Analysis
-
max time kernel
40s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20250410-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250410-en locale:en-us os:windows10-2004-x64 system -
submitted
13/04/2025, 12:17
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe
Resource
win10v2004-20250410-en
General
-
Target
JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe
-
Size
556KB
-
MD5
b4a229565b18ddf6e26668fa71c1f260
-
SHA1
2307c3afc80bec3823f5774322faf82518702d04
-
SHA256
2dd546c14f099e9bb4743023030628c46e25af589292816d7666c17ab7f17bd6
-
SHA512
2a7f67798e04b983728cda41060a0424e9eb64d9102299bd58199e9d280d33977a737ed791d819d966973d7ccb145c549f0e3e573b377544ed1a81c9ebc324bc
-
SSDEEP
12288:m6bvdl0zCB8EDItMTzwg7lMQsvNuqZBRbZEYTwdD7IjLgxX+pd167QhEXfG:/vdezCByqTtlMQsFuqzRbzI7IoE6EhcG
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" bqyqvqrmlai.exe -
Pykspa family
-
UAC bypass 3 TTPs 27 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" lnbbjt.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" bqyqvqrmlai.exe -
Detect Pykspa worm 2 IoCs
resource yara_rule behavioral1/files/0x0007000000023306-4.dat family_pykspa behavioral1/files/0x000700000001e6ba-88.dat family_pykspa -
Adds policy Run key to start application 2 TTPs 63 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abonu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbdrnldxsgmkbcqueihx.exe" lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abonu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arujgfytpelkcetyjoofi.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nrhjtflt = "ynobwtkdxkpmccpsbec.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nrhjtflt = "xjhrjdrhyikeroyy.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nrhjtflt = "xjhrjdrhyikeroyy.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abonu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqbupevnybwkitub.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abonu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqbupevnybwkitub.exe" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nrhjtflt = "arujgfytpelkcetyjoofi.exe" lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nrhjtflt = "nbbnhdtlequqfeqsac.exe" lnbbjt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nrhjtflt = "arujgfytpelkcetyjoofi.exe" bqyqvqrmlai.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abonu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynobwtkdxkpmccpsbec.exe" lnbbjt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abonu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjhrjdrhyikeroyy.exe" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nrhjtflt = "lbdrnldxsgmkbcqueihx.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abonu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqbupevnybwkitub.exe" lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nrhjtflt = "lbdrnldxsgmkbcqueihx.exe" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nrhjtflt = "arujgfytpelkcetyjoofi.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nrhjtflt = "nbbnhdtlequqfeqsac.exe" lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abonu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbbnhdtlequqfeqsac.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nrhjtflt = 
"erqbupevnybwkitub.exe" lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abonu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arujgfytpelkcetyjoofi.exe" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abonu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arujgfytpelkcetyjoofi.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nrhjtflt = "xjhrjdrhyikeroyy.exe" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nrhjtflt = "nbbnhdtlequqfeqsac.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nrhjtflt = "xjhrjdrhyikeroyy.exe" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abonu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arujgfytpelkcetyjoofi.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nrhjtflt = "xjhrjdrhyikeroyy.exe" lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abonu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqbupevnybwkitub.exe" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abonu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arujgfytpelkcetyjoofi.exe" 
bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nrhjtflt = "nbbnhdtlequqfeqsac.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abonu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynobwtkdxkpmccpsbec.exe" lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abonu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynobwtkdxkpmccpsbec.exe" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nrhjtflt = "ynobwtkdxkpmccpsbec.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abonu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynobwtkdxkpmccpsbec.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nrhjtflt = "ynobwtkdxkpmccpsbec.exe" lnbbjt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abonu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqbupevnybwkitub.exe" lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abonu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqbupevnybwkitub.exe" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abonu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbbnhdtlequqfeqsac.exe" bqyqvqrmlai.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nrhjtflt = "xjhrjdrhyikeroyy.exe" lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nrhjtflt = "ynobwtkdxkpmccpsbec.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nrhjtflt = "xjhrjdrhyikeroyy.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nrhjtflt = "ynobwtkdxkpmccpsbec.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abonu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqbupevnybwkitub.exe" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nrhjtflt = "lbdrnldxsgmkbcqueihx.exe" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abonu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbbnhdtlequqfeqsac.exe" lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abonu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbdrnldxsgmkbcqueihx.exe" bqyqvqrmlai.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lnbbjt.exe Set value (int) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bqyqvqrmlai.exe Set value (int) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lnbbjt.exe Set value (int) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lnbbjt.exe -
Checks computer location settings 2 TTPs 64 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), likely a geofence check.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation arujgfytpelkcetyjoofi.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation nbbnhdtlequqfeqsac.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation arujgfytpelkcetyjoofi.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation lbdrnldxsgmkbcqueihx.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation erqbupevnybwkitub.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation ynobwtkdxkpmccpsbec.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation nbbnhdtlequqfeqsac.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation ynobwtkdxkpmccpsbec.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation erqbupevnybwkitub.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation arujgfytpelkcetyjoofi.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation ynobwtkdxkpmccpsbec.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation arujgfytpelkcetyjoofi.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation erqbupevnybwkitub.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation xjhrjdrhyikeroyy.exe Key 
value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation erqbupevnybwkitub.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation arujgfytpelkcetyjoofi.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation ynobwtkdxkpmccpsbec.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation arujgfytpelkcetyjoofi.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation xjhrjdrhyikeroyy.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation arujgfytpelkcetyjoofi.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation nbbnhdtlequqfeqsac.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation nbbnhdtlequqfeqsac.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation nbbnhdtlequqfeqsac.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation nbbnhdtlequqfeqsac.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation erqbupevnybwkitub.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation arujgfytpelkcetyjoofi.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation ynobwtkdxkpmccpsbec.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation xjhrjdrhyikeroyy.exe Key value queried 
\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation arujgfytpelkcetyjoofi.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation arujgfytpelkcetyjoofi.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation erqbupevnybwkitub.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation xjhrjdrhyikeroyy.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation arujgfytpelkcetyjoofi.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation arujgfytpelkcetyjoofi.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation lbdrnldxsgmkbcqueihx.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation erqbupevnybwkitub.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation erqbupevnybwkitub.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation xjhrjdrhyikeroyy.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation arujgfytpelkcetyjoofi.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation nbbnhdtlequqfeqsac.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation xjhrjdrhyikeroyy.exe Key value queried 
\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation nbbnhdtlequqfeqsac.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation nbbnhdtlequqfeqsac.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation lbdrnldxsgmkbcqueihx.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation ynobwtkdxkpmccpsbec.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation nbbnhdtlequqfeqsac.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation arujgfytpelkcetyjoofi.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation nbbnhdtlequqfeqsac.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation erqbupevnybwkitub.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation ynobwtkdxkpmccpsbec.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation lbdrnldxsgmkbcqueihx.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation arujgfytpelkcetyjoofi.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation xjhrjdrhyikeroyy.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation ynobwtkdxkpmccpsbec.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation ynobwtkdxkpmccpsbec.exe Key value queried 
\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation lbdrnldxsgmkbcqueihx.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation arujgfytpelkcetyjoofi.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation ynobwtkdxkpmccpsbec.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation lbdrnldxsgmkbcqueihx.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation arujgfytpelkcetyjoofi.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation nbbnhdtlequqfeqsac.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation lbdrnldxsgmkbcqueihx.exe Key value queried \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation erqbupevnybwkitub.exe -
Executes dropped EXE 64 IoCs
pid Process 3548 bqyqvqrmlai.exe 4532 xjhrjdrhyikeroyy.exe 4776 ynobwtkdxkpmccpsbec.exe 1576 bqyqvqrmlai.exe 4920 erqbupevnybwkitub.exe 4856 nbbnhdtlequqfeqsac.exe 3680 ynobwtkdxkpmccpsbec.exe 828 bqyqvqrmlai.exe 3752 arujgfytpelkcetyjoofi.exe 4692 bqyqvqrmlai.exe 2576 erqbupevnybwkitub.exe 2440 nbbnhdtlequqfeqsac.exe 2916 bqyqvqrmlai.exe 2520 lnbbjt.exe 3772 lnbbjt.exe 2392 nbbnhdtlequqfeqsac.exe 4592 nbbnhdtlequqfeqsac.exe 6096 arujgfytpelkcetyjoofi.exe 1976 arujgfytpelkcetyjoofi.exe 2228 bqyqvqrmlai.exe 1816 bqyqvqrmlai.exe 2672 erqbupevnybwkitub.exe 4384 lbdrnldxsgmkbcqueihx.exe 5976 ynobwtkdxkpmccpsbec.exe 636 ynobwtkdxkpmccpsbec.exe 5604 arujgfytpelkcetyjoofi.exe 4884 bqyqvqrmlai.exe 4108 lbdrnldxsgmkbcqueihx.exe 3288 ynobwtkdxkpmccpsbec.exe 5200 nbbnhdtlequqfeqsac.exe 4520 bqyqvqrmlai.exe 3872 arujgfytpelkcetyjoofi.exe 4568 bqyqvqrmlai.exe 4740 bqyqvqrmlai.exe 4448 erqbupevnybwkitub.exe 5500 arujgfytpelkcetyjoofi.exe 4980 ynobwtkdxkpmccpsbec.exe 4492 bqyqvqrmlai.exe 5568 lbdrnldxsgmkbcqueihx.exe 6076 arujgfytpelkcetyjoofi.exe 4080 bqyqvqrmlai.exe 1092 bqyqvqrmlai.exe 4124 nbbnhdtlequqfeqsac.exe 1116 arujgfytpelkcetyjoofi.exe 5452 xjhrjdrhyikeroyy.exe 1472 bqyqvqrmlai.exe 3208 nbbnhdtlequqfeqsac.exe 5080 bqyqvqrmlai.exe 6136 ynobwtkdxkpmccpsbec.exe 3460 arujgfytpelkcetyjoofi.exe 4296 bqyqvqrmlai.exe 1844 nbbnhdtlequqfeqsac.exe 592 nbbnhdtlequqfeqsac.exe 6104 nbbnhdtlequqfeqsac.exe 2692 bqyqvqrmlai.exe 2716 nbbnhdtlequqfeqsac.exe 2208 xjhrjdrhyikeroyy.exe 3340 xjhrjdrhyikeroyy.exe 528 nbbnhdtlequqfeqsac.exe 3344 nbbnhdtlequqfeqsac.exe 1320 lbdrnldxsgmkbcqueihx.exe 5948 bqyqvqrmlai.exe 5144 bqyqvqrmlai.exe 5032 bqyqvqrmlai.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys lnbbjt.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc lnbbjt.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power lnbbjt.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys lnbbjt.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc lnbbjt.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager lnbbjt.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xdvzlzhrcg = "nbbnhdtlequqfeqsac.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lnbbjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arujgfytpelkcetyjoofi.exe" lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szsxkzitfkh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynobwtkdxkpmccpsbec.exe ." lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lnbbjt = "xjhrjdrhyikeroyy.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ybqralq = "nbbnhdtlequqfeqsac.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ybqralq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjhrjdrhyikeroyy.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lnbbjt = "nbbnhdtlequqfeqsac.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ybqralq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arujgfytpelkcetyjoofi.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ejadobirb = "arujgfytpelkcetyjoofi.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szsxkzitfkh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjhrjdrhyikeroyy.exe ." 
bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xdvzlzhrcg = "nbbnhdtlequqfeqsac.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lnbbjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqbupevnybwkitub.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xdvzlzhrcg = "ynobwtkdxkpmccpsbec.exe ." lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pxrxlblxkqoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbdrnldxsgmkbcqueihx.exe" lnbbjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ybqralq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arujgfytpelkcetyjoofi.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ybqralq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbdrnldxsgmkbcqueihx.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lnbbjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynobwtkdxkpmccpsbec.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ybqralq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqbupevnybwkitub.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ejadobirb = "erqbupevnybwkitub.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xdvzlzhrcg = "arujgfytpelkcetyjoofi.exe ." 
bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ybqralq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbdrnldxsgmkbcqueihx.exe ." lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ybqralq = "nbbnhdtlequqfeqsac.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szsxkzitfkh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbbnhdtlequqfeqsac.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lnbbjt = "lbdrnldxsgmkbcqueihx.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lnbbjt = "nbbnhdtlequqfeqsac.exe" lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lnbbjt = "ynobwtkdxkpmccpsbec.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pxrxlblxkqoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqbupevnybwkitub.exe" lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szsxkzitfkh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbbnhdtlequqfeqsac.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szsxkzitfkh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqbupevnybwkitub.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xdvzlzhrcg = "xjhrjdrhyikeroyy.exe ." 
bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lnbbjt = "erqbupevnybwkitub.exe" lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lnbbjt = "lbdrnldxsgmkbcqueihx.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pxrxlblxkqoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbbnhdtlequqfeqsac.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ejadobirb = "lbdrnldxsgmkbcqueihx.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ejadobirb = "erqbupevnybwkitub.exe" lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ybqralq = "xjhrjdrhyikeroyy.exe ." lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ybqralq = "lbdrnldxsgmkbcqueihx.exe ." lnbbjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lnbbjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbdrnldxsgmkbcqueihx.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pxrxlblxkqoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjhrjdrhyikeroyy.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szsxkzitfkh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynobwtkdxkpmccpsbec.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szsxkzitfkh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjhrjdrhyikeroyy.exe ." 
bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pxrxlblxkqoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arujgfytpelkcetyjoofi.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pxrxlblxkqoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbdrnldxsgmkbcqueihx.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lnbbjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arujgfytpelkcetyjoofi.exe" lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lnbbjt = "nbbnhdtlequqfeqsac.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xdvzlzhrcg = "erqbupevnybwkitub.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szsxkzitfkh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbdrnldxsgmkbcqueihx.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lnbbjt = "ynobwtkdxkpmccpsbec.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ybqralq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\arujgfytpelkcetyjoofi.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ybqralq = "erqbupevnybwkitub.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ybqralq = "arujgfytpelkcetyjoofi.exe ." 
lnbbjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ejadobirb = "erqbupevnybwkitub.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ybqralq = "erqbupevnybwkitub.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ybqralq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqbupevnybwkitub.exe ." lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pxrxlblxkqoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynobwtkdxkpmccpsbec.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xdvzlzhrcg = "arujgfytpelkcetyjoofi.exe ." lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\szsxkzitfkh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbbnhdtlequqfeqsac.exe ." lnbbjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ybqralq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ynobwtkdxkpmccpsbec.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pxrxlblxkqoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nbbnhdtlequqfeqsac.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lnbbjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqbupevnybwkitub.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xdvzlzhrcg = "lbdrnldxsgmkbcqueihx.exe ." 
lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ybqralq = "nbbnhdtlequqfeqsac.exe ." lnbbjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pxrxlblxkqoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xjhrjdrhyikeroyy.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lnbbjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbdrnldxsgmkbcqueihx.exe" bqyqvqrmlai.exe -
Checks whether UAC is enabled 1 TTPs 36 IoCs
Beyond querying the value, the listed IoCs show both processes writing EnableLUA = "0", i.e. the sample attempts to disable UAC rather than only check it.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lnbbjt.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lnbbjt.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key value queried 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bqyqvqrmlai.exe -
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users (the IoCs below set EnableInstallerDetection to 0).
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" bqyqvqrmlai.exe -
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 19 www.showmyipaddress.com 23 www.whatismyip.ca 24 whatismyipaddress.com 31 www.whatismyip.ca 36 www.whatismyip.ca 40 whatismyip.everdot.org -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\nbbnhdtlequqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\lbdrnldxsgmkbcqueihx.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\xjhrjdrhyikeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\erqbupevnybwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\erqbupevnybwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\arujgfytpelkcetyjoofi.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\erqbupevnybwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\erqbupevnybwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\rjndbbvroemmfiyeqwxptj.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\rjndbbvroemmfiyeqwxptj.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\erqbupevnybwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\arujgfytpelkcetyjoofi.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\arujgfytpelkcetyjoofi.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\nbbnhdtlequqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\arujgfytpelkcetyjoofi.exe lnbbjt.exe File opened for modification C:\Windows\SysWOW64\xjhrjdrhyikeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\nbbnhdtlequqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\arujgfytpelkcetyjoofi.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\erqbupevnybwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\arujgfytpelkcetyjoofi.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\lbdrnldxsgmkbcqueihx.exe lnbbjt.exe File opened for modification C:\Windows\SysWOW64\erqbupevnybwkitub.exe bqyqvqrmlai.exe File opened for modification 
C:\Windows\SysWOW64\erqbupevnybwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\ynobwtkdxkpmccpsbec.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\szsxkzitfkhwewbwxsipinapyjvaxmumr.niy lnbbjt.exe File opened for modification C:\Windows\SysWOW64\ynobwtkdxkpmccpsbec.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\arujgfytpelkcetyjoofi.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\rjndbbvroemmfiyeqwxptj.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\xjhrjdrhyikeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\lbdrnldxsgmkbcqueihx.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\lbdrnldxsgmkbcqueihx.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\erqbupevnybwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\ynobwtkdxkpmccpsbec.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\xjhrjdrhyikeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\arujgfytpelkcetyjoofi.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\rjndbbvroemmfiyeqwxptj.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\ynobwtkdxkpmccpsbec.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\arujgfytpelkcetyjoofi.exe lnbbjt.exe File created C:\Windows\SysWOW64\szsxkzitfkhwewbwxsipinapyjvaxmumr.niy lnbbjt.exe File opened for modification C:\Windows\SysWOW64\rjndbbvroemmfiyeqwxptj.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\ynobwtkdxkpmccpsbec.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\arujgfytpelkcetyjoofi.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\rjndbbvroemmfiyeqwxptj.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\ynobwtkdxkpmccpsbec.exe bqyqvqrmlai.exe File opened for modification 
C:\Windows\SysWOW64\ynobwtkdxkpmccpsbec.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\xjhrjdrhyikeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\lbdrnldxsgmkbcqueihx.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\rjndbbvroemmfiyeqwxptj.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\lbdrnldxsgmkbcqueihx.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\rjndbbvroemmfiyeqwxptj.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\erqbupevnybwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\rjndbbvroemmfiyeqwxptj.exe lnbbjt.exe File opened for modification C:\Windows\SysWOW64\xjhrjdrhyikeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\lbdrnldxsgmkbcqueihx.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\erqbupevnybwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\xjhrjdrhyikeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\nbbnhdtlequqfeqsac.exe lnbbjt.exe File opened for modification C:\Windows\SysWOW64\erqbupevnybwkitub.exe lnbbjt.exe File opened for modification C:\Windows\SysWOW64\rjndbbvroemmfiyeqwxptj.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\xjhrjdrhyikeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\xjhrjdrhyikeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\nbbnhdtlequqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\lbdrnldxsgmkbcqueihx.exe bqyqvqrmlai.exe File opened for modification C:\Windows\SysWOW64\ynobwtkdxkpmccpsbec.exe lnbbjt.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\bxfzbfddeykolsmwmwbxfz.fdd lnbbjt.exe File created C:\Program Files (x86)\bxfzbfddeykolsmwmwbxfz.fdd lnbbjt.exe File opened for modification C:\Program Files (x86)\szsxkzitfkhwewbwxsipinapyjvaxmumr.niy lnbbjt.exe File created C:\Program Files (x86)\szsxkzitfkhwewbwxsipinapyjvaxmumr.niy lnbbjt.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\rjndbbvroemmfiyeqwxptj.exe lnbbjt.exe File opened for modification C:\Windows\rjndbbvroemmfiyeqwxptj.exe bqyqvqrmlai.exe File opened for modification C:\Windows\erqbupevnybwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\arujgfytpelkcetyjoofi.exe lnbbjt.exe File opened for modification C:\Windows\lbdrnldxsgmkbcqueihx.exe bqyqvqrmlai.exe File opened for modification C:\Windows\nbbnhdtlequqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\lbdrnldxsgmkbcqueihx.exe bqyqvqrmlai.exe File opened for modification C:\Windows\nbbnhdtlequqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\lbdrnldxsgmkbcqueihx.exe bqyqvqrmlai.exe File opened for modification C:\Windows\arujgfytpelkcetyjoofi.exe bqyqvqrmlai.exe File opened for modification C:\Windows\ynobwtkdxkpmccpsbec.exe bqyqvqrmlai.exe File opened for modification C:\Windows\xjhrjdrhyikeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\erqbupevnybwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\rjndbbvroemmfiyeqwxptj.exe bqyqvqrmlai.exe File opened for modification C:\Windows\ynobwtkdxkpmccpsbec.exe bqyqvqrmlai.exe File opened for modification C:\Windows\rjndbbvroemmfiyeqwxptj.exe bqyqvqrmlai.exe File opened for modification C:\Windows\xjhrjdrhyikeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\lbdrnldxsgmkbcqueihx.exe bqyqvqrmlai.exe File opened for modification C:\Windows\arujgfytpelkcetyjoofi.exe bqyqvqrmlai.exe File opened for modification C:\Windows\rjndbbvroemmfiyeqwxptj.exe bqyqvqrmlai.exe File opened for modification C:\Windows\erqbupevnybwkitub.exe bqyqvqrmlai.exe File created C:\Windows\bxfzbfddeykolsmwmwbxfz.fdd lnbbjt.exe File opened for modification C:\Windows\xjhrjdrhyikeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\rjndbbvroemmfiyeqwxptj.exe bqyqvqrmlai.exe File opened for modification C:\Windows\rjndbbvroemmfiyeqwxptj.exe 
