ndzqgapiavvdnepupf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ndzqgapiavvdnepupf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | etoetmasjdcjsiswq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ypmevqgatpqzkcouqhe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ndzqgapiavvdnepupf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ndzqgapiavvdnepupf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ypmevqgatpqzkcouqhe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | etoetmasjdcjsiswq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | etoetmasjdcjsiswq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rfyzcmqobpi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ldbumizuolnxjcpwtljc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ldbumizuolnxjcpwtljc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ndzqgapiavvdnepupf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ndzqgapiavvdnepupf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ypmevqgatpqzkcouqhe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | atsmfcuqljmxkesayrqkd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | atsmfcuqljmxkesayrqkd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xlfuianeunlrzoxa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xlfuianeunlrzoxa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xlfuianeunlrzoxa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ndzqgapiavvdnepupf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | atsmfcuqljmxkesayrqkd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ypmevqgatpqzkcouqhe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ndzqgapiavvdnepupf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ypmevqgatpqzkcouqhe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ldbumizuolnxjcpwtljc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | etoetmasjdcjsiswq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | etoetmasjdcjsiswq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ndzqgapiavvdnepupf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ldbumizuolnxjcpwtljc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | etoetmasjdcjsiswq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | etoetmasjdcjsiswq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | atsmfcuqljmxkesayrqkd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ypmevqgatpqzkcouqhe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | etoetmasjdcjsiswq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ldbumizuolnxjcpwtljc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ypmevqgatpqzkcouqhe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ndzqgapiavvdnepupf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | atsmfcuqljmxkesayrqkd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ypmevqgatpqzkcouqhe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xlfuianeunlrzoxa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ypmevqgatpqzkcouqhe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | etoetmasjdcjsiswq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ndzqgapiavvdnepupf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xlfuianeunlrzoxa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ldbumizuolnxjcpwtljc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ypmevqgatpqzkcouqhe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | etoetmasjdcjsiswq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | etoetmasjdcjsiswq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ldbumizuolnxjcpwtljc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | atsmfcuqljmxkesayrqkd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ndzqgapiavvdnepupf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xlfuianeunlrzoxa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | atsmfcuqljmxkesayrqkd.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 636 lpzeiq.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 64 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" lpzeiq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lpzeiq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" lpzeiq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer lpzeiq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer lpzeiq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lpzeiq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lpzeiq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" lpzeiq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" lpzeiq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" lpzeiq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lpzeiq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" rfyzcmqobpi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" lpzeiq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lpzeiq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System lpzeiq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" lpzeiq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" lpzeiq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" lpzeiq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System rfyzcmqobpi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System rfyzcmqobpi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" lpzeiq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" lpzeiq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lpzeiq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" lpzeiq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lpzeiq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rfyzcmqobpi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System rfyzcmqobpi.exe
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b440589d0ee46569ca9013e1c4f70261.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b440589d0ee46569ca9013e1c4f70261.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:6124

    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_b440589d0ee46569ca9013e1c4f70261.exe*"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID:6096

        C:\Users\Admin\AppData\Local\Temp\lpzeiq.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\lpzeiq.exe" "-C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Impair Defenses: Safe Mode Boot
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - System policy modification
          PID:636

        C:\Users\Admin\AppData\Local\Temp\lpzeiq.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\lpzeiq.exe" "-C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
          PID:4456

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe
  - Suspicious use of WriteProcessMemory
  PID:4684

    C:\Windows\ypmevqgatpqzkcouqhe.exe
      Command line: ypmevqgatpqzkcouqhe.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:4464

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe .
  - Suspicious use of WriteProcessMemory
  PID:4604

    C:\Windows\xlfuianeunlrzoxa.exe
      Command line: xlfuianeunlrzoxa.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:4652

        C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\xlfuianeunlrzoxa.exe*."
          - Executes dropped EXE
          PID:1040

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe
  - Suspicious use of WriteProcessMemory
  PID:4744

    C:\Windows\xlfuianeunlrzoxa.exe
      Command line: xlfuianeunlrzoxa.exe
      - Executes dropped EXE
      PID:3660

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe .
  - Suspicious use of WriteProcessMemory
  PID:4472

    C:\Windows\etoetmasjdcjsiswq.exe
      Command line: etoetmasjdcjsiswq.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2900

        C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\etoetmasjdcjsiswq.exe*."
          - Executes dropped EXE
          PID:4476

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe
  - Suspicious use of WriteProcessMemory
  PID:5472

    C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:744

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .
  - Suspicious use of WriteProcessMemory
  PID:4632

    C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:3592

        C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\xlfuianeunlrzoxa.exe*."
          - Executes dropped EXE
          PID:1984

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe
  - Suspicious use of WriteProcessMemory
  PID:3116

    C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:628

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .
  - Suspicious use of WriteProcessMemory
  PID:5672

    C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:5108

        C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ypmevqgatpqzkcouqhe.exe*."
          - Executes dropped EXE
          PID:5748

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe
  - Suspicious use of WriteProcessMemory
  PID:508

    C:\Windows\ndzqgapiavvdnepupf.exe
      Command line: ndzqgapiavvdnepupf.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:2084

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe
  - Suspicious use of WriteProcessMemory
  PID:4944

    C:\Windows\ndzqgapiavvdnepupf.exe
      Command line: ndzqgapiavvdnepupf.exe
      - Executes dropped EXE
      PID:864

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe .
  - Suspicious use of WriteProcessMemory
  PID:3220

    C:\Windows\ypmevqgatpqzkcouqhe.exe
      Command line: ypmevqgatpqzkcouqhe.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:4004

        C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ypmevqgatpqzkcouqhe.exe*."
          - Executes dropped EXE
          PID:3796

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe .
  - Suspicious use of WriteProcessMemory
  PID:3320

    C:\Windows\etoetmasjdcjsiswq.exe
      Command line: etoetmasjdcjsiswq.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:1756

        C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\etoetmasjdcjsiswq.exe*."
          - Executes dropped EXE
          PID:2600

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe
  PID:1788

    C:\Windows\ypmevqgatpqzkcouqhe.exe
      Command line: ypmevqgatpqzkcouqhe.exe
      - Executes dropped EXE
      PID:4688

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe
  - Suspicious use of WriteProcessMemory
  PID:2712

    C:\Windows\atsmfcuqljmxkesayrqkd.exe
      Command line: atsmfcuqljmxkesayrqkd.exe
      - Executes dropped EXE
      PID:1584

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe .
  PID:1764

    C:\Windows\ndzqgapiavvdnepupf.exe
      Command line: ndzqgapiavvdnepupf.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:2204

        C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ndzqgapiavvdnepupf.exe*."
          - Executes dropped EXE
          PID:3128

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe .
  PID:3748

    C:\Windows\ndzqgapiavvdnepupf.exe
      Command line: ndzqgapiavvdnepupf.exe .
      - Executes dropped EXE
      PID:3744

        C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ndzqgapiavvdnepupf.exe*."
          - Executes dropped EXE
          PID:5012

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe
  PID:388

    C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe
      - Executes dropped EXE
      PID:4832

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe
  PID:4708

    C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:4660

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .
  PID:4372

    C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .
      - Checks computer location settings
      - Executes dropped EXE
      PID:4564

        C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ypmevqgatpqzkcouqhe.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
          PID:628

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .
  PID:4544

    C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .
      - Executes dropped EXE
      PID:4728

        C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\etoetmasjdcjsiswq.exe*."
          - Executes dropped EXE
          PID:5116

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe
  PID:5212

    C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:5956

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe
  PID:3764

    C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe
      - Executes dropped EXE
      PID:2608

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .
  PID:1828

    C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:5196

        C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ndzqgapiavvdnepupf.exe*."
          - Executes dropped EXE
          PID:3824

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .
  PID:4752

    C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .
      - Checks computer location settings
      - Executes dropped EXE
      PID:428

        C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ndzqgapiavvdnepupf.exe*."
          - Executes dropped EXE
          PID:5184

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe
  PID:4916

    C:\Windows\xlfuianeunlrzoxa.exe
      Command line: xlfuianeunlrzoxa.exe
      - Executes dropped EXE
      PID:2976

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe .
  PID:528

    C:\Windows\ndzqgapiavvdnepupf.exe
      Command line: ndzqgapiavvdnepupf.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:5156

        C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ndzqgapiavvdnepupf.exe*."
          - Executes dropped EXE
          PID:5136

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe
  PID:6140

    C:\Windows\xlfuianeunlrzoxa.exe
      Command line: xlfuianeunlrzoxa.exe
      - Executes dropped EXE
      PID:3068

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe .
  PID:1572

    C:\Windows\System32\Conhost.exe
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID:2084

    C:\Windows\etoetmasjdcjsiswq.exe
      Command line: etoetmasjdcjsiswq.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:3032