bqyqvqrmlai.exe File opened for modification C:\Windows\rjndbbvroemmfiyeqwxptj.exe bqyqvqrmlai.exe File opened for modification C:\Windows\arujgfytpelkcetyjoofi.exe bqyqvqrmlai.exe File opened for modification C:\Windows\arujgfytpelkcetyjoofi.exe bqyqvqrmlai.exe File opened for modification C:\Windows\ynobwtkdxkpmccpsbec.exe bqyqvqrmlai.exe File opened for modification C:\Windows\arujgfytpelkcetyjoofi.exe bqyqvqrmlai.exe File opened for modification C:\Windows\nbbnhdtlequqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\lbdrnldxsgmkbcqueihx.exe bqyqvqrmlai.exe File opened for modification C:\Windows\nbbnhdtlequqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\lbdrnldxsgmkbcqueihx.exe lnbbjt.exe File opened for modification C:\Windows\arujgfytpelkcetyjoofi.exe bqyqvqrmlai.exe File opened for modification C:\Windows\lbdrnldxsgmkbcqueihx.exe bqyqvqrmlai.exe File opened for modification C:\Windows\ynobwtkdxkpmccpsbec.exe bqyqvqrmlai.exe File opened for modification C:\Windows\rjndbbvroemmfiyeqwxptj.exe bqyqvqrmlai.exe File opened for modification C:\Windows\erqbupevnybwkitub.exe bqyqvqrmlai.exe File created C:\Windows\szsxkzitfkhwewbwxsipinapyjvaxmumr.niy lnbbjt.exe File opened for modification C:\Windows\xjhrjdrhyikeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\nbbnhdtlequqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\lbdrnldxsgmkbcqueihx.exe bqyqvqrmlai.exe File opened for modification C:\Windows\erqbupevnybwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\erqbupevnybwkitub.exe bqyqvqrmlai.exe File opened for modification C:\Windows\ynobwtkdxkpmccpsbec.exe bqyqvqrmlai.exe File opened for modification C:\Windows\rjndbbvroemmfiyeqwxptj.exe bqyqvqrmlai.exe File opened for modification C:\Windows\ynobwtkdxkpmccpsbec.exe bqyqvqrmlai.exe File opened for modification C:\Windows\rjndbbvroemmfiyeqwxptj.exe lnbbjt.exe File opened for modification C:\Windows\erqbupevnybwkitub.exe 
bqyqvqrmlai.exe File opened for modification C:\Windows\xjhrjdrhyikeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\arujgfytpelkcetyjoofi.exe bqyqvqrmlai.exe File opened for modification C:\Windows\lbdrnldxsgmkbcqueihx.exe bqyqvqrmlai.exe File opened for modification C:\Windows\lbdrnldxsgmkbcqueihx.exe bqyqvqrmlai.exe File opened for modification C:\Windows\xjhrjdrhyikeroyy.exe lnbbjt.exe File opened for modification C:\Windows\nbbnhdtlequqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\szsxkzitfkhwewbwxsipinapyjvaxmumr.niy lnbbjt.exe File opened for modification C:\Windows\xjhrjdrhyikeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\ynobwtkdxkpmccpsbec.exe bqyqvqrmlai.exe File opened for modification C:\Windows\xjhrjdrhyikeroyy.exe bqyqvqrmlai.exe File opened for modification C:\Windows\rjndbbvroemmfiyeqwxptj.exe bqyqvqrmlai.exe File opened for modification C:\Windows\arujgfytpelkcetyjoofi.exe bqyqvqrmlai.exe File opened for modification C:\Windows\nbbnhdtlequqfeqsac.exe bqyqvqrmlai.exe File opened for modification C:\Windows\ynobwtkdxkpmccpsbec.exe bqyqvqrmlai.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ynobwtkdxkpmccpsbec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbdrnldxsgmkbcqueihx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjhrjdrhyikeroyy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arujgfytpelkcetyjoofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnhdtlequqfeqsac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arujgfytpelkcetyjoofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lnbbjt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arujgfytpelkcetyjoofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ynobwtkdxkpmccpsbec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arujgfytpelkcetyjoofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnhdtlequqfeqsac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbdrnldxsgmkbcqueihx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjhrjdrhyikeroyy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arujgfytpelkcetyjoofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arujgfytpelkcetyjoofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbdrnldxsgmkbcqueihx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjhrjdrhyikeroyy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language erqbupevnybwkitub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbdrnldxsgmkbcqueihx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language erqbupevnybwkitub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bqyqvqrmlai.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arujgfytpelkcetyjoofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arujgfytpelkcetyjoofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language erqbupevnybwkitub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arujgfytpelkcetyjoofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arujgfytpelkcetyjoofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnhdtlequqfeqsac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language erqbupevnybwkitub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbdrnldxsgmkbcqueihx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language erqbupevnybwkitub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnhdtlequqfeqsac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbdrnldxsgmkbcqueihx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ynobwtkdxkpmccpsbec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arujgfytpelkcetyjoofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language erqbupevnybwkitub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbdrnldxsgmkbcqueihx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjhrjdrhyikeroyy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjhrjdrhyikeroyy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ynobwtkdxkpmccpsbec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language erqbupevnybwkitub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ynobwtkdxkpmccpsbec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ynobwtkdxkpmccpsbec.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnhdtlequqfeqsac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language erqbupevnybwkitub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arujgfytpelkcetyjoofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arujgfytpelkcetyjoofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjhrjdrhyikeroyy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ynobwtkdxkpmccpsbec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbdrnldxsgmkbcqueihx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ynobwtkdxkpmccpsbec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arujgfytpelkcetyjoofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbdrnldxsgmkbcqueihx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ynobwtkdxkpmccpsbec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnhdtlequqfeqsac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnhdtlequqfeqsac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arujgfytpelkcetyjoofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbdrnldxsgmkbcqueihx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjhrjdrhyikeroyy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language erqbupevnybwkitub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language erqbupevnybwkitub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ynobwtkdxkpmccpsbec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arujgfytpelkcetyjoofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arujgfytpelkcetyjoofi.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbdrnldxsgmkbcqueihx.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 2520 lnbbjt.exe 2520 lnbbjt.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 
JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 2520 lnbbjt.exe 2520 lnbbjt.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2520 lnbbjt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5440 wrote to memory of 3548 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 89 PID 5440 wrote to memory of 3548 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 89 PID 5440 wrote to memory of 3548 5440 JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe 89 PID 4696 wrote to memory of 4532 4696 cmd.exe 94 PID 4696 wrote to memory of 4532 4696 cmd.exe 94 PID 4696 wrote to memory of 4532 4696 cmd.exe 94 PID 4632 wrote to memory of 4776 4632 cmd.exe 97 PID 4632 wrote to memory of 4776 4632 cmd.exe 97 PID 4632 wrote to memory of 4776 4632 cmd.exe 97 PID 4776 wrote to memory of 1576 4776 ynobwtkdxkpmccpsbec.exe 100 PID 4776 wrote to memory of 1576 4776 ynobwtkdxkpmccpsbec.exe 100 PID 4776 wrote to memory of 1576 4776 ynobwtkdxkpmccpsbec.exe 100 PID 4556 wrote to memory of 4920 4556 cmd.exe 103 PID 4556 wrote to memory of 4920 4556 cmd.exe 103 PID 4556 wrote to memory of 4920 4556 cmd.exe 103 PID 4796 wrote to memory of 4856 4796 cmd.exe 106 PID 4796 wrote to memory of 4856 4796 cmd.exe 106 PID 4796 wrote to memory of 4856 4796 cmd.exe 106 PID 5008 wrote to memory of 3680 5008 cmd.exe 109 PID 5008 wrote to memory of 3680 5008 cmd.exe 109 PID 5008 wrote to memory of 3680 5008 cmd.exe 109 PID 4856 wrote to memory of 828 4856 nbbnhdtlequqfeqsac.exe 110 PID 4856 wrote to memory of 828 4856 nbbnhdtlequqfeqsac.exe 110 PID 4856 wrote to memory of 828 4856 nbbnhdtlequqfeqsac.exe 110 PID 5024 wrote to memory of 3752 5024 cmd.exe 111 PID 5024 wrote to memory of 3752 5024 cmd.exe 111 PID 5024 wrote to memory of 3752 5024 cmd.exe 111 PID 3752 wrote to memory of 4692 3752 arujgfytpelkcetyjoofi.exe 114 PID 3752 wrote to memory of 4692 3752 arujgfytpelkcetyjoofi.exe 114 PID 3752 wrote to memory of 4692 3752 arujgfytpelkcetyjoofi.exe 114 PID 2244 wrote to memory of 2576 2244 cmd.exe 116 PID 2244 wrote to memory of 2576 2244 cmd.exe 116 PID 2244 wrote to memory of 2576 2244 cmd.exe 116 PID 1828 wrote to memory of 2440 1828 cmd.exe 
118 PID 1828 wrote to memory of 2440 1828 cmd.exe 118 PID 1828 wrote to memory of 2440 1828 cmd.exe 118 PID 2440 wrote to memory of 2916 2440 nbbnhdtlequqfeqsac.exe 119 PID 2440 wrote to memory of 2916 2440 nbbnhdtlequqfeqsac.exe 119 PID 2440 wrote to memory of 2916 2440 nbbnhdtlequqfeqsac.exe 119 PID 3548 wrote to memory of 2520 3548 bqyqvqrmlai.exe 121 PID 3548 wrote to memory of 2520 3548 bqyqvqrmlai.exe 121 PID 3548 wrote to memory of 2520 3548 bqyqvqrmlai.exe 121 PID 3548 wrote to memory of 3772 3548 bqyqvqrmlai.exe 122 PID 3548 wrote to memory of 3772 3548 bqyqvqrmlai.exe 122 PID 3548 wrote to memory of 3772 3548 bqyqvqrmlai.exe 122 PID 5028 wrote to memory of 2392 5028 cmd.exe 129 PID 5028 wrote to memory of 2392 5028 cmd.exe 129 PID 5028 wrote to memory of 2392 5028 cmd.exe 129 PID 3252 wrote to memory of 4592 3252 cmd.exe 130 PID 3252 wrote to memory of 4592 3252 cmd.exe 130 PID 3252 wrote to memory of 4592 3252 cmd.exe 130 PID 1552 wrote to memory of 6096 1552 cmd.exe 301 PID 1552 wrote to memory of 6096 1552 cmd.exe 301 PID 1552 wrote to memory of 6096 1552 cmd.exe 301 PID 2712 wrote to memory of 1976 2712 cmd.exe 134 PID 2712 wrote to memory of 1976 2712 cmd.exe 134 PID 2712 wrote to memory of 1976 2712 cmd.exe 134 PID 6096 wrote to memory of 2228 6096 arujgfytpelkcetyjoofi.exe 141 PID 6096 wrote to memory of 2228 6096 arujgfytpelkcetyjoofi.exe 141 PID 6096 wrote to memory of 2228 6096 arujgfytpelkcetyjoofi.exe 141 PID 1976 wrote to memory of 1816 1976 arujgfytpelkcetyjoofi.exe 142 PID 1976 wrote to memory of 1816 1976 arujgfytpelkcetyjoofi.exe 142 PID 1976 wrote to memory of 1816 1976 arujgfytpelkcetyjoofi.exe 142 PID 3064 wrote to memory of 2672 3064 cmd.exe 145 -
System policy modification 1 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" lnbbjt.exe 
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer lnbbjt.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" lnbbjt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" lnbbjt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System lnbbjt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" lnbbjt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4a229565b18ddf6e26668fa71c1f260.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5440 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_b4a229565b18ddf6e26668fa71c1f260.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3548 -
C:\Users\Admin\AppData\Local\Temp\lnbbjt.exe"C:\Users\Admin\AppData\Local\Temp\lnbbjt.exe" "-C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2520
-
-
C:\Users\Admin\AppData\Local\Temp\lnbbjt.exe"C:\Users\Admin\AppData\Local\Temp\lnbbjt.exe" "-C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe2⤵
- Executes dropped EXE
PID:4532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ynobwtkdxkpmccpsbec.exe*."3⤵
- Executes dropped EXE
PID:1576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe2⤵
- Executes dropped EXE
PID:4920
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nbbnhdtlequqfeqsac.exe*."3⤵
- Executes dropped EXE
PID:828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe2⤵
- Executes dropped EXE
PID:3680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\arujgfytpelkcetyjoofi.exe*."3⤵
- Executes dropped EXE
PID:4692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nbbnhdtlequqfeqsac.exe*."3⤵
- Executes dropped EXE
PID:2916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe2⤵
- Executes dropped EXE
PID:2392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3252 -
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe2⤵
- Executes dropped EXE
PID:4592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6096 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\arujgfytpelkcetyjoofi.exe*."3⤵
- Executes dropped EXE
PID:2228
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\arujgfytpelkcetyjoofi.exe*."3⤵
- Executes dropped EXE
PID:1816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe2⤵
- Executes dropped EXE
PID:2672
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe1⤵PID:5620
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe .1⤵PID:2100
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe .2⤵
- Executes dropped EXE
PID:5976 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ynobwtkdxkpmccpsbec.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe .1⤵PID:732
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5604 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\arujgfytpelkcetyjoofi.exe*."3⤵
- Executes dropped EXE
PID:4520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe1⤵PID:1548
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe2⤵
- Executes dropped EXE
PID:636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe1⤵PID:3084
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe2⤵
- Executes dropped EXE
PID:4108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .1⤵PID:1848
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5200 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nbbnhdtlequqfeqsac.exe*."3⤵
- Executes dropped EXE