        C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\etoetmasjdcjsiswq.exe*."
          - Executes dropped EXE
          PID:3608

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe
  PID:864

    C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe
      - Executes dropped EXE
      PID:4184

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .
  PID:3100

    C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:4244

        C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ypmevqgatpqzkcouqhe.exe*."
          - Executes dropped EXE
          PID:4412

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe
  PID:5856

    C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe
      - Executes dropped EXE
      PID:5056

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .
  PID:5336

    C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:5504

        C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\xlfuianeunlrzoxa.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
          PID:1948

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe
  PID:6032

    C:\Windows\atsmfcuqljmxkesayrqkd.exe
      Command line: atsmfcuqljmxkesayrqkd.exe
      - Executes dropped EXE
      PID:4848

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe .
  PID:4112

    C:\Windows\xlfuianeunlrzoxa.exe
      Command line: xlfuianeunlrzoxa.exe .
      - Checks computer location settings
      - Executes dropped EXE
      PID:2352

        C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\xlfuianeunlrzoxa.exe*."
          - Executes dropped EXE
          PID:4808

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe
  PID:5840

    C:\Windows\ldbumizuolnxjcpwtljc.exe
      Command line: ldbumizuolnxjcpwtljc.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:5076

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe
  PID:3716

    C:\Windows\ldbumizuolnxjcpwtljc.exe
      Command line: ldbumizuolnxjcpwtljc.exe
      - Executes dropped EXE
      PID:4708

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe
  PID:620

    C:\Windows\xlfuianeunlrzoxa.exe
      Command line: xlfuianeunlrzoxa.exe
      - Executes dropped EXE
      PID:4452

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe .
  PID:4476

    C:\Windows\System32\Conhost.exe
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID:3744

    C:\Windows\ypmevqgatpqzkcouqhe.exe
      Command line: ypmevqgatpqzkcouqhe.exe .
- Executes dropped EXE
PID:5636 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ypmevqgatpqzkcouqhe.exe*."3⤵
- Executes dropped EXE
PID:4604
-
-
-
C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe .]  PID:4536
  C:\Windows\etoetmasjdcjsiswq.exe  [cmdline: etoetmasjdcjsiswq.exe .]  PID:4524
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\etoetmasjdcjsiswq.exe*."]  PID:2752
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe .]  PID:4408
  C:\Windows\etoetmasjdcjsiswq.exe  [cmdline: etoetmasjdcjsiswq.exe .]  PID:3940
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\etoetmasjdcjsiswq.exe*."]  PID:2976

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe]  PID:388
  C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe]  PID:2120

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .]  PID:1176
  C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .]  PID:5696
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\atsmfcuqljmxkesayrqkd.exe*."]  PID:2980

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe]  PID:4336
  C:\Windows\ndzqgapiavvdnepupf.exe  [cmdline: ndzqgapiavvdnepupf.exe]  PID:4752
    - Executes dropped EXE

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe]  PID:5752
  C:\Windows\ndzqgapiavvdnepupf.exe  [cmdline: ndzqgapiavvdnepupf.exe]  PID:5748
    - Executes dropped EXE

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe .]  PID:4852
  C:\Windows\ndzqgapiavvdnepupf.exe  [cmdline: ndzqgapiavvdnepupf.exe .]  PID:2564
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ndzqgapiavvdnepupf.exe*."]  PID:1572

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe .]  PID:5960
  C:\Windows\ypmevqgatpqzkcouqhe.exe  [cmdline: ypmevqgatpqzkcouqhe.exe .]  PID:452
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ypmevqgatpqzkcouqhe.exe*."]  PID:3100

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe]  PID:2852
  C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe]  PID:3108

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe]  PID:3376
  C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe]  PID:3920

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe]  PID:3468
  C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe]  PID:5076

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .]  PID:2040
  C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .]  PID:4880
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\etoetmasjdcjsiswq.exe*."]  PID:5164

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .]  PID:1096
  C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .]  PID:3740
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\xlfuianeunlrzoxa.exe*."]  PID:3924

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .]  PID:3076
  C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .]  PID:5400
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ndzqgapiavvdnepupf.exe*."]  PID:6096
C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe]  PID:5584
  C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe]  PID:5808

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe]  PID:1508
  C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe]  PID:5588

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .]  PID:5804
  C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .]  PID:5864
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\etoetmasjdcjsiswq.exe*."]  PID:2308

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .]  PID:3992
  C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .]  PID:3496
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\etoetmasjdcjsiswq.exe*."]  PID:1848

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe]  PID:3208
  C:\Windows\atsmfcuqljmxkesayrqkd.exe  [cmdline: atsmfcuqljmxkesayrqkd.exe]  PID:2356

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe .]  PID:5248
  C:\Windows\etoetmasjdcjsiswq.exe  [cmdline: etoetmasjdcjsiswq.exe .]  PID:4760
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\etoetmasjdcjsiswq.exe*."]  PID:4812

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe]  PID:4300
  C:\Windows\ndzqgapiavvdnepupf.exe  [cmdline: ndzqgapiavvdnepupf.exe]  PID:6060

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe .]  PID:4712
  C:\Windows\ypmevqgatpqzkcouqhe.exe  [cmdline: ypmevqgatpqzkcouqhe.exe .]  PID:5716
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ypmevqgatpqzkcouqhe.exe*."]  PID:3660

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe]  PID:5160
  C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe]  PID:4748

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .]  PID:6016
  C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .]  PID:1040
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ldbumizuolnxjcpwtljc.exe*."]  PID:3940

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe]  PID:5384
  C:\Windows\System32\Conhost.exe  [cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1]  PID:2976
  C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe]  PID:552

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .]  PID:5928
  C:\Windows\System32\Conhost.exe  [cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1]  PID:4524
  C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .]  PID:5768
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ndzqgapiavvdnepupf.exe*."]  PID:5696
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe]  PID:1540
  C:\Windows\etoetmasjdcjsiswq.exe  [cmdline: etoetmasjdcjsiswq.exe]  PID:1988

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe .]  PID:812
  C:\Windows\ndzqgapiavvdnepupf.exe  [cmdline: ndzqgapiavvdnepupf.exe .]  PID:4932
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ndzqgapiavvdnepupf.exe*."]  PID:4320

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe]  PID:4944
  C:\Windows\atsmfcuqljmxkesayrqkd.exe  [cmdline: atsmfcuqljmxkesayrqkd.exe]  PID:1496

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe .]  PID:3920
  C:\Windows\System32\Conhost.exe  [cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1]  PID:4244
  C:\Windows\etoetmasjdcjsiswq.exe  [cmdline: etoetmasjdcjsiswq.exe .]  PID:5808
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\etoetmasjdcjsiswq.exe*."]  PID:868
C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe]  PID:560
  C:\Windows\System32\Conhost.exe  [cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1]  PID:4688
  C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe]  PID:5180

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .]  PID:4724
  C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .]  PID:3484
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ldbumizuolnxjcpwtljc.exe*."]  PID:3328

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe]  PID:5408
  C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe]  PID:5056

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .]  PID:1400
  C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .]  PID:5272
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ldbumizuolnxjcpwtljc.exe*."]  PID:4880
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe]  PID:1364
  C:\Windows\ypmevqgatpqzkcouqhe.exe  [cmdline: ypmevqgatpqzkcouqhe.exe]  PID:1508

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe .]  PID:3164
  C:\Windows\ypmevqgatpqzkcouqhe.exe  [cmdline: ypmevqgatpqzkcouqhe.exe .]  PID:2228
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ypmevqgatpqzkcouqhe.exe*."]  PID:4004

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe]  PID:2168
  C:\Windows\xlfuianeunlrzoxa.exe  [cmdline: xlfuianeunlrzoxa.exe]  PID:4240

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe .]  PID:5936
  C:\Windows\atsmfcuqljmxkesayrqkd.exe  [cmdline: atsmfcuqljmxkesayrqkd.exe .]  PID:864
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\atsmfcuqljmxkesayrqkd.exe*."]  PID:4916

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe]  PID:2844
  C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe]  PID:4832

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .]  PID:3188
  C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .]  PID:3468
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ypmevqgatpqzkcouqhe.exe*."]  PID:6060

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe]  PID:3696
  C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe]  PID:3716

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .]  PID:2608
  C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .]  PID:6128
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\atsmfcuqljmxkesayrqkd.exe*."]  PID:2000
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe]  PID:4432
  C:\Windows\ndzqgapiavvdnepupf.exe  [cmdline: ndzqgapiavvdnepupf.exe]  PID:5748

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe .]  PID:5796
  C:\Windows\ldbumizuolnxjcpwtljc.exe  [cmdline: ldbumizuolnxjcpwtljc.exe .]  PID:2096
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ldbumizuolnxjcpwtljc.exe*."]  PID:4604
C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe]  PID:748
  C:\Windows\ldbumizuolnxjcpwtljc.exe  [cmdline: ldbumizuolnxjcpwtljc.exe]  PID:5500