PID:4740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .1⤵PID:5244
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3288 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ynobwtkdxkpmccpsbec.exe*."3⤵
- Executes dropped EXE
PID:4568
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe1⤵PID:1512
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe2⤵
- Executes dropped EXE
PID:3872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe1⤵PID:4196
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe2⤵
- Executes dropped EXE
PID:5500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .1⤵PID:4912
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4448 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\erqbupevnybwkitub.exe*."3⤵
- Executes dropped EXE
PID:4492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .1⤵PID:2428
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5568 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lbdrnldxsgmkbcqueihx.exe*."3⤵
- Executes dropped EXE
PID:4080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe1⤵PID:4208
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe2⤵
- Executes dropped EXE
PID:4980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe .1⤵PID:4700
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6076 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\arujgfytpelkcetyjoofi.exe*."3⤵
- Executes dropped EXE
PID:1092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe1⤵PID:4672
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe2⤵
- Executes dropped EXE
PID:4124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe .1⤵PID:4584
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1116 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\arujgfytpelkcetyjoofi.exe*."3⤵
- Executes dropped EXE
PID:1472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe1⤵PID:2852
-
C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exeC:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .1⤵PID:228
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3208 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nbbnhdtlequqfeqsac.exe*."3⤵
- Executes dropped EXE
PID:5080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe1⤵PID:5656
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe2⤵
- Executes dropped EXE
PID:6136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .1⤵PID:4180
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3460 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\arujgfytpelkcetyjoofi.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe1⤵PID:5740
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe2⤵
- Executes dropped EXE
PID:1844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe .1⤵PID:2600
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:592 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nbbnhdtlequqfeqsac.exe*."3⤵
- Executes dropped EXE
PID:2692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe1⤵PID:1808
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe2⤵
- Executes dropped EXE
PID:6104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe1⤵PID:4748
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe2⤵
- Executes dropped EXE
PID:2716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe1⤵PID:3720
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe2⤵
- Executes dropped EXE
PID:2208
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe .1⤵PID:3320
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe .2⤵
- Executes dropped EXE
PID:3340 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xjhrjdrhyikeroyy.exe*."3⤵
- Executes dropped EXE
PID:5948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe .1⤵PID:3968
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:528 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nbbnhdtlequqfeqsac.exe*."3⤵
- Executes dropped EXE
PID:5144
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe .1⤵PID:5620
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1320 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lbdrnldxsgmkbcqueihx.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe1⤵PID:5888
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe2⤵
- Executes dropped EXE
PID:3344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe1⤵PID:4564
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe2⤵PID:428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .1⤵PID:4272
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .2⤵
- Checks computer location settings
PID:3380 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\erqbupevnybwkitub.exe*."3⤵PID:5820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe1⤵PID:4376
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe2⤵PID:5020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe .1⤵PID:4716
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:8 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xjhrjdrhyikeroyy.exe*."3⤵PID:4388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe .1⤵PID:1524
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4520
-
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4080 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\erqbupevnybwkitub.exe*."3⤵PID:6048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe1⤵PID:6056
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe2⤵PID:5320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe1⤵PID:6140
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe2⤵PID:5544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .1⤵PID:3924
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:872 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:2084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe1⤵PID:5204
-
C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exeC:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe2⤵PID:888
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .1⤵PID:2676
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2056 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\arujgfytpelkcetyjoofi.exe*."3⤵PID:804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe .1⤵PID:2252
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4980
-
-
C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exeC:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1292 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xjhrjdrhyikeroyy.exe*."3⤵PID:1960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe1⤵PID:4732
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe2⤵PID:5212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe1⤵PID:4780
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe2⤵PID:5584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .1⤵PID:5244
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\erqbupevnybwkitub.exe*."3⤵PID:3224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .1⤵PID:6068
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5092 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ynobwtkdxkpmccpsbec.exe*."3⤵PID:3208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe1⤵PID:5952
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe2⤵PID:5800
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe .1⤵PID:4584
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe .2⤵
- Checks computer location settings
PID:6136 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nbbnhdtlequqfeqsac.exe*."3⤵PID:1812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe1⤵PID:3280
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe2⤵PID:3456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe .1⤵PID:760
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5744 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xjhrjdrhyikeroyy.exe*."3⤵PID:1304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe1⤵PID:5028
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6096
-
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe2⤵PID:3336
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .1⤵PID:5644
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .2⤵
- Checks computer location settings
PID:1164 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ynobwtkdxkpmccpsbec.exe*."3⤵PID:4936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe1⤵PID:3588
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe2⤵PID:4004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .1⤵PID:2556
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2208
-
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .2⤵
- System Location Discovery: System Language Discovery
PID:6072 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ynobwtkdxkpmccpsbec.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe1⤵PID:2308
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe2⤵PID:4644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe .1⤵PID:528
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5976 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ynobwtkdxkpmccpsbec.exe*."3⤵PID:2264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe1⤵PID:2816
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe2⤵PID:3156
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe .1⤵PID:4196
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5724 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\erqbupevnybwkitub.exe*."3⤵PID:4832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe1⤵PID:2776
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe2⤵PID:5292
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .1⤵PID:5736
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .2⤵PID:5904
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ynobwtkdxkpmccpsbec.exe*."3⤵PID:5488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe1⤵PID:4656
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe2⤵PID:1412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .1⤵PID:4928
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:6140 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\arujgfytpelkcetyjoofi.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe1⤵PID:4968
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4388
-
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe2⤵PID:4668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe .1⤵PID:4984
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3572 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\erqbupevnybwkitub.exe*."3⤵PID:2388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe1⤵PID:216
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe2⤵PID:5184
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe .1⤵PID:4608
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4876 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:2288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe1⤵PID:556
-
C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exeC:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe2⤵PID:3872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .1⤵PID:2744
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5352 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:4864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe1⤵PID:4692
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe2⤵PID:5952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .1⤵PID:1908
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3752 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\arujgfytpelkcetyjoofi.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe1⤵PID:3204
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe2⤵PID:2128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe .1⤵PID:4180
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3280 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:684
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe1⤵PID:932
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe2⤵PID:3276
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe .1⤵PID:4084
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe .2⤵
- Checks computer location settings
PID:1968 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\erqbupevnybwkitub.exe*."3⤵PID:2596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe1⤵PID:1536
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe2⤵PID:2352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .1⤵PID:3064
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5376 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ynobwtkdxkpmccpsbec.exe*."3⤵PID:3908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe1⤵PID:3128
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe2⤵PID:4224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe .1⤵PID:1148
-
C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exeC:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe .2⤵
- Checks computer location settings
PID:2528 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xjhrjdrhyikeroyy.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe1⤵PID:2292
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe2⤵PID:3084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe .1⤵PID:4628
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe .2⤵
- Checks computer location settings
PID:3368 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\erqbupevnybwkitub.exe*."3⤵PID:4260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe1⤵PID:4648
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe2⤵PID:5144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe .1⤵PID:2068
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe .2⤵
- Checks computer location settings
PID:2172 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\arujgfytpelkcetyjoofi.exe*."3⤵PID:5164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe1⤵PID:1212
-
C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exeC:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe2⤵PID:5320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe .1⤵PID:1092
-
C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exeC:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5724 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xjhrjdrhyikeroyy.exe*."3⤵PID:4196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe1⤵PID:400
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe2⤵PID:5112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .1⤵PID:1564
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .2⤵
- Checks computer location settings
PID:1412 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ynobwtkdxkpmccpsbec.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe1⤵PID:3380