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe .]  PID:2596
  C:\Windows\ldbumizuolnxjcpwtljc.exe  [cmdline: ldbumizuolnxjcpwtljc.exe .]  PID:1192
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ldbumizuolnxjcpwtljc.exe*."]  PID:4488

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe]  PID:1688
  C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe]  PID:5888

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .]  PID:2448
  C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .]  PID:4676
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ndzqgapiavvdnepupf.exe*."]  PID:4532

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe]  PID:3144
  C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe]  PID:3268

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .]  PID:4700
  C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .]  PID:3908
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ypmevqgatpqzkcouqhe.exe*."]  PID:5752
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe]  PID:1088
  C:\Windows\ypmevqgatpqzkcouqhe.exe  [cmdline: ypmevqgatpqzkcouqhe.exe]  PID:1176

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe .]  PID:1128
  C:\Windows\System32\Conhost.exe  [cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1]  PID:452
  C:\Windows\xlfuianeunlrzoxa.exe  [cmdline: xlfuianeunlrzoxa.exe .]  PID:5972
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\xlfuianeunlrzoxa.exe*."]  PID:2572

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe]  PID:4684
  C:\Windows\ypmevqgatpqzkcouqhe.exe  [cmdline: ypmevqgatpqzkcouqhe.exe]  PID:1732

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe .]  PID:3032
  C:\Windows\atsmfcuqljmxkesayrqkd.exe  [cmdline: atsmfcuqljmxkesayrqkd.exe .]  PID:4148
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\atsmfcuqljmxkesayrqkd.exe*."]  PID:628

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe]  PID:5168
  C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe]  PID:5360

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .]  PID:5588
  C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .]  PID:860
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\etoetmasjdcjsiswq.exe*."]  PID:5512

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe]  PID:2864
  C:\Windows\System32\Conhost.exe  [cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1]  PID:3496
  C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe]  PID:1092

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .]  PID:4736
  C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .]  PID:4800
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ndzqgapiavvdnepupf.exe*."]  PID:3076
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe]  PID:6036
  C:\Windows\etoetmasjdcjsiswq.exe  [cmdline: etoetmasjdcjsiswq.exe]  PID:1716

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe .]  PID:2152
  C:\Windows\System32\Conhost.exe  [cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1]  PID:4240
  C:\Windows\xlfuianeunlrzoxa.exe  [cmdline: xlfuianeunlrzoxa.exe .]  PID:1476
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\xlfuianeunlrzoxa.exe*."]  PID:3792
C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe]  PID:1488
  C:\Windows\xlfuianeunlrzoxa.exe  [cmdline: xlfuianeunlrzoxa.exe]  PID:2548

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe .]  PID:2308
  C:\Windows\ypmevqgatpqzkcouqhe.exe  [cmdline: ypmevqgatpqzkcouqhe.exe .]  PID:4112
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ypmevqgatpqzkcouqhe.exe*."]  PID:4768

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe]  PID:3532
  C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe]  PID:4708

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .]  PID:3760
  C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .]  PID:5644
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\etoetmasjdcjsiswq.exe*."]  PID:3860

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe]  PID:5704
  C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe]  PID:4720

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .]  PID:4748
  C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .]  PID:5636
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\atsmfcuqljmxkesayrqkd.exe*."]  PID:4260
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe]  PID:428
  C:\Windows\xlfuianeunlrzoxa.exe  [cmdline: xlfuianeunlrzoxa.exe]  PID:3744

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe]  PID:1868
  C:\Windows\ndzqgapiavvdnepupf.exe  [cmdline: ndzqgapiavvdnepupf.exe]  PID:1692

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe .]  PID:4752
  C:\Windows\etoetmasjdcjsiswq.exe  [cmdline: etoetmasjdcjsiswq.exe .]  PID:5880
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\etoetmasjdcjsiswq.exe*."]  PID:5560

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe .]  PID:1648
  C:\Windows\etoetmasjdcjsiswq.exe  [cmdline: etoetmasjdcjsiswq.exe .]  PID:3292
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\etoetmasjdcjsiswq.exe*."]  PID:5524

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe]  PID:3872
  C:\Windows\ldbumizuolnxjcpwtljc.exe  [cmdline: ldbumizuolnxjcpwtljc.exe]  PID:2980

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe]  PID:4676
  C:\Windows\ndzqgapiavvdnepupf.exe  [cmdline: ndzqgapiavvdnepupf.exe]  PID:4320

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe .]  PID:408
  C:\Windows\ndzqgapiavvdnepupf.exe  [cmdline: ndzqgapiavvdnepupf.exe .]  PID:5360
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ndzqgapiavvdnepupf.exe*."]  PID:4296

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe .]  PID:5236
  C:\Windows\ypmevqgatpqzkcouqhe.exe  [cmdline: ypmevqgatpqzkcouqhe.exe .]  PID:872
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ypmevqgatpqzkcouqhe.exe*."]  PID:4976

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe]  PID:3956
  C:\Windows\atsmfcuqljmxkesayrqkd.exe  [cmdline: atsmfcuqljmxkesayrqkd.exe]  PID:3920

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe]  PID:3816
  C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe]  PID:3488

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe .]  PID:4536
  C:\Windows\ldbumizuolnxjcpwtljc.exe  [cmdline: ldbumizuolnxjcpwtljc.exe .]  PID:5272
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ldbumizuolnxjcpwtljc.exe*."]  PID:2664
C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe]  PID:2208
  C:\Windows\ldbumizuolnxjcpwtljc.exe  [cmdline: ldbumizuolnxjcpwtljc.exe]  PID:4412

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe]  PID:3824
  C:\Windows\System32\Conhost.exe  [cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1]  PID:3100
  C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe]  PID:5908

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .]  PID:1756
  C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .]  PID:2396
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ldbumizuolnxjcpwtljc.exe*."]  PID:4880
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe .]  PID:3332
  C:\Windows\ndzqgapiavvdnepupf.exe  [cmdline: ndzqgapiavvdnepupf.exe .]  PID:4652
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ndzqgapiavvdnepupf.exe*."]  PID:3736

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .]  PID:1128
  C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .]  PID:2600
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ldbumizuolnxjcpwtljc.exe*."]  PID:5804

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe]  PID:3376
  C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe]  PID:4708

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe]  PID:1168
  C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe]  PID:1148

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .]  PID:4756
  C:\Windows\System32\Conhost.exe  [cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1]  PID:5696
  C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .]  PID:5652
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\xlfuianeunlrzoxa.exe*."]  PID:620

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .]  PID:1400
  C:\Windows\System32\Conhost.exe  [cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1]  PID:1848
  C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .]  PID:2420
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\atsmfcuqljmxkesayrqkd.exe*."]  PID:1668

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe]  PID:3192
  C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe]  PID:4428

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .]  PID:3028
  C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe  [cmdline: C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .]  PID:5780
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ndzqgapiavvdnepupf.exe*."]  PID:1924

C:\Windows\system32\cmd.exe  [cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe]  PID:5064
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4760
-
-
C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exeC:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe2⤵PID:1928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .1⤵PID:3184
-
C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exeC:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3860 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\xlfuianeunlrzoxa.exe*."3⤵PID:4432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe1⤵PID:1040
-
C:\Windows\ypmevqgatpqzkcouqhe.exeypmevqgatpqzkcouqhe.exe2⤵PID:3196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe .1⤵PID:5088
-
C:\Windows\etoetmasjdcjsiswq.exeetoetmasjdcjsiswq.exe .2⤵
- Checks computer location settings
PID:2080 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\etoetmasjdcjsiswq.exe*."3⤵PID:1628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe1⤵PID:4532
-
C:\Windows\ndzqgapiavvdnepupf.exendzqgapiavvdnepupf.exe2⤵PID:4084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe .1⤵PID:2980
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5560
-
-
C:\Windows\etoetmasjdcjsiswq.exeetoetmasjdcjsiswq.exe .2⤵PID:4248
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\etoetmasjdcjsiswq.exe*."3⤵PID:3900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe1⤵PID:2336
-
C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exeC:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe2⤵PID:2564
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .1⤵PID:2252
-
C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exeC:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:868 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\atsmfcuqljmxkesayrqkd.exe*."3⤵PID:4596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe1⤵PID:5512
-
C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exeC:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe2⤵PID:5244
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .1⤵PID:5108
-
C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exeC:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4552 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ypmevqgatpqzkcouqhe.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe1⤵PID:4572
-
C:\Windows\ldbumizuolnxjcpwtljc.exeldbumizuolnxjcpwtljc.exe2⤵PID:1544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe .1⤵PID:1152
-
C:\Windows\ypmevqgatpqzkcouqhe.exeypmevqgatpqzkcouqhe.exe .2⤵PID:5676
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ypmevqgatpqzkcouqhe.exe*."3⤵PID:4536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe1⤵PID:2600
-
C:\Windows\etoetmasjdcjsiswq.exeetoetmasjdcjsiswq.exe2⤵PID:2868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe .1⤵PID:3532
-
C:\Windows\xlfuianeunlrzoxa.exexlfuianeunlrzoxa.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1128 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\xlfuianeunlrzoxa.exe*."3⤵PID:1144
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe1⤵PID:5960
-
C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exeC:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe2⤵PID:5076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .1⤵PID:6072
-
C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exeC:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\etoetmasjdcjsiswq.exe*."3⤵PID:628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe1⤵PID:5548
-
C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exeC:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe2⤵PID:4724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .1⤵PID:4528
-
C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exeC:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4560 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ldbumizuolnxjcpwtljc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe1⤵PID:3444
-
C:\Windows\etoetmasjdcjsiswq.exeetoetmasjdcjsiswq.exe2⤵PID:2772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe .1⤵PID:1804
-
C:\Windows\etoetmasjdcjsiswq.exeetoetmasjdcjsiswq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4692 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\etoetmasjdcjsiswq.exe*."3⤵PID:1556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe1⤵PID:5216
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3108
-
-
C:\Windows\xlfuianeunlrzoxa.exexlfuianeunlrzoxa.exe2⤵PID:4636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe .1⤵PID:4604
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4748
-
-
C:\Windows\ldbumizuolnxjcpwtljc.exeldbumizuolnxjcpwtljc.exe .2⤵
- Checks computer location settings
PID:3464 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ldbumizuolnxjcpwtljc.exe*."3⤵PID:4476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe1⤵PID:5824
-
C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exeC:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe2⤵PID:428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .1⤵PID:2596
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5500
-
-
C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exeC:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:6104 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\xlfuianeunlrzoxa.exe*."3⤵PID:5088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe1⤵PID:5768
-
C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exeC:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe2⤵PID:3960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .1⤵PID:1820
-
C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exeC:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .2⤵PID:4320
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\atsmfcuqljmxkesayrqkd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- System policy modification
PID:3216
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe1⤵PID:1704
-
C:\Windows\ldbumizuolnxjcpwtljc.exeldbumizuolnxjcpwtljc.exe2⤵PID:4188
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe .1⤵PID:4060
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4532
-
-
C:\Windows\ypmevqgatpqzkcouqhe.exeypmevqgatpqzkcouqhe.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5476 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ypmevqgatpqzkcouqhe.exe*."3⤵PID:4552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe1⤵PID:5360
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4800
-
-
C:\Windows\atsmfcuqljmxkesayrqkd.exeatsmfcuqljmxkesayrqkd.exe2⤵PID:3032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe .1⤵PID:5108
-
C:\Windows\etoetmasjdcjsiswq.exeetoetmasjdcjsiswq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2816 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\etoetmasjdcjsiswq.exe*."3⤵PID:1148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe1⤵PID:2136
-
C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exeC:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe2⤵PID:5220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .1⤵PID:2352
-
C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exeC:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .2⤵
- Checks computer location settings
PID:5784 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ndzqgapiavvdnepupf.exe*."3⤵PID:4792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe1⤵PID:1788
-
C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exeC:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe2⤵PID:4772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .1⤵PID:5352
-
C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exeC:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .2⤵
- Checks computer location settings
PID:5168 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\xlfuianeunlrzoxa.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe1⤵PID:3136
-
C:\Windows\ndzqgapiavvdnepupf.exendzqgapiavvdnepupf.exe2⤵PID:4016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe .1⤵PID:6060
-
C:\Windows\atsmfcuqljmxkesayrqkd.exeatsmfcuqljmxkesayrqkd.exe .2⤵PID:3716
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\atsmfcuqljmxkesayrqkd.exe*."3⤵PID:5564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe1⤵PID:6000
-
C:\Windows\atsmfcuqljmxkesayrqkd.exeatsmfcuqljmxkesayrqkd.exe2⤵PID:2024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe .1⤵PID:2272
-
C:\Windows\ndzqgapiavvdnepupf.exendzqgapiavvdnepupf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4812 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ndzqgapiavvdnepupf.exe*."3⤵PID:5636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe1⤵PID:5852
-
C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exeC:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe2⤵PID:972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .1⤵PID:5840
-
C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exeC:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .2⤵
- Checks computer location settings
PID:5184 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ldbumizuolnxjcpwtljc.exe*."3⤵PID:3824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe1⤵PID:4136
-
C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exeC:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe2⤵PID:5748
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .1⤵PID:2084
-
C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exeC:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ndzqgapiavvdnepupf.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
PID:3464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe1⤵PID:2968
-
C:\Windows\xlfuianeunlrzoxa.exexlfuianeunlrzoxa.exe2⤵PID:2028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe .1⤵PID:5016
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4084
-
-
C:\Windows\ndzqgapiavvdnepupf.exendzqgapiavvdnepupf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:976 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ndzqgapiavvdnepupf.exe*."3⤵PID:4320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe1⤵PID:812
-
C:\Windows\atsmfcuqljmxkesayrqkd.exeatsmfcuqljmxkesayrqkd.exe2⤵PID:3920
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe .1⤵PID:4752
-
C:\Windows\etoetmasjdcjsiswq.exeetoetmasjdcjsiswq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:6096 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\etoetmasjdcjsiswq.exe*."3⤵PID:4060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe1⤵PID:6088
-
C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exeC:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe2⤵PID:5856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .1⤵PID:4880
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4552
-
-
C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exeC:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .2⤵PID:3032
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\xlfuianeunlrzoxa.exe*."3⤵PID:5264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe1⤵PID:3936
-
C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exeC:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe2⤵PID:5996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .1⤵PID:5472
-
C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exeC:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1100 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ypmevqgatpqzkcouqhe.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe1⤵PID:5676
-
C:\Windows\etoetmasjdcjsiswq.exeetoetmasjdcjsiswq.exe2⤵PID:4708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe1⤵PID:4772
-
C:\Windows\etoetmasjdcjsiswq.exeetoetmasjdcjsiswq.exe2⤵PID:2204
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe .1⤵PID:4628
-
C:\Windows\xlfuianeunlrzoxa.exexlfuianeunlrzoxa.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:820 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\xlfuianeunlrzoxa.exe*."3⤵PID:4508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe .1⤵PID:388
-
C:\Windows\ypmevqgatpqzkcouqhe.exeypmevqgatpqzkcouqhe.exe .2⤵PID:2416
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ypmevqgatpqzkcouqhe.exe*."3⤵PID:2232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe1⤵PID:6072
-
C:\Windows\ldbumizuolnxjcpwtljc.exeldbumizuolnxjcpwtljc.exe2⤵PID:2260
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe1⤵PID:2852
-
C:\Windows\ndzqgapiavvdnepupf.exendzqgapiavvdnepupf.exe2⤵PID:3196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe .1⤵PID:4740
-
C:\Windows\xlfuianeunlrzoxa.exexlfuianeunlrzoxa.exe .2⤵PID:4876