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe2⤵PID:5048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe .1⤵PID:5608
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xjhrjdrhyikeroyy.exe*."3⤵PID:6048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe1⤵PID:4668
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe2⤵PID:2440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe .1⤵PID:868
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe .2⤵
- Checks computer location settings
PID:1052 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xjhrjdrhyikeroyy.exe*."3⤵PID:3124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe1⤵PID:3288
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe2⤵PID:216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .1⤵PID:3788
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\erqbupevnybwkitub.exe*."3⤵PID:220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe1⤵PID:4608
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe2⤵PID:5056
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .1⤵PID:1912
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5036 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\arujgfytpelkcetyjoofi.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe1⤵PID:6060
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe2⤵PID:2392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe1⤵PID:4632
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe2⤵PID:952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe .1⤵PID:2852
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe .2⤵
- Checks computer location settings
PID:2636 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\arujgfytpelkcetyjoofi.exe*."3⤵PID:592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe .1⤵PID:2128
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4256 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ynobwtkdxkpmccpsbec.exe*."3⤵PID:4224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe1⤵PID:2844
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe2⤵PID:2528
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe1⤵PID:3148
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe2⤵PID:4676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe1⤵PID:5128
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe2⤵PID:1468
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe .1⤵PID:6016
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe .2⤵
- System Location Discovery: System Language Discovery
PID:6072 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:5792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe .1⤵PID:760
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe .2⤵
- Checks computer location settings
PID:4704 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nbbnhdtlequqfeqsac.exe*."3⤵PID:4612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe .1⤵PID:1968
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe .2⤵PID:4248
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\erqbupevnybwkitub.exe*."3⤵PID:4860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe1⤵PID:2140
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe2⤵PID:3208
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe1⤵PID:2028
-
C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exeC:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe2⤵PID:5696
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .1⤵PID:5188
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ynobwtkdxkpmccpsbec.exe*."3⤵PID:2012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe1⤵PID:4004
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe2⤵PID:1544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .1⤵PID:1904
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1828 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\arujgfytpelkcetyjoofi.exe*."3⤵PID:6064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe .1⤵PID:3612
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5824 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\arujgfytpelkcetyjoofi.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe1⤵PID:4664
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe2⤵PID:4376
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe1⤵PID:4352
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe2⤵PID:860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe .1⤵PID:5280
-
C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exeC:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4660 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xjhrjdrhyikeroyy.exe*."3⤵PID:6128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe1⤵PID:4516
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe2⤵PID:2344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .1⤵PID:464
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .2⤵
- Checks computer location settings
PID:5040 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:2040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .1⤵PID:440
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .2⤵
- Checks computer location settings
PID:6112 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\erqbupevnybwkitub.exe*."3⤵PID:964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe1⤵PID:3372
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe2⤵PID:5752
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .1⤵PID:2892
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4272 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\arujgfytpelkcetyjoofi.exe*."3⤵PID:1052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe1⤵PID:4160
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe2⤵PID:2416
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe .1⤵PID:1228
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe .2⤵
- Checks computer location settings
PID:5056 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nbbnhdtlequqfeqsac.exe*."3⤵PID:4668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe1⤵PID:2032
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe2⤵PID:4772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe .1⤵PID:5168
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe .2⤵
- Checks computer location settings
PID:1072 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ynobwtkdxkpmccpsbec.exe*."3⤵PID:5844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe1⤵PID:2020
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe2⤵PID:2588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe .1⤵PID:6060
-
C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exeC:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe .2⤵
- Checks computer location settings
PID:4632 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xjhrjdrhyikeroyy.exe*."3⤵PID:1844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe1⤵PID:3336
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe2⤵PID:2228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .1⤵PID:4852
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3716 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\erqbupevnybwkitub.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe1⤵PID:2560
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1292
-
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe2⤵PID:2592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe .1⤵PID:3364
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:6072 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nbbnhdtlequqfeqsac.exe*."3⤵PID:5132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe1⤵PID:3120
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe2⤵PID:6120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe .1⤵PID:5500
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4892 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\arujgfytpelkcetyjoofi.exe*."3⤵PID:5824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe1⤵PID:2492
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe2⤵PID:4784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .1⤵PID:5620
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:528
-
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5828 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nbbnhdtlequqfeqsac.exe*."3⤵PID:2776
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe1⤵PID:4928
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe2⤵PID:2420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .1⤵PID:5180
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6104
-
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .2⤵PID:5948
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ynobwtkdxkpmccpsbec.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe1⤵PID:5108
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe2⤵PID:456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe .1⤵PID:5040
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe .2⤵
- Checks computer location settings
PID:4896 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nbbnhdtlequqfeqsac.exe*."3⤵PID:4596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe1⤵PID:4624
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe2⤵PID:5852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe .1⤵PID:2576
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe .2⤵PID:3780
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\arujgfytpelkcetyjoofi.exe*."3⤵PID:3164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe1⤵PID:3440
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe2⤵PID:4392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .1⤵PID:5300
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5092 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\arujgfytpelkcetyjoofi.exe*."3⤵PID:868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe1⤵PID:5564
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe2⤵PID:4520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .1⤵PID:4512
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1796 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lbdrnldxsgmkbcqueihx.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe1⤵PID:5640
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe2⤵PID:5776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe .1⤵PID:4692
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\erqbupevnybwkitub.exe*."3⤵PID:1912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe1⤵PID:4496
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe2⤵PID:4632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe .1⤵PID:1696
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5472 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:3456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe1⤵PID:6060
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe2⤵PID:4740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .1⤵PID:3336
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1248 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ynobwtkdxkpmccpsbec.exe*."3⤵PID:4108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe1⤵PID:5552
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe2⤵PID:3776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .1⤵PID:3424
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4796 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\arujgfytpelkcetyjoofi.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe1⤵PID:5964
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe2⤵PID:2508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe .1⤵PID:5356
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3308 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe1⤵PID:3252
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe2⤵PID:4704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe .1⤵PID:6016
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe .2⤵
- Checks computer location settings
PID:2356 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nbbnhdtlequqfeqsac.exe*."3⤵PID:4192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe1⤵PID:4368
-
C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exeC:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe2⤵PID:5176
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .1⤵PID:1020
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\arujgfytpelkcetyjoofi.exe*."3⤵PID:5200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe1⤵PID:1924
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe2⤵PID:5032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .1⤵PID:1780
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .2⤵PID:4652
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nbbnhdtlequqfeqsac.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe1⤵PID:4700
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe2⤵PID:2956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe .1⤵PID:2336
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe .2⤵
- Checks computer location settings
PID:3440 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\erqbupevnybwkitub.exe*."3⤵PID:1188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe1⤵PID:4488
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe2⤵PID:4644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe .1⤵PID:2576
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5616 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\erqbupevnybwkitub.exe*."3⤵PID:5848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe1⤵PID:3872
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe2⤵PID:3692
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .1⤵PID:1476
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4520 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ynobwtkdxkpmccpsbec.exe*."3⤵PID:2188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe1⤵PID:400
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2056
-
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe2⤵PID:1796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe1⤵PID:5328
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6140
-
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe2⤵PID:1228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe1⤵PID:4668
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe2⤵PID:3140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe .1⤵PID:5352
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5080 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nbbnhdtlequqfeqsac.exe*."3⤵PID:5204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .1⤵PID:5720