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\xlfuianeunlrzoxa.exe*."3⤵PID:5856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe1⤵PID:5764
-
C:\Windows\ypmevqgatpqzkcouqhe.exeypmevqgatpqzkcouqhe.exe2⤵PID:3660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe .1⤵PID:5532
-
C:\Windows\atsmfcuqljmxkesayrqkd.exeatsmfcuqljmxkesayrqkd.exe .2⤵
- Checks computer location settings
PID:5876 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\atsmfcuqljmxkesayrqkd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe .1⤵PID:1560
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4812
-
-
C:\Windows\atsmfcuqljmxkesayrqkd.exeatsmfcuqljmxkesayrqkd.exe .2⤵
- Checks computer location settings
PID:4596 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\atsmfcuqljmxkesayrqkd.exe*."3⤵PID:4632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe1⤵PID:4756
-
C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exeC:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe2⤵PID:5792
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe1⤵PID:5056
-
C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exeC:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe2⤵PID:1984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .1⤵PID:4332
-
C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exeC:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5016 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\etoetmasjdcjsiswq.exe*."3⤵PID:1136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .1⤵PID:2744
-
C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exeC:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .2⤵PID:4168
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ypmevqgatpqzkcouqhe.exe*."3⤵PID:2816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe1⤵PID:1244
-
C:\Windows\ypmevqgatpqzkcouqhe.exeypmevqgatpqzkcouqhe.exe2⤵PID:6088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe .1⤵PID:428
-
C:\Windows\ypmevqgatpqzkcouqhe.exeypmevqgatpqzkcouqhe.exe .2⤵PID:6040
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ypmevqgatpqzkcouqhe.exe*."3⤵PID:2352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe1⤵PID:1868
-
C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exeC:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe2⤵PID:4880
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe1⤵PID:4732
-
C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exeC:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe2⤵PID:6020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe1⤵PID:2248
-
C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exeC:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe2⤵PID:2868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .1⤵PID:2732
-
C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exeC:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .2⤵PID:4708
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\etoetmasjdcjsiswq.exe*."3⤵PID:2260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .1⤵PID:5880
-
C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exeC:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5488 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ndzqgapiavvdnepupf.exe*."3⤵PID:4508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .1⤵PID:864
-
C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exeC:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4452 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ypmevqgatpqzkcouqhe.exe*."3⤵PID:5976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe1⤵PID:5244
-
C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exeC:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe2⤵PID:4280
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .1⤵PID:2664
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:860
-
-
C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exeC:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .2⤵
- Checks computer location settings
PID:3736 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ypmevqgatpqzkcouqhe.exe*."3⤵PID:2820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe1⤵PID:5936
-
C:\Windows\atsmfcuqljmxkesayrqkd.exeatsmfcuqljmxkesayrqkd.exe2⤵PID:2340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe .1⤵PID:3716
-
C:\Windows\xlfuianeunlrzoxa.exexlfuianeunlrzoxa.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3660 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\xlfuianeunlrzoxa.exe*."3⤵PID:4676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe1⤵PID:4324
-
C:\Windows\xlfuianeunlrzoxa.exexlfuianeunlrzoxa.exe2⤵PID:4816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe .1⤵PID:5792
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5768
-
-
C:\Windows\xlfuianeunlrzoxa.exexlfuianeunlrzoxa.exe .2⤵
- Checks computer location settings
PID:4876 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\xlfuianeunlrzoxa.exe*."3⤵PID:4536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe1⤵PID:5544
-
C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exeC:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe2⤵PID:3220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .1⤵PID:4524
-
  C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe (PID 4976): C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 1096): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ldbumizuolnxjcpwtljc.exe*."
C:\Windows\system32\cmd.exe (PID 4060): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe
  C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe (PID 2120): C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe
C:\Windows\system32\cmd.exe (PID 2496): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .
  C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe (PID 4168): C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 1804): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\xlfuianeunlrzoxa.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
C:\Windows\system32\cmd.exe (PID 5272): C:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe
  C:\Windows\atsmfcuqljmxkesayrqkd.exe (PID 2356): atsmfcuqljmxkesayrqkd.exe
C:\Windows\system32\BackgroundTransferHost.exe (PID 3076): "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\system32\cmd.exe (PID 3572): C:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe .
  C:\Windows\ldbumizuolnxjcpwtljc.exe (PID 1556): ldbumizuolnxjcpwtljc.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 1828): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ldbumizuolnxjcpwtljc.exe*."
C:\Windows\system32\cmd.exe (PID 4336): C:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe
  C:\Windows\ypmevqgatpqzkcouqhe.exe (PID 5136): ypmevqgatpqzkcouqhe.exe
C:\Windows\system32\cmd.exe (PID 6116): C:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe .
  C:\Windows\atsmfcuqljmxkesayrqkd.exe (PID 528): atsmfcuqljmxkesayrqkd.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5208): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\atsmfcuqljmxkesayrqkd.exe*."
C:\Windows\system32\cmd.exe (PID 428): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe
  C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe (PID 1424): C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe
C:\Windows\system32\cmd.exe (PID 2204): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .
  C:\Windows\System32\Conhost.exe (PID 4932): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe (PID 2636): C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 1496): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\atsmfcuqljmxkesayrqkd.exe*."
C:\Windows\system32\cmd.exe (PID 6064): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe
  C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe (PID 916): C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe
C:\Windows\system32\cmd.exe (PID 4712): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .
  C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe (PID 1380): C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 2848): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ndzqgapiavvdnepupf.exe*."
C:\Windows\system32\cmd.exe (PID 1128): C:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe
  C:\Windows\xlfuianeunlrzoxa.exe (PID 4424): xlfuianeunlrzoxa.exe
C:\Windows\system32\cmd.exe (PID 3944): C:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe .
  C:\Windows\ypmevqgatpqzkcouqhe.exe (PID 5732): ypmevqgatpqzkcouqhe.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 3536): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ypmevqgatpqzkcouqhe.exe*."
C:\Windows\system32\cmd.exe (PID 2040): C:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe
  C:\Windows\ldbumizuolnxjcpwtljc.exe (PID 1984): ldbumizuolnxjcpwtljc.exe
C:\Windows\system32\cmd.exe (PID 2596): C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe .
  C:\Windows\ndzqgapiavvdnepupf.exe (PID 3104): ndzqgapiavvdnepupf.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5568): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ndzqgapiavvdnepupf.exe*."
C:\Windows\system32\cmd.exe (PID 872): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe
  C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe (PID 4656): C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe
C:\Windows\system32\cmd.exe (PID 4920): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .
  C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe (PID 5476): C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 4112): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ypmevqgatpqzkcouqhe.exe*."
C:\Windows\system32\cmd.exe (PID 1096): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe
  C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe (PID 3208): C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe
C:\Windows\system32\cmd.exe (PID 408): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .
  C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe (PID 5540): C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 3128): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ndzqgapiavvdnepupf.exe*."
C:\Windows\system32\cmd.exe (PID 4064): C:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe
  C:\Windows\atsmfcuqljmxkesayrqkd.exe (PID 4556): atsmfcuqljmxkesayrqkd.exe
C:\Windows\system32\cmd.exe (PID 2744): C:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe .
  C:\Windows\etoetmasjdcjsiswq.exe (PID 4432): etoetmasjdcjsiswq.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5816): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\etoetmasjdcjsiswq.exe*."
C:\Windows\system32\cmd.exe (PID 4564): C:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe
  C:\Windows\atsmfcuqljmxkesayrqkd.exe (PID 4860): atsmfcuqljmxkesayrqkd.exe
C:\Windows\system32\cmd.exe (PID 1780): C:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe .
  C:\Windows\etoetmasjdcjsiswq.exe (PID 4540): etoetmasjdcjsiswq.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5556): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\etoetmasjdcjsiswq.exe*."
C:\Windows\system32\cmd.exe (PID 3796): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe
  C:\Windows\System32\Conhost.exe (PID 2096): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe (PID 428): C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe
C:\Windows\system32\cmd.exe (PID 5960): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .
  C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe (PID 4340): C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 1820): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ldbumizuolnxjcpwtljc.exe*."
C:\Windows\system32\cmd.exe (PID 5972): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe
  C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe (PID 4760): C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe
C:\Windows\system32\cmd.exe (PID 916): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .
  C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe (PID 5588): C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 2820): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ypmevqgatpqzkcouqhe.exe*."
C:\Windows\system32\cmd.exe (PID 2136): C:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe
  C:\Windows\ypmevqgatpqzkcouqhe.exe (PID 4248): ypmevqgatpqzkcouqhe.exe
C:\Windows\system32\cmd.exe (PID 2080): C:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe .
  C:\Windows\atsmfcuqljmxkesayrqkd.exe (PID 4484): atsmfcuqljmxkesayrqkd.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 2852): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\atsmfcuqljmxkesayrqkd.exe*."
C:\Windows\system32\cmd.exe (PID 4724): C:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe
  C:\Windows\atsmfcuqljmxkesayrqkd.exe (PID 5400): atsmfcuqljmxkesayrqkd.exe
C:\Windows\system32\cmd.exe (PID 5192): C:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe .
  C:\Windows\System32\Conhost.exe (PID 2600): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\atsmfcuqljmxkesayrqkd.exe (PID 4492): atsmfcuqljmxkesayrqkd.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 3716): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\atsmfcuqljmxkesayrqkd.exe*."
C:\Windows\system32\cmd.exe (PID 4676): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe
  C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe (PID 4520): C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe
C:\Windows\system32\cmd.exe (PID 872): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .
  C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe (PID 1704): C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 3444): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ypmevqgatpqzkcouqhe.exe*."
C:\Windows\system32\cmd.exe (PID 4408): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe
  C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe (PID 4832): C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe
C:\Windows\system32\cmd.exe (PID 4748): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .
  C:\Windows\System32\Conhost.exe (PID 4880): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe (PID 3488): C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 3468): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ypmevqgatpqzkcouqhe.exe*."
C:\Windows\system32\cmd.exe (PID 4524): C:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe
  C:\Windows\System32\Conhost.exe (PID 4168): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\ldbumizuolnxjcpwtljc.exe (PID 1904): ldbumizuolnxjcpwtljc.exe
C:\Windows\system32\cmd.exe (PID 4516): C:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe .
  C:\Windows\xlfuianeunlrzoxa.exe (PID 2208): xlfuianeunlrzoxa.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5156): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\xlfuianeunlrzoxa.exe*."
C:\Windows\system32\cmd.exe (PID 4392): C:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe
  C:\Windows\etoetmasjdcjsiswq.exe (PID 2712): etoetmasjdcjsiswq.exe
C:\Windows\system32\cmd.exe (PID 2036): C:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe .
  C:\Windows\atsmfcuqljmxkesayrqkd.exe (PID 1556): atsmfcuqljmxkesayrqkd.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5664): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\atsmfcuqljmxkesayrqkd.exe*."
C:\Windows\system32\cmd.exe (PID 2476): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe
  C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe (PID 4468): C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe
C:\Windows\system32\cmd.exe (PID 1440): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .
  C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe (PID 2744): C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 4564): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ndzqgapiavvdnepupf.exe*."
C:\Windows\system32\cmd.exe (PID 4412): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe
  C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe (PID 4136): C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe
C:\Windows\system32\cmd.exe (PID 4336): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .
  C:\Windows\System32\Conhost.exe (PID 4708): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe (PID 2272): C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5160): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\atsmfcuqljmxkesayrqkd.exe*."
C:\Windows\system32\cmd.exe (PID 3900): C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe
  C:\Windows\ndzqgapiavvdnepupf.exe (PID 4664): ndzqgapiavvdnepupf.exe
C:\Windows\system32\cmd.exe (PID 5244): C:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe
  C:\Windows\etoetmasjdcjsiswq.exe (PID 1644): etoetmasjdcjsiswq.exe
C:\Windows\system32\cmd.exe (PID 5652): C:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe .
  C:\Windows\xlfuianeunlrzoxa.exe (PID 5360): xlfuianeunlrzoxa.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5644): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\xlfuianeunlrzoxa.exe*."
C:\Windows\system32\cmd.exe (PID 5132): C:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe
  C:\Windows\etoetmasjdcjsiswq.exe (PID 3880): etoetmasjdcjsiswq.exe
C:\Windows\system32\cmd.exe (PID 4508): C:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe .
  C:\Windows\xlfuianeunlrzoxa.exe (PID 388): xlfuianeunlrzoxa.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5852): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\xlfuianeunlrzoxa.exe*."
C:\Windows\system32\cmd.exe (PID 5744): C:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe
  C:\Windows\ypmevqgatpqzkcouqhe.exe (PID 5476): ypmevqgatpqzkcouqhe.exe
C:\Windows\system32\cmd.exe (PID 5928): C:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe .
  C:\Windows\ypmevqgatpqzkcouqhe.exe (PID 4848): ypmevqgatpqzkcouqhe.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5816): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ypmevqgatpqzkcouqhe.exe*."
C:\Windows\system32\cmd.exe (PID 2500): C:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe .
  C:\Windows\atsmfcuqljmxkesayrqkd.exe (PID 2364): atsmfcuqljmxkesayrqkd.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5876): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\atsmfcuqljmxkesayrqkd.exe*."
C:\Windows\system32\cmd.exe (PID 2852): C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe
  C:\Windows\System32\Conhost.exe (PID 5636): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\ndzqgapiavvdnepupf.exe (PID 4224): ndzqgapiavvdnepupf.exe
C:\Windows\system32\cmd.exe (PID 3280): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe
  C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe (PID 4896): C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe
C:\Windows\system32\cmd.exe (PID 2980): C:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe .
  C:\Windows\ldbumizuolnxjcpwtljc.exe (PID 4988): ldbumizuolnxjcpwtljc.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 4808): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ldbumizuolnxjcpwtljc.exe*."
C:\Windows\system32\cmd.exe (PID 1160): C:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe
  C:\Windows\etoetmasjdcjsiswq.exe (PID 6040): etoetmasjdcjsiswq.exe
C:\Windows\system32\cmd.exe (PID 3132): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .
  C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe (PID 2696): C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 4696): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ldbumizuolnxjcpwtljc.exe*."
C:\Windows\system32\cmd.exe (PID 3100): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe
  C:\Windows\System32\Conhost.exe (PID 5512): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe (PID 4760): C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe
C:\Windows\system32\cmd.exe (PID 1704): C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe .
  C:\Windows\ndzqgapiavvdnepupf.exe (PID 452): ndzqgapiavvdnepupf.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 3572): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ndzqgapiavvdnepupf.exe*."
C:\Windows\system32\cmd.exe (PID 1988): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .
  C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe (PID 4136): C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 4452): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ldbumizuolnxjcpwtljc.exe*."
C:\Windows\system32\cmd.exe (PID 4408): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe
  C:\Windows\System32\Conhost.exe (PID 5748): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe (PID 2136): C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe
C:\Windows\system32\cmd.exe (PID 3208): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .
  C:\Windows\System32\Conhost.exe (PID 620): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe (PID 3400): C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5108): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ldbumizuolnxjcpwtljc.exe*."
C:\Windows\system32\cmd.exe (PID 2120): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe
  C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe (PID 4692): C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe
C:\Windows\system32\cmd.exe (PID 60): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .
  C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe (PID 1592): C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 3128): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\atsmfcuqljmxkesayrqkd.exe*."
C:\Windows\system32\cmd.exe (PID 740): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe
  C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe (PID 4332): C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe
C:\Windows\system32\cmd.exe (PID 1620): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .
  C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe (PID 2248): C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5588): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\etoetmasjdcjsiswq.exe*."
C:\Windows\system32\cmd.exe (PID 1648): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe
  C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe (PID 1820): C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe
C:\Windows\system32\cmd.exe (PID 4836): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .
  C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe (PID 3744): C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 1652): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\etoetmasjdcjsiswq.exe*."
C:\Windows\system32\cmd.exe (PID 916): C:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe
  C:\Windows\ypmevqgatpqzkcouqhe.exe (PID 5288): ypmevqgatpqzkcouqhe.exe
C:\Windows\system32\cmd.exe (PID 1768): C:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe .
  C:\Windows\xlfuianeunlrzoxa.exe (PID 5476): xlfuianeunlrzoxa.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5564): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\xlfuianeunlrzoxa.exe*."
C:\Windows\system32\cmd.exe (PID 388): C:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe
  C:\Windows\xlfuianeunlrzoxa.exe (PID 1804): xlfuianeunlrzoxa.exe
C:\Windows\system32\cmd.exe (PID 2856): C:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe .
  C:\Windows\ldbumizuolnxjcpwtljc.exe (PID 4732): ldbumizuolnxjcpwtljc.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 2364): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ldbumizuolnxjcpwtljc.exe*."
C:\Windows\system32\cmd.exe (PID 5368): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe
  C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe (PID 3384): C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe
C:\Windows\system32\cmd.exe (PID 3320): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .
  C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe (PID 6120): C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 3552): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ndzqgapiavvdnepupf.exe*."
C:\Windows\system32\cmd.exe (PID 4416): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe
  C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe (PID 4564): C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe
C:\Windows\system32\cmd.exe (PID 6040): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .
  C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe (PID 5232): C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5024): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ndzqgapiavvdnepupf.exe*."
C:\Windows\system32\cmd.exe (PID 4688): C:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe
  C:\Windows\etoetmasjdcjsiswq.exe (PID 2696): etoetmasjdcjsiswq.exe
C:\Windows\system32\cmd.exe (PID 3116): C:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe .
  C:\Windows\atsmfcuqljmxkesayrqkd.exe (PID 5556): atsmfcuqljmxkesayrqkd.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5208): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\atsmfcuqljmxkesayrqkd.exe*."