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nbbnhdtlequqfeqsac.exe*."3⤵PID:4180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe .1⤵PID:4532
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe .2⤵PID:3716
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nbbnhdtlequqfeqsac.exe*."3⤵PID:3212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe1⤵PID:1604
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe2⤵PID:6060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe .1⤵PID:5296
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe .2⤵PID:5056
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\arujgfytpelkcetyjoofi.exe*."3⤵PID:4584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe1⤵PID:3332
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe2⤵PID:3020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe1⤵PID:1444
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe2⤵PID:4212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe .1⤵PID:4276
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe .2⤵PID:2692
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ynobwtkdxkpmccpsbec.exe*."3⤵PID:2168
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .1⤵PID:5004
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .2⤵PID:4712
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nbbnhdtlequqfeqsac.exe*."3⤵PID:1956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe1⤵PID:2852
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe2⤵PID:4720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .1⤵PID:2128
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .2⤵PID:60
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\arujgfytpelkcetyjoofi.exe*."3⤵PID:3824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe1⤵PID:4796
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe2⤵PID:3596
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe .1⤵PID:4204
-
C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exeC:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe .2⤵PID:5484
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xjhrjdrhyikeroyy.exe*."3⤵PID:1020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe1⤵PID:5024
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe2⤵PID:3760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe1⤵PID:6000
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe2⤵PID:2084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .1⤵PID:824
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .2⤵PID:5180
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nbbnhdtlequqfeqsac.exe*."3⤵PID:3552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe .1⤵PID:4368
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe .2⤵PID:1764
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\erqbupevnybwkitub.exe*."3⤵PID:5048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe1⤵PID:5528
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe2⤵PID:832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe .1⤵PID:3380
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe .2⤵PID:2432
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xjhrjdrhyikeroyy.exe*."3⤵PID:3440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe1⤵PID:3508
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3572
-
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe2⤵PID:1684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .1⤵PID:440
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .2⤵PID:4968
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:3164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe1⤵PID:1252
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe2⤵PID:3208
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .1⤵PID:216
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .2⤵PID:6064
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\erqbupevnybwkitub.exe*."3⤵PID:5212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe1⤵PID:3924
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe2⤵PID:5088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe .1⤵PID:5160
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe .2⤵PID:228
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\erqbupevnybwkitub.exe*."3⤵PID:5224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe1⤵PID:5168
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe2⤵PID:2936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe .1⤵PID:2636
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe .2⤵PID:1864
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nbbnhdtlequqfeqsac.exe*."3⤵PID:2928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe1⤵PID:3344
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe2⤵PID:1836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .1⤵PID:5640
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .2⤵PID:2540
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:4948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe1⤵PID:2492
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe2⤵PID:980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .1⤵PID:3300
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .2⤵PID:5248
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ynobwtkdxkpmccpsbec.exe*."3⤵PID:4108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe1⤵PID:4692
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe2⤵PID:5424
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe .1⤵PID:4352
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe .2⤵PID:3908
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ynobwtkdxkpmccpsbec.exe*."3⤵PID:4248
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe1⤵PID:3400
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe2⤵PID:4796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe .1⤵PID:2012
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe .2⤵PID:2592
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\erqbupevnybwkitub.exe*."3⤵PID:1092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe1⤵PID:4176
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe2⤵PID:3612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe .1⤵PID:4044
-
C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exeC:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe .2⤵PID:1920
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xjhrjdrhyikeroyy.exe*."3⤵PID:5752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe1⤵PID:3200
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe2⤵PID:832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .1⤵PID:4296
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .2⤵PID:2428
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:3868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe1⤵PID:5644
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe2⤵PID:2440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe .1⤵PID:4700
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe .2⤵PID:3320
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:3780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe1⤵PID:4840
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe2⤵PID:624
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe .1⤵PID:5476
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe .2⤵PID:2344
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nbbnhdtlequqfeqsac.exe*."3⤵PID:1724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe1⤵PID:868
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe2⤵PID:2140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .1⤵PID:5696
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .2⤵PID:2172
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\erqbupevnybwkitub.exe*."3⤵PID:4128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe1⤵PID:5988
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe2⤵PID:1828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .1⤵PID:4180
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .2⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:5364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe1⤵PID:4596
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe2⤵PID:3644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe .1⤵PID:5224
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe .2⤵PID:5160
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\erqbupevnybwkitub.exe*."3⤵PID:5432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe1⤵PID:4384
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe2⤵PID:4752
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe .1⤵PID:1960
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe .2⤵PID:5080
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:2740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe1⤵PID:1468
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe2⤵PID:5452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .1⤵PID:5464
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .2⤵PID:2032
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:3716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe1⤵PID:468
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe2⤵PID:2484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .1⤵PID:4956
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .2⤵PID:2884
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\erqbupevnybwkitub.exe*."3⤵PID:1696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe1⤵PID:1908
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe2⤵PID:1504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe .1⤵PID:3340
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe .2⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nbbnhdtlequqfeqsac.exe*."3⤵PID:1608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe1⤵PID:5808
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe2⤵PID:3060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe .1⤵PID:3760
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe .2⤵PID:1744
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\erqbupevnybwkitub.exe*."3⤵PID:4904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe1⤵PID:3612
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe2⤵PID:2012
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe .1⤵PID:1248
-
C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exeC:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe .2⤵PID:1736
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xjhrjdrhyikeroyy.exe*."3⤵PID:4704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe1⤵PID:3112
-
C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exeC:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe2⤵PID:5180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .1⤵PID:832
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5292
-
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .2⤵PID:6048
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ynobwtkdxkpmccpsbec.exe*."3⤵PID:1780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe1⤵PID:2420
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe2⤵PID:4260
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe1⤵PID:2440
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe2⤵PID:4636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe1⤵PID:5012
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe2⤵PID:3616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe .1⤵PID:1848
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5904
-
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe .2⤵PID:4272
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\erqbupevnybwkitub.exe*."3⤵PID:2480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe .1⤵PID:1808
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe .2⤵PID:2004
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ynobwtkdxkpmccpsbec.exe*."3⤵PID:4336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe .1⤵PID:4888
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe .2⤵PID:1512
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\erqbupevnybwkitub.exe*."3⤵PID:5824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe1⤵PID:4968
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe2⤵PID:5736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe .1⤵PID:2808
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe .2⤵PID:3716
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ynobwtkdxkpmccpsbec.exe*."3⤵PID:2596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe1⤵PID:5376
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe2⤵PID:5464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe1⤵PID:1212
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2172
-
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe2⤵PID:2524
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe .1⤵PID:1200
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1412
-
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe .2⤵PID:4376
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ynobwtkdxkpmccpsbec.exe*."3⤵PID:1608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe1⤵PID:4208
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe2⤵PID:5472
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe .1⤵PID:3868
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe .2⤵PID:2728
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\erqbupevnybwkitub.exe*."3⤵PID:3760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .1⤵PID:2216
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3872
-
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .2⤵PID:5404
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\erqbupevnybwkitub.exe*."3⤵PID:5320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe1⤵PID:5872
-
C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exeC:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe2⤵PID:5732
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe1⤵PID:400
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe2⤵PID:4724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .1⤵PID:4864
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .2⤵PID:2836
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\arujgfytpelkcetyjoofi.exe*."3⤵PID:5688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .1⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .2⤵PID:2304
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nbbnhdtlequqfeqsac.exe*."3⤵PID:3276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe1⤵PID:5344
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe2⤵PID:264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .1⤵PID:2928
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5352
-
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .2⤵PID:4520
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\arujgfytpelkcetyjoofi.exe*."3⤵PID:4928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe1⤵PID:5036
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe2⤵PID:6072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe1⤵PID:1948
-
C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exeC:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe2⤵PID:5144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .1⤵PID:1524
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .2⤵PID:5052
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\arujgfytpelkcetyjoofi.exe*."3⤵PID:2932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .1⤵PID:4948
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .2⤵PID:5828
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\erqbupevnybwkitub.exe*."3⤵PID:1924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe1⤵PID:4564
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe2⤵PID:3720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe .1⤵PID:1544
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe .2⤵PID:3200
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nbbnhdtlequqfeqsac.exe*."3⤵PID:6104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe1⤵PID:4296
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4652
-
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe2⤵PID:3780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe .1⤵PID:964
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe .2⤵PID:3616
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xjhrjdrhyikeroyy.exe*."3⤵PID:6108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe1⤵PID:2956
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe2⤵PID:5012
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .1⤵PID:5336
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .2⤵PID:5744
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe1⤵PID:4252
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe2⤵PID:2020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .1⤵PID:4272
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .2⤵PID:5720
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nbbnhdtlequqfeqsac.exe*."3⤵PID:1848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe1⤵PID:2588
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe2⤵PID:6120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe .1⤵PID:3604
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe .2⤵PID:3940
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:1828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe1⤵PID:3716
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe2⤵PID:428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe .1⤵PID:4724
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe .2⤵PID:4160
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ynobwtkdxkpmccpsbec.exe*."3⤵PID:5484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe1⤵PID:1504
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe2⤵PID:4248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .1⤵PID:5844
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4832
-
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .2⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nbbnhdtlequqfeqsac.exe*."3⤵PID:2116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe1⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe2⤵PID:5356
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .1⤵PID:4388
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .2⤵PID:4952
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\arujgfytpelkcetyjoofi.exe*."3⤵PID:400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe1⤵PID:6024
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe2⤵PID:5600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe .1⤵PID:4044
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe .2⤵PID:1200
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\erqbupevnybwkitub.exe*."3⤵PID:3328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe1⤵PID:4552
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe2⤵PID:1148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe .1⤵PID:4360
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe .2⤵PID:5180
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ynobwtkdxkpmccpsbec.exe*."3⤵PID:5752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe1⤵PID:5556
-
C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exeC:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe2⤵PID:4464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .1⤵PID:5740
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .2⤵PID:4340
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ynobwtkdxkpmccpsbec.exe*."3⤵PID:1912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe1⤵PID:888
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe2⤵PID:5040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .1⤵PID:2244
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .2⤵PID:1112
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\erqbupevnybwkitub.exe*."3⤵PID:4892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe1⤵PID:4536
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe2⤵PID:1868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe .1⤵PID:3200
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3368
-
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe .2⤵PID:6048
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xjhrjdrhyikeroyy.exe*."3⤵PID:3012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe1⤵PID:1544
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe2⤵PID:2252
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe .1⤵PID:3932
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe .2⤵PID:4700
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:6068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe1⤵PID:1556
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe2⤵PID:4968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .1⤵PID:4656
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .2⤵PID:3252
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:5988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe1⤵PID:5616
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe2⤵PID:3644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .1⤵PID:2536
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .2⤵PID:4196
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\erqbupevnybwkitub.exe*."3⤵PID:3456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe1⤵PID:5728
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe2⤵PID:4192
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe .1⤵PID:5832
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe .2⤵PID:1664
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:1168
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe1⤵PID:5376
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe2⤵PID:3432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe .1⤵PID:5724
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2228
-
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe .2⤵PID:1504
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xjhrjdrhyikeroyy.exe*."3⤵PID:4768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe1⤵PID:4376
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe2⤵PID:4808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .1⤵PID:4160
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .2⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nbbnhdtlequqfeqsac.exe*."3⤵PID:716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe1⤵PID:2360
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe2⤵PID:5112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .1⤵PID:5636
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .2⤵PID:3948
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ynobwtkdxkpmccpsbec.exe*."3⤵PID:5552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe1⤵PID:4668
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe2⤵PID:1320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe .1⤵PID:1688
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5320
-
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe .2⤵PID:5584
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ynobwtkdxkpmccpsbec.exe*."3⤵PID:4532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe1⤵PID:4784
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4860
-
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe2⤵PID:2472
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe1⤵PID:4044
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe2⤵PID:1540
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe .1⤵PID:4596
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe .2⤵PID:5160
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ynobwtkdxkpmccpsbec.exe*."3⤵PID:4416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe1⤵PID:5792
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe2⤵PID:3976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe1⤵PID:4468
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe2⤵PID:5772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe .1⤵PID:856
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe .2⤵PID:5144
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\erqbupevnybwkitub.exe*."3⤵PID:5644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .1⤵PID:1796
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .2⤵PID:6044
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ynobwtkdxkpmccpsbec.exe*."3⤵PID:5720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe .1⤵PID:5984
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe .2⤵PID:6128
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nbbnhdtlequqfeqsac.exe*."3⤵PID:4840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe1⤵PID:4552
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe2⤵PID:4516
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe .1⤵PID:4108
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe .2⤵PID:2748
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:5740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe1⤵PID:2688
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe2⤵PID:1252
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe1⤵PID:4764
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe2⤵PID:2540
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe1⤵PID:6020
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3780
-
-
C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exeC:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe2⤵PID:1044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .1⤵PID:824
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .2⤵PID:5728
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\arujgfytpelkcetyjoofi.exe*."3⤵PID:2560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe .1⤵PID:5660
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe .2⤵PID:4640
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\erqbupevnybwkitub.exe*."3⤵PID:4376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .1⤵PID:3768
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .2⤵PID:4036
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:3688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe1⤵PID:4368
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe2⤵PID:5952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .1⤵PID:3444
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .2⤵PID:264
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ynobwtkdxkpmccpsbec.exe*."3⤵PID:4724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe1⤵PID:2880
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe2⤵PID:2988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .1⤵PID:5616
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .2⤵PID:1568
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\erqbupevnybwkitub.exe*."3⤵PID:3936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe1⤵PID:952
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe2⤵PID:60
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .1⤵PID:2524
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .2⤵PID:3340
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\arujgfytpelkcetyjoofi.exe*."3⤵PID:1900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe1⤵PID:5948
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe2⤵PID:6096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe .1⤵PID:3232
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe .2⤵PID:1836
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nbbnhdtlequqfeqsac.exe*."3⤵PID:4896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe1⤵PID:1512
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe2⤵PID:4520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe .1⤵PID:756
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3776
-
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe .2⤵PID:5340
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\erqbupevnybwkitub.exe*."3⤵PID:2844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe1⤵PID:3456
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2012
-
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe2⤵PID:1324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .1⤵PID:5924
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .2⤵PID:3408
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nbbnhdtlequqfeqsac.exe*."3⤵PID:4864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe1⤵PID:3868
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe2⤵PID:4796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .1⤵PID:468
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .2⤵PID:2556
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nbbnhdtlequqfeqsac.exe*."3⤵PID:5148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe1⤵PID:4940
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe2⤵PID:5828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe .1⤵PID:4884
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe .2⤵PID:5024
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xjhrjdrhyikeroyy.exe*."3⤵PID:4004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe1⤵PID:2336
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe2⤵PID:856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe .1⤵PID:5500