C:\Windows\system32\cmd.exe (PID 5384): C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe
  C:\Windows\ndzqgapiavvdnepupf.exe (PID 3464): ndzqgapiavvdnepupf.exe
C:\Windows\system32\cmd.exe (PID 812): C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe .
  C:\Windows\ndzqgapiavvdnepupf.exe (PID 2788): ndzqgapiavvdnepupf.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5456): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ndzqgapiavvdnepupf.exe*."
C:\Windows\system32\cmd.exe (PID 408): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe
  C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe (PID 4340): C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe
C:\Windows\system32\cmd.exe (PID 5088): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .
  C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe (PID 1144): C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5584): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ndzqgapiavvdnepupf.exe*."
C:\Windows\system32\cmd.exe (PID 920): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe
  C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe (PID 2772): C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe
C:\Windows\system32\cmd.exe (PID 4060): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .
  C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe (PID 972): C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 4944): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ldbumizuolnxjcpwtljc.exe*."
C:\Windows\system32\cmd.exe (PID 1912): C:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe
  C:\Windows\ldbumizuolnxjcpwtljc.exe (PID 2284): ldbumizuolnxjcpwtljc.exe
C:\Windows\system32\cmd.exe (PID 5792): C:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe .
  C:\Windows\etoetmasjdcjsiswq.exe (PID 3588): etoetmasjdcjsiswq.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5260): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\etoetmasjdcjsiswq.exe*."
C:\Windows\system32\cmd.exe (PID 1648): C:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe
  C:\Windows\System32\Conhost.exe (PID 3268): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\atsmfcuqljmxkesayrqkd.exe (PID 2908): atsmfcuqljmxkesayrqkd.exe
C:\Windows\system32\cmd.exe (PID 5532): C:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe .
  C:\Windows\etoetmasjdcjsiswq.exe (PID 4480): etoetmasjdcjsiswq.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 2024): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\etoetmasjdcjsiswq.exe*."
C:\Windows\system32\cmd.exe (PID 2420): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe
  C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe (PID 3940): C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe
C:\Windows\system32\cmd.exe (PID 2252): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .
  C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe (PID 3792): C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 3736): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ldbumizuolnxjcpwtljc.exe*."
C:\Windows\system32\cmd.exe (PID 1176): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe
  C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe (PID 2364): C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe
C:\Windows\system32\cmd.exe (PID 4372): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .
  C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe (PID 5372): C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 2080): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ldbumizuolnxjcpwtljc.exe*."
C:\Windows\system32\cmd.exe (PID 2152): C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe
  C:\Windows\ndzqgapiavvdnepupf.exe (PID 5332): ndzqgapiavvdnepupf.exe
C:\Windows\system32\cmd.exe (PID 4416): C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe .
  C:\Windows\ndzqgapiavvdnepupf.exe (PID 4412): ndzqgapiavvdnepupf.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5232): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ndzqgapiavvdnepupf.exe*."
C:\Windows\system32\cmd.exe (PID 1120): C:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe
  C:\Windows\atsmfcuqljmxkesayrqkd.exe (PID 3280): atsmfcuqljmxkesayrqkd.exe
C:\Windows\system32\cmd.exe (PID 5336): C:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe .
  C:\Windows\etoetmasjdcjsiswq.exe (PID 6128): etoetmasjdcjsiswq.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5556): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\etoetmasjdcjsiswq.exe*."
C:\Windows\system32\cmd.exe (PID 4676): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe
  C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe (PID 1628): C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe
C:\Windows\system32\cmd.exe (PID 5200): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .
  C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe (PID 4452): C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 3768): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\etoetmasjdcjsiswq.exe*."
C:\Windows\system32\cmd.exe (PID 1484): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe
  C:\Windows\System32\Conhost.exe (PID 5676): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe (PID 5488): C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe
C:\Windows\system32\cmd.exe (PID 3840): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .
  C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe (PID 5412): C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5544): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\atsmfcuqljmxkesayrqkd.exe*."
C:\Windows\system32\cmd.exe (PID 1872): C:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe
  C:\Windows\atsmfcuqljmxkesayrqkd.exe (PID 5056): atsmfcuqljmxkesayrqkd.exe
C:\Windows\system32\cmd.exe (PID 5088): C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe .
  C:\Windows\ndzqgapiavvdnepupf.exe (PID 4976): ndzqgapiavvdnepupf.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5500): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ndzqgapiavvdnepupf.exe*."
C:\Windows\system32\cmd.exe (PID 5408): C:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe
  C:\Windows\System32\Conhost.exe (PID 1148): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\atsmfcuqljmxkesayrqkd.exe (PID 4528): atsmfcuqljmxkesayrqkd.exe
C:\Windows\system32\cmd.exe (PID 5356): C:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe .
  C:\Windows\etoetmasjdcjsiswq.exe (PID 2724): etoetmasjdcjsiswq.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 1544): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\etoetmasjdcjsiswq.exe*."
C:\Windows\system32\cmd.exe (PID 5548): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe
  C:\Windows\System32\Conhost.exe (PID 2636): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe (PID 4560): C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe
C:\Windows\system32\cmd.exe (PID 2260): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .
  C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe (PID 5260): C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 3592): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ldbumizuolnxjcpwtljc.exe*."
C:\Windows\system32\cmd.exe (PID 2092): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe
  C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe (PID 2864): C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe
C:\Windows\system32\cmd.exe (PID 4068): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .
  C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe (PID 4544): C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5564): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\etoetmasjdcjsiswq.exe*."
C:\Windows\system32\cmd.exe (PID 4384): C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe
  C:\Windows\System32\Conhost.exe (PID 2664): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\ndzqgapiavvdnepupf.exe (PID 1804): ndzqgapiavvdnepupf.exe
C:\Windows\system32\cmd.exe (PID 3792): C:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe .
  C:\Windows\System32\Conhost.exe (PID 5996): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\atsmfcuqljmxkesayrqkd.exe (PID 5072): atsmfcuqljmxkesayrqkd.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5696): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\atsmfcuqljmxkesayrqkd.exe*."
C:\Windows\system32\cmd.exe (PID 5524): C:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe
  C:\Windows\atsmfcuqljmxkesayrqkd.exe (PID 3872): atsmfcuqljmxkesayrqkd.exe
C:\Windows\system32\cmd.exe (PID 2856): C:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe .
  C:\Windows\System32\Conhost.exe (PID 5076): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\ldbumizuolnxjcpwtljc.exe (PID 1576): ldbumizuolnxjcpwtljc.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 1512): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ldbumizuolnxjcpwtljc.exe*."
C:\Windows\system32\cmd.exe (PID 4948): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe
  C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe (PID 3192): C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe
C:\Windows\system32\cmd.exe (PID 5664): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .
  C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe (PID 2336): C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe (PID 5180): "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\xlfuianeunlrzoxa.exe*."
C:\Windows\system32\cmd.exe (PID 4352): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe
  C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe (PID 5504): C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe
C:\Windows\system32\cmd.exe (PID 5976): C:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe
  C:\Windows\ndzqgapiavvdnepupf.exe (PID 4716): ndzqgapiavvdnepupf.exe
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .1⤵PID:2912
-
C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exeC:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .2⤵PID:1948
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ndzqgapiavvdnepupf.exe*."3⤵PID:2848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe .1⤵PID:4556
-
C:\Windows\ndzqgapiavvdnepupf.exendzqgapiavvdnepupf.exe .2⤵PID:5720
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ndzqgapiavvdnepupf.exe*."3⤵PID:3488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe1⤵PID:6068
-
C:\Windows\ldbumizuolnxjcpwtljc.exeldbumizuolnxjcpwtljc.exe2⤵PID:4356
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe .1⤵PID:4688
-
C:\Windows\etoetmasjdcjsiswq.exeetoetmasjdcjsiswq.exe .2⤵PID:4112
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\etoetmasjdcjsiswq.exe*."3⤵PID:60
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe1⤵PID:4588
-
C:\Windows\atsmfcuqljmxkesayrqkd.exeatsmfcuqljmxkesayrqkd.exe2⤵PID:5500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe .1⤵PID:6120
-
C:\Windows\atsmfcuqljmxkesayrqkd.exeatsmfcuqljmxkesayrqkd.exe .2⤵PID:5116
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\atsmfcuqljmxkesayrqkd.exe*."3⤵PID:1592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe1⤵PID:1704
-
C:\Windows\xlfuianeunlrzoxa.exexlfuianeunlrzoxa.exe2⤵PID:5792
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe1⤵PID:3452
-
C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exeC:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe2⤵PID:5352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .1⤵PID:5140
-
C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exeC:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .2⤵PID:4636
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\atsmfcuqljmxkesayrqkd.exe*."3⤵PID:5644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe .1⤵PID:5016
-
C:\Windows\ldbumizuolnxjcpwtljc.exeldbumizuolnxjcpwtljc.exe .2⤵PID:5404
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ldbumizuolnxjcpwtljc.exe*."3⤵PID:2520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe1⤵PID:5764
-
C:\Windows\xlfuianeunlrzoxa.exexlfuianeunlrzoxa.exe2⤵PID:5400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe1⤵PID:4664
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4596
-
-
C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exeC:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe2⤵PID:820
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .1⤵PID:4560
-