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe .2⤵PID:684
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:3060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe1⤵PID:5720
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe2⤵PID:1912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .1⤵PID:456
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2596
-
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .2⤵PID:3128
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\arujgfytpelkcetyjoofi.exe*."3⤵PID:3064
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe1⤵PID:5984
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe2⤵PID:2028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .1⤵PID:828
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .2⤵PID:5020
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\arujgfytpelkcetyjoofi.exe*."3⤵PID:1444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe1⤵PID:5456
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe2⤵PID:3692
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe .1⤵PID:4888
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe .2⤵PID:5088
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\arujgfytpelkcetyjoofi.exe*."3⤵PID:5012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe1⤵PID:5368
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe2⤵PID:2896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe .1⤵PID:4636
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe .2⤵PID:716
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\nbbnhdtlequqfeqsac.exe*."3⤵PID:3696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe1⤵PID:5248
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe2⤵PID:3608
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .1⤵PID:2488
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .2⤵PID:4180
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\arujgfytpelkcetyjoofi.exe*."3⤵PID:1320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe1⤵PID:3760
-
C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exeC:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe2⤵PID:3340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .1⤵PID:3424
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .2⤵PID:440
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\arujgfytpelkcetyjoofi.exe*."3⤵PID:4592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe1⤵PID:4980
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe2⤵PID:220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe .1⤵PID:5344
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe .2⤵PID:624
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\arujgfytpelkcetyjoofi.exe*."3⤵PID:3304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe1⤵PID:4584
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe2⤵PID:2496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe .1⤵PID:2464
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe .2⤵PID:5352
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:2208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe1⤵PID:3344
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe2⤵PID:3532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .1⤵PID:5188
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .2⤵PID:3868
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nbbnhdtlequqfeqsac.exe*."3⤵PID:3368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe1⤵PID:1764
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe2⤵PID:5296
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .1⤵PID:4560
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5048
-
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .2⤵PID:1540
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\erqbupevnybwkitub.exe*."3⤵PID:5332
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe1⤵PID:4624
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe2⤵PID:5284
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe .1⤵PID:5180
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe .2⤵PID:5640
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ynobwtkdxkpmccpsbec.exe*."3⤵PID:1844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c nbbnhdtlequqfeqsac.exe1⤵PID:2936
-
C:\Windows\nbbnhdtlequqfeqsac.exenbbnhdtlequqfeqsac.exe2⤵PID:2032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe .1⤵PID:5144
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe .2⤵PID:4660
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xjhrjdrhyikeroyy.exe*."3⤵PID:4196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe1⤵PID:2576
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe2⤵PID:5472
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .1⤵PID:4008
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe .2⤵PID:2168
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ynobwtkdxkpmccpsbec.exe*."3⤵PID:532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe1⤵PID:2772
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe2⤵PID:2052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .1⤵PID:3064
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .2⤵PID:4260
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\nbbnhdtlequqfeqsac.exe*."3⤵PID:4728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe1⤵PID:6048
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe2⤵PID:5696
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe .1⤵PID:3940
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5056
-
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe .2⤵PID:3692
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:4832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe1⤵PID:1504
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1828
-
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe2⤵PID:5112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe .1⤵PID:5012
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe .2⤵PID:5660
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\xjhrjdrhyikeroyy.exe*."3⤵PID:716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe1⤵PID:2896
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe2⤵PID:2308
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .1⤵PID:2508
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe .2⤵PID:5248
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\arujgfytpelkcetyjoofi.exe*."3⤵PID:2880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe1⤵PID:3596
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe2⤵PID:5384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .1⤵PID:3236
-
C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exeC:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .2⤵PID:4128
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\lbdrnldxsgmkbcqueihx.exe*."3⤵PID:3740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe1⤵PID:3760
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe2⤵PID:3300
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe1⤵PID:1900
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe2⤵PID:4452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe .1⤵PID:2296
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe .2⤵PID:220
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ynobwtkdxkpmccpsbec.exe*."3⤵PID:4668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe .1⤵PID:2356
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe .2⤵PID:1736
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\erqbupevnybwkitub.exe*."3⤵PID:1148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe1⤵PID:2496
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe2⤵PID:1764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe .1⤵PID:212
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe .2⤵PID:4468
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\arujgfytpelkcetyjoofi.exe*."3⤵PID:4632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xjhrjdrhyikeroyy.exe1⤵PID:5724
-
C:\Windows\xjhrjdrhyikeroyy.exexjhrjdrhyikeroyy.exe2⤵PID:3976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe1⤵PID:5644
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe2⤵PID:3612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe1⤵PID:592
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4784
-
-
C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exeC:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe2⤵PID:5320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqbupevnybwkitub.exe .1⤵PID:1688
-
C:\Windows\erqbupevnybwkitub.exeerqbupevnybwkitub.exe .2⤵PID:5768
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\erqbupevnybwkitub.exe*."3⤵PID:4780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe .1⤵PID:1696
-
C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exeC:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe .2⤵PID:2216
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\xjhrjdrhyikeroyy.exe*."3⤵PID:4208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lbdrnldxsgmkbcqueihx.exe .1⤵PID:216
-
C:\Windows\lbdrnldxsgmkbcqueihx.exelbdrnldxsgmkbcqueihx.exe .2⤵PID:428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe1⤵PID:3212
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe2⤵PID:3012
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .1⤵PID:5176
-
C:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\nbbnhdtlequqfeqsac.exe .2⤵PID:4008
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ynobwtkdxkpmccpsbec.exe1⤵PID:3504
-
C:\Windows\ynobwtkdxkpmccpsbec.exeynobwtkdxkpmccpsbec.exe2⤵PID:3128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe1⤵PID:6140
-
C:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exeC:\Users\Admin\AppData\Local\Temp\ynobwtkdxkpmccpsbec.exe2⤵PID:2772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c arujgfytpelkcetyjoofi.exe .1⤵PID:2404
-
C:\Windows\arujgfytpelkcetyjoofi.exearujgfytpelkcetyjoofi.exe .2⤵PID:4260
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lbdrnldxsgmkbcqueihx.exe .1⤵PID:4552
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe1⤵PID:5080
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe1⤵PID:4720
-
C:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exeC:\Users\Admin\AppData\Local\Temp\arujgfytpelkcetyjoofi.exe2⤵PID:4384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .1⤵PID:5828
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe .1⤵PID:1912
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1072
-
-
C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exeC:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe .2⤵PID:1092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xjhrjdrhyikeroyy.exe1⤵PID:636
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqbupevnybwkitub.exe .1⤵PID:1500
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Hijack Execution Flow 1
Executable Installer File Permissions Weakness 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Hijack Execution Flow 1
Executable Installer File Permissions Weakness 1
Defense Evasion
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Hijack Execution Flow 1
Executable Installer File Permissions Weakness 1
Impair Defenses 2
Disable or Modify Tools 1
Safe Mode Boot 1
Modify Registry 5
Replay Monitor
Downloads
-
Filesize
272B
MD5 541a3707fb9f37ab4dee93eb35144f1c
SHA1 17287fe1bb120dbf1b11852258127df9def5227a
SHA256 43339dc83038a61e414868d77fcdafc2e5648f2bbab3ea95b40753d7fa0fb0ae
SHA512 33d7c0a117ab9d9f25b0b4f434362f11044320768f786a3c5cbe040775955b15b9068e9dbfa8e14ced06643cd442b72d35925ef6e1420f5eeb1dad574d8b6f0d
-
Filesize
272B
MD5 c612958bbbad685e7dca028f29e1883e
SHA1 31db126919af796811df3292f644fced445032d3
SHA256 08cb4d4a85561bcb3e9b58e17b9091f3bd952f56bb79ab63ac2e26a5414f805c
SHA512 a140545c3d2e59248d06337f134d5b7ba3ee7309a6220fd703403dc5b5b4c51991219325fcd90b832c912b0af5f1682ff1eb329ebd4e37186a1d2c7a095b6fd8
-
Filesize
272B
MD5 cca099510847780b8fae07d16f71041f
SHA1 d85a8b60b5d2cb180f6506e438bf963bd40875f8
SHA256 a656494e0ed08158f74b5d68cbf5fdffd621fb5a0f008b06a5f7c953def4bce8
SHA512 8c562a0081d32b1583d1c73681d89616051ed4f40de8654cead8b61986e15ea6751d4e220c15cf474bb0ca5a2e90a413776ed1210397027dc366942500090295
-
Filesize
272B
MD5 2b5a24ba675a3c1c2ea4a0de8cc5c5b9
SHA1 d86093fb08c871863ec9d3c2a75a31a21f049470
SHA256 9ac9d817a5ffcff5be70b7d89c76bcc4389ff86159609ff66ba8742572cd5efe
SHA512 a0e57704f8ac6da0d34b9f66f1ea011c1545455ccf1464cd79c298f4b540304b244fdc907e7af0823ed58ad038e726b705a49e37f8a49a133a911d84c9cbe352
-
Filesize
272B
MD5 06423f3fc4108af8a4e7489724ecb4c4
SHA1 dd26da593e4c4c76b247d4a02366265c2c761182
SHA256 d46483304ad597680ffcc32c5f6ada5543717f69599be85af6863a4671ef8edf
SHA512 30b31fd96a8c3b38de5f8b1a35e2ac8bb49748e69fd74239800845968bca23fa785a9f5bf5611d74053f5b1fc62b948eac9d489028115601d4333a296285082e
-
Filesize
320KB
MD5 89ec3461ef4a893428c32f89de78b396
SHA1 8067cdc0901f0dc5bc1bb67a1c9037f502ea85f9
SHA256 1849989ee704cda3b552b5021f3165012978d26d0daf7d22a09805deb6be2d0b
SHA512 7804fa36e1f050115b00d21a9a94cf92436260a385da67106b0c73eb350abafca53f2dec42d377d4eccc095dd75ac92e841fb66e874e656e412cd71ed7909fe8
-
Filesize
716KB
MD5 9a28b3d40f4ad0104fec9fcb86eeb561
SHA1 3997e0e8bd78df27fd082bcdbeb0aff39eb12b7b
SHA256 e359acd776dea8d82a7bd8ac4f6511d579395c45fd42ee13ad2bbca72aaeb5fa
SHA512 afff2715d6de01db1bc77429b4ef0437e612dc75aaf617fb9cf0b765c4839494396e14e8bc8bb51653a8fa00dd1778d5fd619c67d280b7d803f221b03b636973
-
Filesize
272B
MD5 22dbd511ae41cebee030b9fcbe9535f9
SHA1 e5ee316ef950e7e87ddb81b560640cc6abe6da46
SHA256 8dad2533c1433f63afaebdd519e6d92f2a333a5d6a58132c590bee3d6f925826
SHA512 b493248e606182df7733e2bd7330d1d0383e10b21eb6e0af187ac5a2302c63093c52578341dd7c2a04d2b68124ee80a0f00f206cbc256bc51c62d73775d8441a
-
Filesize
3KB
MD5 2d950ce77f367a38d9f4409e5cecbe59
SHA1 711b0a9bdaaff62c0f20d63507de05f558be2a88
SHA256 d41db908cd887d0b6be8540394274dc2f1c8a69814e62cf21bc17bbb1a01ef2b
SHA512 ed209e2113c0103567101e88a2a58022cd89407c4aa5515960c67cbcb5c62be3bd2904184c8a3bcccfe2ac16689429ec950bf46010b017f0eadef17daa67297c
-
Filesize
556KB
MD5 b4a229565b18ddf6e26668fa71c1f260
SHA1 2307c3afc80bec3823f5774322faf82518702d04
SHA256 2dd546c14f099e9bb4743023030628c46e25af589292816d7666c17ab7f17bd6
SHA512 2a7f67798e04b983728cda41060a0424e9eb64d9102299bd58199e9d280d33977a737ed791d819d966973d7ccb145c549f0e3e573b377544ed1a81c9ebc324bc
-
Filesize
532KB
MD5 91341f666ce4e3db7b8139902bfc4d28
SHA1 ab1442ebd90125df99f2a4b482924185c09f255b
SHA256 7fdffd4ed539eeb96f3bebf04d08bbf7f52f751c45576a37d905451491ad6aa6
SHA512 0bafa761adcbeac2b0f1a3b74364aa58f169a5bd79470a2aaacb2567508b3b58f4ef985c6bf069b072f4bbc83e0f6ce7a875af4019f650abdd072e49847ed4b4