C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exeC:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .2⤵PID:5640
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\atsmfcuqljmxkesayrqkd.exe*."3⤵PID:3000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe .1⤵PID:2868
-
C:\Windows\etoetmasjdcjsiswq.exeetoetmasjdcjsiswq.exe .2⤵PID:2204
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\etoetmasjdcjsiswq.exe*."3⤵PID:1680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe1⤵PID:4060
-
C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exeC:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe2⤵PID:3872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .1⤵PID:4772
-
C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exeC:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .2⤵PID:3028
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\xlfuianeunlrzoxa.exe*."3⤵PID:2132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe1⤵PID:5416
-
C:\Windows\ndzqgapiavvdnepupf.exendzqgapiavvdnepupf.exe2⤵PID:1088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe1⤵PID:5196
-
C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exeC:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe2⤵PID:1984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe .1⤵PID:3536
-
C:\Windows\ypmevqgatpqzkcouqhe.exeypmevqgatpqzkcouqhe.exe .2⤵PID:684
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ypmevqgatpqzkcouqhe.exe*."3⤵PID:748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .1⤵PID:4248
-
C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exeC:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .2⤵PID:4716
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\etoetmasjdcjsiswq.exe*."3⤵PID:2484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe1⤵PID:2024
-
C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exeC:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe2⤵PID:3484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .1⤵PID:5072
-
C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exeC:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .2⤵PID:1576
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\atsmfcuqljmxkesayrqkd.exe*."3⤵PID:5936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe1⤵PID:3744
-
C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exeC:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe2⤵PID:3324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .1⤵PID:6104
-
C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exeC:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .2⤵PID:2476
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ldbumizuolnxjcpwtljc.exe*."3⤵PID:3116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe1⤵PID:872
-
C:\Windows\etoetmasjdcjsiswq.exeetoetmasjdcjsiswq.exe2⤵PID:5412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe .1⤵PID:452
-
C:\Windows\ldbumizuolnxjcpwtljc.exeldbumizuolnxjcpwtljc.exe .2⤵PID:3956
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ldbumizuolnxjcpwtljc.exe*."3⤵PID:5116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe1⤵PID:5500
-
C:\Windows\ldbumizuolnxjcpwtljc.exeldbumizuolnxjcpwtljc.exe2⤵PID:2788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe .1⤵PID:1592
-
C:\Windows\ypmevqgatpqzkcouqhe.exeypmevqgatpqzkcouqhe.exe .2⤵PID:5792
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ypmevqgatpqzkcouqhe.exe*."3⤵PID:2596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe1⤵PID:2352
-
C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exeC:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe2⤵PID:3840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .1⤵PID:6020
-
C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exeC:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .2⤵PID:2968
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ypmevqgatpqzkcouqhe.exe*."3⤵PID:1704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe1⤵PID:4340
-
C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exeC:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe2⤵PID:5968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .1⤵PID:3824
-
C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exeC:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .2⤵PID:5052
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\atsmfcuqljmxkesayrqkd.exe*."3⤵PID:3532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe1⤵PID:1096
-
C:\Windows\etoetmasjdcjsiswq.exeetoetmasjdcjsiswq.exe2⤵PID:4928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe .1⤵PID:4740
-
C:\Windows\xlfuianeunlrzoxa.exexlfuianeunlrzoxa.exe .2⤵PID:628
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\xlfuianeunlrzoxa.exe*."3⤵PID:5260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xlfuianeunlrzoxa.exe1⤵PID:4500
-
C:\Windows\xlfuianeunlrzoxa.exexlfuianeunlrzoxa.exe2⤵PID:5628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe .1⤵PID:2816
-
C:\Windows\ldbumizuolnxjcpwtljc.exeldbumizuolnxjcpwtljc.exe .2⤵PID:5416
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ldbumizuolnxjcpwtljc.exe*."3⤵PID:5016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe1⤵PID:3420
-
C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exeC:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe2⤵PID:1120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .1⤵PID:3920
-
C:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exeC:\Users\Admin\AppData\Local\Temp\ndzqgapiavvdnepupf.exe .2⤵PID:5840
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ndzqgapiavvdnepupf.exe*."3⤵PID:5740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe1⤵PID:1812
-
C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exeC:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe2⤵PID:3220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .1⤵PID:3400
-
C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exeC:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .2⤵PID:748
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ypmevqgatpqzkcouqhe.exe*."3⤵PID:5788
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe1⤵PID:4760
-
C:\Windows\ypmevqgatpqzkcouqhe.exeypmevqgatpqzkcouqhe.exe2⤵PID:2912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe .1⤵PID:3464
-
C:\Windows\ndzqgapiavvdnepupf.exendzqgapiavvdnepupf.exe .2⤵PID:4936
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ndzqgapiavvdnepupf.exe*."3⤵PID:4728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe1⤵PID:4632
-
C:\Windows\ndzqgapiavvdnepupf.exendzqgapiavvdnepupf.exe2⤵PID:4612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c etoetmasjdcjsiswq.exe .1⤵PID:4332
-
C:\Windows\etoetmasjdcjsiswq.exeetoetmasjdcjsiswq.exe .2⤵PID:1244
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\etoetmasjdcjsiswq.exe*."3⤵PID:3552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe1⤵PID:2608
-
C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exeC:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe2⤵PID:5488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .1⤵PID:512
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4692
-
-
C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exeC:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe .2⤵PID:5664
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ldbumizuolnxjcpwtljc.exe*."3⤵PID:5412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe1⤵PID:5096
-
C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exeC:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe2⤵PID:3900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .1⤵PID:4524
-
C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exeC:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .2⤵PID:4624
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ypmevqgatpqzkcouqhe.exe*."3⤵PID:2284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe1⤵PID:5500
-
C:\Windows\ndzqgapiavvdnepupf.exendzqgapiavvdnepupf.exe2⤵PID:4076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe .1⤵PID:4112
-
C:\Windows\ndzqgapiavvdnepupf.exendzqgapiavvdnepupf.exe .2⤵PID:2812
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ndzqgapiavvdnepupf.exe*."3⤵PID:5776
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe1⤵PID:972
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5780
-
-
C:\Windows\ypmevqgatpqzkcouqhe.exeypmevqgatpqzkcouqhe.exe2⤵PID:1484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe .1⤵PID:5312
-
C:\Windows\ldbumizuolnxjcpwtljc.exeldbumizuolnxjcpwtljc.exe .2⤵PID:1848
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ldbumizuolnxjcpwtljc.exe*."3⤵PID:4372
-
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:1128
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe1⤵PID:408
-
C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exeC:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe2⤵PID:3216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .1⤵PID:1568
-
C:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exeC:\Users\Admin\AppData\Local\Temp\atsmfcuqljmxkesayrqkd.exe .2⤵PID:1984
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\atsmfcuqljmxkesayrqkd.exe*."3⤵PID:1652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe1⤵PID:1912
-
C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exeC:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe2⤵PID:4712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .1⤵PID:5636
-
C:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exeC:\Users\Admin\AppData\Local\Temp\ypmevqgatpqzkcouqhe.exe .2⤵PID:4768
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ypmevqgatpqzkcouqhe.exe*."3⤵PID:5056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe1⤵PID:1512
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3736
-
-
C:\Windows\atsmfcuqljmxkesayrqkd.exeatsmfcuqljmxkesayrqkd.exe2⤵PID:4344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c atsmfcuqljmxkesayrqkd.exe .1⤵PID:2420
-
C:\Windows\atsmfcuqljmxkesayrqkd.exeatsmfcuqljmxkesayrqkd.exe .2⤵PID:5132
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\atsmfcuqljmxkesayrqkd.exe*."3⤵PID:4360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ldbumizuolnxjcpwtljc.exe1⤵PID:3220
-
C:\Windows\ldbumizuolnxjcpwtljc.exeldbumizuolnxjcpwtljc.exe2⤵PID:3532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe .1⤵PID:1088
-
C:\Windows\ypmevqgatpqzkcouqhe.exeypmevqgatpqzkcouqhe.exe .2⤵PID:3400
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ypmevqgatpqzkcouqhe.exe*."3⤵PID:4772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe1⤵PID:2496
-
C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exeC:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe2⤵PID:6000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .1⤵PID:4560
-
C:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exeC:\Users\Admin\AppData\Local\Temp\etoetmasjdcjsiswq.exe .2⤵PID:5436
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\etoetmasjdcjsiswq.exe*."3⤵PID:3104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe1⤵PID:1764
-
C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exeC:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe2⤵PID:5804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .1⤵PID:4184
-
C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exeC:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .2⤵PID:4696
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\xlfuianeunlrzoxa.exe*."3⤵PID:6072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe1⤵PID:6104
-
C:\Windows\ypmevqgatpqzkcouqhe.exeypmevqgatpqzkcouqhe.exe2⤵PID:4724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe .1⤵PID:4352
-
C:\Windows\ndzqgapiavvdnepupf.exendzqgapiavvdnepupf.exe .2⤵PID:5440
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ndzqgapiavvdnepupf.exe*."3⤵PID:3796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ndzqgapiavvdnepupf.exe1⤵PID:5384
-
C:\Windows\ndzqgapiavvdnepupf.exendzqgapiavvdnepupf.exe2⤵PID:976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypmevqgatpqzkcouqhe.exe .1⤵PID:1644
-
C:\Windows\ypmevqgatpqzkcouqhe.exeypmevqgatpqzkcouqhe.exe .2⤵PID:740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe1⤵PID:1948
-
C:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exeC:\Users\Admin\AppData\Local\Temp\ldbumizuolnxjcpwtljc.exe2⤵PID:1904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlfuianeunlrzoxa.exe .1⤵PID:4524
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5244
-
Network
MITRE ATT&CK Enterprise v16 (tactic, then technique / sub-technique, with the number of matching signatures in parentheses)

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads