Analysis
max time kernel: 41s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250410-en
resource tags: arch:x64 arch:x86 image:win10v2004-20250410-en locale:en-us os:windows10-2004-x64 system
submitted: 13/04/2025, 15:09
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_b4fe986f603c8689f0e3be5b60cc856e.exe
Resource: win10v2004-20250410-en
General
Target: JaffaCakes118_b4fe986f603c8689f0e3be5b60cc856e.exe
Size: 524KB
MD5: b4fe986f603c8689f0e3be5b60cc856e
SHA1: 4989bebdf2b66cec09efe777715577b21e5fec5e
SHA256: ce16cfb716ea2a3ebb272428883f5b7375f2b38c5eeff3c4e455baa9a9fb0168
SHA512: b5b057b7d9a79abd6d857c50767075e480bd3bb3d6dee512c9d517c851e242e42d0e05263010c719b870308bc728908345310280c2b3431a72b8ffc50533b94e
SSDEEP: 12288:fg5pBHxXptbN5ZRgOiBjw/C0AWzFjbWOeEEs:qH7tbrbIBjwuWRmLEn
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 18 IoCs
Pykspa family
UAC bypass 3 TTPs 27 IoCs
Detect Pykspa worm 2 IoCs
resource | yara_rule
behavioral1/files/0x0008000000024283-4.dat | family_pykspa
behavioral1/files/0x000700000002428d-85.dat | family_pykspa
Adds policy Run key to start application 2 TTPs 62 IoCs
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vjfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vjfkt.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vjfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vjfkt.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bqyqvqrmlai.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bqyqvqrmlai.exe
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE 64 IoCs
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | vjfkt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | vjfkt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | vjfkt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | vjfkt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | vjfkt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | vjfkt.exe
Adds Run key to start application 2 TTPs 64 IoCs
bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nlrgzkhvhuvoawf = "gjuomcexogmkbcqueicf.exe" vjfkt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kfiuksmxgqoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzhytgfvjybwkitub.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kfiuksmxgqoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijskguulaquqfeqsac.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kfiuksmxgqoe = "ijskguulaquqfeqsac.exe" vjfkt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kfiuksmxgqoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tvfyvkldtkpmccpsbex.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jfjwnwrdnyxoy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tvfyvkldtkpmccpsbex.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ijskguulaquqfeqsac = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzhytgfvjybwkitub.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jfjwnwrdnyxoy = "tvfyvkldtkpmccpsbex.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nlrgzkhvhuvoawf = "sryoiushuikeroyy.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sryoiushuikeroyy = "gjuomcexogmkbcqueicf.exe ." 
bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ijskguulaquqfeqsac = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tvfyvkldtkpmccpsbex.exe" vjfkt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sryoiushuikeroyy = "vzlgfwztlelkcetyjojnz.exe ." vjfkt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zzhytgfvjybwkitub = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjuomcexogmkbcqueicf.exe ." vjfkt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nlrgzkhvhuvoawf = "vzlgfwztlelkcetyjojnz.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kfiuksmxgqoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjuomcexogmkbcqueicf.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kfiuksmxgqoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tvfyvkldtkpmccpsbex.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nlrgzkhvhuvoawf = "tvfyvkldtkpmccpsbex.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kfiuksmxgqoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vzlgfwztlelkcetyjojnz.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kfiuksmxgqoe = "sryoiushuikeroyy.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sryoiushuikeroyy = "ijskguulaquqfeqsac.exe ." 
bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jfjwnwrdnyxoy = "ijskguulaquqfeqsac.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kfiuksmxgqoe = "vzlgfwztlelkcetyjojnz.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ijskguulaquqfeqsac = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijskguulaquqfeqsac.exe" bqyqvqrmlai.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jfjwnwrdnyxoy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjuomcexogmkbcqueicf.exe ." vjfkt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jfjwnwrdnyxoy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sryoiushuikeroyy.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jfjwnwrdnyxoy = "gjuomcexogmkbcqueicf.exe ." vjfkt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jfjwnwrdnyxoy = "tvfyvkldtkpmccpsbex.exe ." bqyqvqrmlai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kfiuksmxgqoe = "vzlgfwztlelkcetyjojnz.exe" vjfkt.exe -
Checks whether UAC is enabled 1 TTPs 36 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bqyqvqrmlai.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vjfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bqyqvqrmlai.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bqyqvqrmlai.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bqyqvqrmlai.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bqyqvqrmlai.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bqyqvqrmlai.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bqyqvqrmlai.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bqyqvqrmlai.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bqyqvqrmlai.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bqyqvqrmlai.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bqyqvqrmlai.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bqyqvqrmlai.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bqyqvqrmlai.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bqyqvqrmlai.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bqyqvqrmlai.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bqyqvqrmlai.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vjfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vjfkt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bqyqvqrmlai.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bqyqvqrmlai.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bqyqvqrmlai.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bqyqvqrmlai.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bqyqvqrmlai.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bqyqvqrmlai.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bqyqvqrmlai.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bqyqvqrmlai.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bqyqvqrmlai.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bqyqvqrmlai.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bqyqvqrmlai.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bqyqvqrmlai.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bqyqvqrmlai.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bqyqvqrmlai.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bqyqvqrmlai.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vjfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bqyqvqrmlai.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | bqyqvqrmlai.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | vjfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | vjfkt.exe
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
36 | www.whatismyip.ca
37 | whatismyip.everdot.org
16 | www.whatismyip.ca
20 | whatismyipaddress.com
23 | www.whatismyip.ca
24 | www.showmyipaddress.com
32 | whatismyip.everdot.org
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\mreaaswrkemmfiyeqwsxkg.exe | vjfkt.exe
File opened for modification | C:\Windows\SysWOW64\ijskguulaquqfeqsac.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\sryoiushuikeroyy.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\ijskguulaquqfeqsac.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\mreaaswrkemmfiyeqwsxkg.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\tvfyvkldtkpmccpsbex.exe | vjfkt.exe
File opened for modification | C:\Windows\SysWOW64\tvfyvkldtkpmccpsbex.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\sryoiushuikeroyy.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\vzlgfwztlelkcetyjojnz.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\mreaaswrkemmfiyeqwsxkg.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\mreaaswrkemmfiyeqwsxkg.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\zzhytgfvjybwkitub.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\zzhytgfvjybwkitub.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\gjuomcexogmkbcqueicf.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\zzhytgfvjybwkitub.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\vzlgfwztlelkcetyjojnz.exe | vjfkt.exe
File opened for modification | C:\Windows\SysWOW64\ijskguulaquqfeqsac.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\zzhytgfvjybwkitub.exe | vjfkt.exe
File opened for modification | C:\Windows\SysWOW64\zzhytgfvjybwkitub.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\mreaaswrkemmfiyeqwsxkg.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\sryoiushuikeroyy.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\vzlgfwztlelkcetyjojnz.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\ijskguulaquqfeqsac.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\ijskguulaquqfeqsac.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\mreaaswrkemmfiyeqwsxkg.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\ijskguulaquqfeqsac.exe | vjfkt.exe
File opened for modification | C:\Windows\SysWOW64\tvfyvkldtkpmccpsbex.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\tvfyvkldtkpmccpsbex.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\zzhytgfvjybwkitub.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\gjuomcexogmkbcqueicf.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\sryoiushuikeroyy.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\nhjujqjtbkhwewbwxsdxzkzgzjraxmumr.nit | vjfkt.exe
File opened for modification | C:\Windows\SysWOW64\vzlgfwztlelkcetyjojnz.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\zzhytgfvjybwkitub.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\vzlgfwztlelkcetyjojnz.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\tvfyvkldtkpmccpsbex.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\vzlgfwztlelkcetyjojnz.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\sryoiushuikeroyy.exe | vjfkt.exe
File opened for modification | C:\Windows\SysWOW64\tvfyvkldtkpmccpsbex.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\tvfyvkldtkpmccpsbex.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\sryoiushuikeroyy.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\sryoiushuikeroyy.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\mreaaswrkemmfiyeqwsxkg.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\gjuomcexogmkbcqueicf.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\tvfyvkldtkpmccpsbex.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\gjuomcexogmkbcqueicf.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\gjuomcexogmkbcqueicf.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\vzlgfwztlelkcetyjojnz.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\gjuomcexogmkbcqueicf.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\sryoiushuikeroyy.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\vzlgfwztlelkcetyjojnz.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\sryoiushuikeroyy.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\ijskguulaquqfeqsac.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\zzhytgfvjybwkitub.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\ijskguulaquqfeqsac.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\mreaaswrkemmfiyeqwsxkg.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\sryoiushuikeroyy.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\vzlgfwztlelkcetyjojnz.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\mreaaswrkemmfiyeqwsxkg.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\mreaaswrkemmfiyeqwsxkg.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\tvfyvkldtkpmccpsbex.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\tvfyvkldtkpmccpsbex.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\sryoiushuikeroyy.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\SysWOW64\tvfyvkldtkpmccpsbex.exe | bqyqvqrmlai.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\nhjujqjtbkhwewbwxsdxzkzgzjraxmumr.nit | vjfkt.exe
File opened for modification | C:\Program Files (x86)\wfwwawedaykolsmwmwwfww.wed | vjfkt.exe
File created | C:\Program Files (x86)\wfwwawedaykolsmwmwwfww.wed | vjfkt.exe
File opened for modification | C:\Program Files (x86)\nhjujqjtbkhwewbwxsdxzkzgzjraxmumr.nit | vjfkt.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\zzhytgfvjybwkitub.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\ijskguulaquqfeqsac.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\tvfyvkldtkpmccpsbex.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\sryoiushuikeroyy.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\vzlgfwztlelkcetyjojnz.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\vzlgfwztlelkcetyjojnz.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\mreaaswrkemmfiyeqwsxkg.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\gjuomcexogmkbcqueicf.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\tvfyvkldtkpmccpsbex.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\gjuomcexogmkbcqueicf.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\mreaaswrkemmfiyeqwsxkg.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\zzhytgfvjybwkitub.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\ijskguulaquqfeqsac.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\tvfyvkldtkpmccpsbex.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\mreaaswrkemmfiyeqwsxkg.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\ijskguulaquqfeqsac.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\tvfyvkldtkpmccpsbex.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\sryoiushuikeroyy.exe | vjfkt.exe
File opened for modification | C:\Windows\tvfyvkldtkpmccpsbex.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\sryoiushuikeroyy.exe | vjfkt.exe
File opened for modification | C:\Windows\mreaaswrkemmfiyeqwsxkg.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\ijskguulaquqfeqsac.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\zzhytgfvjybwkitub.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\tvfyvkldtkpmccpsbex.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\sryoiushuikeroyy.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\vzlgfwztlelkcetyjojnz.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\vzlgfwztlelkcetyjojnz.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\tvfyvkldtkpmccpsbex.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\zzhytgfvjybwkitub.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\vzlgfwztlelkcetyjojnz.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\tvfyvkldtkpmccpsbex.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\gjuomcexogmkbcqueicf.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\sryoiushuikeroyy.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\gjuomcexogmkbcqueicf.exe | vjfkt.exe
File opened for modification | C:\Windows\mreaaswrkemmfiyeqwsxkg.exe | vjfkt.exe
File opened for modification | C:\Windows\ijskguulaquqfeqsac.exe | vjfkt.exe
File opened for modification | C:\Windows\sryoiushuikeroyy.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\vzlgfwztlelkcetyjojnz.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\vzlgfwztlelkcetyjojnz.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\sryoiushuikeroyy.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\tvfyvkldtkpmccpsbex.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\ijskguulaquqfeqsac.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\zzhytgfvjybwkitub.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\zzhytgfvjybwkitub.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\ijskguulaquqfeqsac.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\vzlgfwztlelkcetyjojnz.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\zzhytgfvjybwkitub.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\zzhytgfvjybwkitub.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\zzhytgfvjybwkitub.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\tvfyvkldtkpmccpsbex.exe | bqyqvqrmlai.exe
File created | C:\Windows\nhjujqjtbkhwewbwxsdxzkzgzjraxmumr.nit | vjfkt.exe
File opened for modification | C:\Windows\zzhytgfvjybwkitub.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\vzlgfwztlelkcetyjojnz.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\gjuomcexogmkbcqueicf.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\vzlgfwztlelkcetyjojnz.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\ijskguulaquqfeqsac.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\mreaaswrkemmfiyeqwsxkg.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\zzhytgfvjybwkitub.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\sryoiushuikeroyy.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\gjuomcexogmkbcqueicf.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\gjuomcexogmkbcqueicf.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\mreaaswrkemmfiyeqwsxkg.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\ijskguulaquqfeqsac.exe | bqyqvqrmlai.exe
File opened for modification | C:\Windows\sryoiushuikeroyy.exe | bqyqvqrmlai.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vzlgfwztlelkcetyjojnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zzhytgfvjybwkitub.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tvfyvkldtkpmccpsbex.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vzlgfwztlelkcetyjojnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zzhytgfvjybwkitub.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zzhytgfvjybwkitub.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tvfyvkldtkpmccpsbex.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sryoiushuikeroyy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gjuomcexogmkbcqueicf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vzlgfwztlelkcetyjojnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gjuomcexogmkbcqueicf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vzlgfwztlelkcetyjojnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zzhytgfvjybwkitub.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ijskguulaquqfeqsac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ijskguulaquqfeqsac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sryoiushuikeroyy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zzhytgfvjybwkitub.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gjuomcexogmkbcqueicf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ijskguulaquqfeqsac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vzlgfwztlelkcetyjojnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ijskguulaquqfeqsac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vzlgfwztlelkcetyjojnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zzhytgfvjybwkitub.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tvfyvkldtkpmccpsbex.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ijskguulaquqfeqsac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gjuomcexogmkbcqueicf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vzlgfwztlelkcetyjojnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tvfyvkldtkpmccpsbex.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ijskguulaquqfeqsac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ijskguulaquqfeqsac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tvfyvkldtkpmccpsbex.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sryoiushuikeroyy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bqyqvqrmlai.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zzhytgfvjybwkitub.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vzlgfwztlelkcetyjojnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ijskguulaquqfeqsac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vzlgfwztlelkcetyjojnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vzlgfwztlelkcetyjojnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tvfyvkldtkpmccpsbex.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ijskguulaquqfeqsac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ijskguulaquqfeqsac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ijskguulaquqfeqsac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vzlgfwztlelkcetyjojnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gjuomcexogmkbcqueicf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vzlgfwztlelkcetyjojnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tvfyvkldtkpmccpsbex.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ijskguulaquqfeqsac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gjuomcexogmkbcqueicf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gjuomcexogmkbcqueicf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sryoiushuikeroyy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vzlgfwztlelkcetyjojnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zzhytgfvjybwkitub.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vzlgfwztlelkcetyjojnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gjuomcexogmkbcqueicf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vzlgfwztlelkcetyjojnz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tvfyvkldtkpmccpsbex.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zzhytgfvjybwkitub.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sryoiushuikeroyy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tvfyvkldtkpmccpsbex.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zzhytgfvjybwkitub.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tvfyvkldtkpmccpsbex.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gjuomcexogmkbcqueicf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_b4fe986f603c8689f0e3be5b60cc856e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tvfyvkldtkpmccpsbex.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
The 64 rows all have the same two columns; collapsed by pid and process:

pid    Process                                               rows
5664   JaffaCakes118_b4fe986f603c8689f0e3be5b60cc856e.exe   60
1880   vjfkt.exe                                             4
Suspicious use of AdjustPrivilegeToken 1 IoCs
description                pid    Process
Token: SeDebugPrivilege    1880   vjfkt.exe
Suspicious use of WriteProcessMemory 64 IoCs
The raw table prints every event three times; the rows column below gives the repeat count. procid_target is the report's own sequential process index (89, 92, 95, ...), not a Windows PID; the target's Windows PID is the number in the description.

description                          pid    Process                                               procid_target   rows
PID 5664 wrote to memory of 6028     5664   JaffaCakes118_b4fe986f603c8689f0e3be5b60cc856e.exe   89              3
PID 5428 wrote to memory of 928      5428   cmd.exe                                               92              3
PID 4672 wrote to memory of 4724     4672   cmd.exe                                               95              3
PID 4724 wrote to memory of 4708     4724   gjuomcexogmkbcqueicf.exe                              96              3
PID 4692 wrote to memory of 3532     4692   cmd.exe                                               101             3
PID 1944 wrote to memory of 4872     1944   cmd.exe                                               105             3
PID 3524 wrote to memory of 708      3524   cmd.exe                                               109             3
PID 4872 wrote to memory of 4260     4872   vzlgfwztlelkcetyjojnz.exe                             112             3
PID 2008 wrote to memory of 5416     2008   cmd.exe                                               113             3
PID 2376 wrote to memory of 4248     2376   cmd.exe                                               114             3
PID 1744 wrote to memory of 5116     1744   cmd.exe                                               115             3
PID 4248 wrote to memory of 6104     4248   tvfyvkldtkpmccpsbex.exe                               189             3
PID 5116 wrote to memory of 5248     5116   zzhytgfvjybwkitub.exe                                 117             3
PID 6028 wrote to memory of 1880     6028   bqyqvqrmlai.exe                                       119             3
PID 6028 wrote to memory of 1840     6028   bqyqvqrmlai.exe                                       120             3
PID 6040 wrote to memory of 3328     6040   cmd.exe                                               123             3
PID 3008 wrote to memory of 6132     3008   cmd.exe                                               306             3
PID 2664 wrote to memory of 452      2664   cmd.exe                                               131             3
PID 5504 wrote to memory of 5668     5504   cmd.exe                                               132             3
PID 6132 wrote to memory of 364      6132   ijskguulaquqfeqsac.exe                                138             3
PID 2148 wrote to memory of 3056     2148   cmd.exe                                               140             3
PID 3068 wrote to memory of 5612     3068   cmd.exe                                               149             1 (list cut off at 64 rows)

Every target listed is the writer's direct child in the process tree below; nothing in this table shows a write into a process the writer did not itself start. Read it as the parent writing into a child it is launching, and treat it as evidence of injection only if a write targets an unrelated process.
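Reading this table by hand is slow because every launch is printed three times and the target is named by its Windows PID in the description but by a sandbox index in the last column. The script below is an added example written for this page (it is not part of the report or of the sample): it parses a constructed excerpt of the rows in the flattened form shown above, collapses the repeats into one launch event each, and separates the cmd.exe re-launches from the writers that matter, the sample and the binaries it dropped. The row layout it assumes is the one visible above, `PID <writer> wrote to memory of <target> <writer> <image> <index>`.

```python
"""Collapse flattened 'Suspicious use of WriteProcessMemory' rows into
parent->child launch events.  Added example; not part of the sandbox report
or of the analysed sample."""
import re
from collections import Counter, defaultdict

# Constructed input: a few rows copied from the table above, in the
# flattened one-line form the report renders them in.
SAMPLE_ROWS = (
    "PID 5664 wrote to memory of 6028 5664 JaffaCakes118_b4fe986f603c8689f0e3be5b60cc856e.exe 89 "
    "PID 5664 wrote to memory of 6028 5664 JaffaCakes118_b4fe986f603c8689f0e3be5b60cc856e.exe 89 "
    "PID 5664 wrote to memory of 6028 5664 JaffaCakes118_b4fe986f603c8689f0e3be5b60cc856e.exe 89 "
    "PID 5428 wrote to memory of 928 5428 cmd.exe 92 "
    "PID 5428 wrote to memory of 928 5428 cmd.exe 92 "
    "PID 5428 wrote to memory of 928 5428 cmd.exe 92 "
    "PID 4724 wrote to memory of 4708 4724 gjuomcexogmkbcqueicf.exe 96 "
    "PID 4724 wrote to memory of 4708 4724 gjuomcexogmkbcqueicf.exe 96 "
    "PID 4724 wrote to memory of 4708 4724 gjuomcexogmkbcqueicf.exe 96 "
    "PID 6028 wrote to memory of 1880 6028 bqyqvqrmlai.exe 119 "
    "PID 6028 wrote to memory of 1880 6028 bqyqvqrmlai.exe 119 "
    "PID 6028 wrote to memory of 1880 6028 bqyqvqrmlai.exe 119 "
    "PID 6028 wrote to memory of 1840 6028 bqyqvqrmlai.exe 120 "
    "PID 6028 wrote to memory of 1840 6028 bqyqvqrmlai.exe 120 "
    "PID 6028 wrote to memory of 1840 6028 bqyqvqrmlai.exe 120 -"
)

# description (writer, target)         pid      Process  procid_target
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_rows(text):
    """One tuple (writer_pid, target_pid, writer_image, sandbox_index) per raw row."""
    rows = []
    for m in ROW_RE.finditer(text):
        writer, target, pid_col, image, idx = m.groups()
        if writer != pid_col:  # the pid column must repeat the writer named in the description
            raise ValueError("inconsistent row: " + m.group(0))
        rows.append((int(writer), int(target), image, int(idx)))
    return rows


def launch_events(rows):
    """Collapse repeated rows: {(writer_pid, target_pid, writer_image): row_count}."""
    return Counter((w, t, img) for w, t, img, _ in rows)


def children_of(rows):
    """{(writer_pid, writer_image): sorted target pids}; the edges to check against the process tree."""
    edges = defaultdict(set)
    for w, t, img, _ in rows:
        edges[(w, img)].add(t)
    return {k: sorted(v) for k, v in edges.items()}


def non_shell_writers(rows):
    """Writers other than cmd.exe: the sample itself and the binaries it dropped.
    The cmd.exe re-launches are noise; these are the edges worth following."""
    return sorted({(w, img) for w, _, img, _ in rows if img.lower() != "cmd.exe"})


def sandbox_index(rows):
    """Map each target Windows PID to the report's own procid_target index."""
    return {t: idx for _, t, _, idx in rows}


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    for (w, t, img), n in sorted(launch_events(parsed).items()):
        print(f"{img} ({w}) -> {t}   x{n}")
    print("non-shell writers:", non_shell_writers(parsed))
```

Paste the full 64-row text in place of the constructed excerpt and `children_of` gives you the complete launch graph to diff against the process tree; any edge whose target is not the writer's child in the tree is the one to look at.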
System policy modification 1 TTPs 64 IoCs
All keys below sit under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies). The 64 raw rows are collapsed to the distinct operations they contain:

action             ioc                                  data    Process
Set value (int)    System\EnableLUA                     "0"     bqyqvqrmlai.exe, vjfkt.exe
Set value (int)    System\ConsentPromptBehaviorAdmin    "0"     bqyqvqrmlai.exe, vjfkt.exe
Set value (int)    System\ConsentPromptBehaviorUser     "0"     bqyqvqrmlai.exe, vjfkt.exe
Set value (int)    System\PromptOnSecureDesktop         "0"     bqyqvqrmlai.exe, vjfkt.exe
Set value (int)    System\EnableSecureUIAPaths          "0"     bqyqvqrmlai.exe, vjfkt.exe
Set value (int)    System\FilterAdministratorToken      "0"     bqyqvqrmlai.exe, vjfkt.exe
Set value (int)    System\ValidateAdminCodeSignatures   "0"     bqyqvqrmlai.exe, vjfkt.exe
Set value (int)    System\EnableVirtualization          "0"     bqyqvqrmlai.exe, vjfkt.exe
Set value (int)    System\DisableRegistryTools          "1"     vjfkt.exe (within the 64 rows shown)
Set value (int)    Explorer\NoDriveTypeAutoRun          "1"     bqyqvqrmlai.exe, vjfkt.exe
Key created        System                                       bqyqvqrmlai.exe, vjfkt.exe
Key created        Explorer                                     bqyqvqrmlai.exe, vjfkt.exe

EnableLUA = 0 switches UAC off only at the next boot; the other values are read at elevation time and apply immediately. DisableRegistryTools = 1 blocks regedit, which also hampers manual cleanup of the Winlogon and Run-key persistence recorded above.
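To turn the policy rows into something a responder can act on, the added example below (not part of the report or of the sample) parses a constructed excerpt of the rows in the flattened form shown above, flags each value that was pushed to a UAC-weakening state, and emits the reg.exe queries to re-check those values on a suspect host. The table of Windows 10 default values and the regexes for the two row shapes (`Set value (<type>) <path> = "<data>" <process>` and `Key created <path> <process>`) are assumptions made for this example, not data from the report.

```python
"""Turn flattened 'System policy modification' rows into a UAC posture
finding list plus the reg.exe queries to re-check them on a host.
Added example; not part of the sandbox report or of the analysed sample."""
import re

# Constructed input: rows copied from the table above, in the flattened
# one-line form the report renders them in.
SAMPLE_ROWS = (
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" vjfkt.exe '
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer vjfkt.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" bqyqvqrmlai.exe '
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System bqyqvqrmlai.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" bqyqvqrmlai.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" vjfkt.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" vjfkt.exe '
)

# Two row shapes occur in the table.  The key path is matched lazily so a
# path containing a space (e.g. "Windows NT") still parses.
SET_RE = re.compile(r'Set value \((\w+)\) (\\REGISTRY\\.+?) = "([^"]*)" (\S+\.exe)')
KEY_RE = re.compile(r'Key created (\\REGISTRY\\.+?) (\S+\.exe)')

# value name -> (data the sample wrote, Windows 10 default, effect).
# The defaults are this example's assumption, not something the report states.
UAC_WEAKENING = {
    "EnableLUA":                   ("0", "1", "UAC disabled entirely; takes effect at next boot"),
    "ConsentPromptBehaviorAdmin":  ("0", "5", "administrators elevate with no prompt"),
    "ConsentPromptBehaviorUser":   ("0", "3", "standard-user elevation requests silently denied"),
    "PromptOnSecureDesktop":       ("0", "1", "any prompt that still appears is on the normal desktop"),
    "EnableSecureUIAPaths":        ("0", "1", "UIAccess applications may run from non-secure paths"),
    "EnableVirtualization":        ("0", "1", "file/registry virtualization for legacy apps off"),
    "FilterAdministratorToken":    ("0", "0", "built-in Administrator keeps a full token (also the default)"),
    "ValidateAdminCodeSignatures": ("0", "0", "no signature check on elevating binaries (also the default)"),
    "DisableRegistryTools":        ("1", "0", "regedit blocked; hampers manual cleanup"),
}


def parse_rows(text):
    """Records (action, key_path, value_name, data, process); name/data are None for 'Key created'."""
    recs = []
    for m in SET_RE.finditer(text):
        vtype, path, data, proc = m.groups()
        key, _, name = path.rpartition("\\")
        recs.append((f"Set value ({vtype})", key, name, data, proc))
    for m in KEY_RE.finditer(text):
        path, proc = m.groups()
        recs.append(("Key created", path, None, None, proc))
    return recs


def uac_findings(recs):
    """Values the sample set to a UAC-weakening state: sorted [(name, data, process, effect)]."""
    found = set()
    for _, _, name, data, proc in recs:
        if name in UAC_WEAKENING and data == UAC_WEAKENING[name][0]:
            found.add((name, data, proc, UAC_WEAKENING[name][2]))
    return sorted(found)


def to_hive_path(regpath):
    """Map the kernel-style \\REGISTRY\\MACHINE prefix to the HKLM form reg.exe and PowerShell use."""
    prefixes = {"\\REGISTRY\\MACHINE\\": "HKLM\\", "\\REGISTRY\\USER\\": "HKU\\"}
    for native, hive in prefixes.items():
        if regpath.upper().startswith(native.upper()):
            return hive + regpath[len(native):]
    raise ValueError("unexpected registry path: " + regpath)


def reg_queries(recs):
    """Distinct reg.exe commands that re-check every value the sample touched."""
    cmds = set()
    for _, key, name, _, _ in recs:
        if name is not None:
            cmds.add(f'reg query "{to_hive_path(key)}" /v {name}')
    return sorted(cmds)


if __name__ == "__main__":
    recs = parse_rows(SAMPLE_ROWS)
    for name, data, proc, effect in uac_findings(recs):
        print(f"{proc}: {name} = {data}  ->  {effect}")
    print("\n".join(reg_queries(recs)))
```

Run the printed `reg query` lines on the host in question and compare each result against the default column of `UAC_WEAKENING`; a value that matches the sample's data column rather than the default is a cleanup item, and EnableLUA in particular needs a reboot after it is restored.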
Processes

Indented entries are children of the entry above them (the report's 1⤵/2⤵/3⤵ depth markers); the bullets under a process are the signatures it triggered. PIDs are reused within the run (6104 is first a bqyqvqrmlai.exe child of 4248 and later a conhost.exe child of 4120; 4672, 3008, 2008 and 3796 likewise appear twice), so match a process on PID plus image and parent, not on PID alone.

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4fe986f603c8689f0e3be5b60cc856e.exe  [PID 5664]
  cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4fe986f603c8689f0e3be5b60cc856e.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  [PID 6028]
      cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_b4fe986f603c8689f0e3be5b60cc856e.exe*"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - System policy modification
        C:\Users\Admin\AppData\Local\Temp\vjfkt.exe  [PID 1880]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\vjfkt.exe" "-C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Impair Defenses: Safe Mode Boot
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - System policy modification
        C:\Users\Admin\AppData\Local\Temp\vjfkt.exe  [PID 1840]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\vjfkt.exe" "-C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
C:\Windows\system32\cmd.exe  [PID 5428]
  cmdline: C:\Windows\system32\cmd.exe /c gjuomcexogmkbcqueicf.exe
  - Suspicious use of WriteProcessMemory
    C:\Windows\gjuomcexogmkbcqueicf.exe  [PID 928]
      cmdline: gjuomcexogmkbcqueicf.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe  [PID 4672]
  cmdline: C:\Windows\system32\cmd.exe /c gjuomcexogmkbcqueicf.exe .
  - Suspicious use of WriteProcessMemory
    C:\Windows\gjuomcexogmkbcqueicf.exe  [PID 4724]
      cmdline: gjuomcexogmkbcqueicf.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  [PID 4708]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\gjuomcexogmkbcqueicf.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe  [PID 4692]
  cmdline: C:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe
  - Suspicious use of WriteProcessMemory
    C:\Windows\tvfyvkldtkpmccpsbex.exe  [PID 3532]
      cmdline: tvfyvkldtkpmccpsbex.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe  [PID 1944]
  cmdline: C:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe .
  - Suspicious use of WriteProcessMemory
    C:\Windows\vzlgfwztlelkcetyjojnz.exe  [PID 4872]
      cmdline: vzlgfwztlelkcetyjojnz.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  [PID 4260]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\vzlgfwztlelkcetyjojnz.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe  [PID 3524]
  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe  [PID 708]
      cmdline: C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe  [PID 1744]
  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe .
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe  [PID 5116]
      cmdline: C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  [PID 5248]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\zzhytgfvjybwkitub.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe  [PID 2008]
  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe  [PID 5416]
      cmdline: C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe  [PID 2376]
  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe .
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe  [PID 4248]
      cmdline: C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  [PID 6104]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\tvfyvkldtkpmccpsbex.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe  [PID 6040]
  cmdline: C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe
  - Suspicious use of WriteProcessMemory
    C:\Windows\zzhytgfvjybwkitub.exe  [PID 3328]
      cmdline: zzhytgfvjybwkitub.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe  [PID 3008]
  cmdline: C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe .
  - Suspicious use of WriteProcessMemory
    C:\Windows\ijskguulaquqfeqsac.exe  [PID 6132]
      cmdline: ijskguulaquqfeqsac.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  [PID 364]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ijskguulaquqfeqsac.exe*."
          - Executes dropped EXE
C:\Windows\system32\cmd.exe  [PID 2664]
  cmdline: C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe
  - Suspicious use of WriteProcessMemory
    C:\Windows\sryoiushuikeroyy.exe  [PID 452]
      cmdline: sryoiushuikeroyy.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe  [PID 5504]
  cmdline: C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe
  - Suspicious use of WriteProcessMemory
    C:\Windows\sryoiushuikeroyy.exe  [PID 5668]
      cmdline: sryoiushuikeroyy.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe  [PID 2148]
  cmdline: C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe .
  - Suspicious use of WriteProcessMemory
    C:\Windows\ijskguulaquqfeqsac.exe  [PID 3056]
      cmdline: ijskguulaquqfeqsac.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  [PID 732]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ijskguulaquqfeqsac.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe  [PID 3068]
  cmdline: C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe .
  - Suspicious use of WriteProcessMemory
    C:\Windows\ijskguulaquqfeqsac.exe  [PID 5612]
      cmdline: ijskguulaquqfeqsac.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  [PID 5876]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ijskguulaquqfeqsac.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe  [PID 6052]
  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe
    C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe  [PID 6128]
      cmdline: C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe  [PID 4252]
  cmdline: C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe
    C:\Windows\zzhytgfvjybwkitub.exe  [PID 1512]
      cmdline: zzhytgfvjybwkitub.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe  [PID 5032]
  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .
    C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe  [PID 1200]
      cmdline: C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .
      - Checks computer location settings
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  [PID 3364]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ijskguulaquqfeqsac.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe  [PID 5924]
  cmdline: C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe .
    C:\Windows\ijskguulaquqfeqsac.exe  [PID 6096]
      cmdline: ijskguulaquqfeqsac.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  [PID 4468]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ijskguulaquqfeqsac.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe  [PID 3796]
  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe
    C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe  [PID 4832]
      cmdline: C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe  [PID 3032]
  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe .
    C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe  [PID 5688]
      cmdline: C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  [PID 5832]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\sryoiushuikeroyy.exe*."
          - Executes dropped EXE
C:\Windows\system32\cmd.exe  [PID 5980]
  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe
    C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe  [PID 4672]
      cmdline: C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe  [PID 2692]
  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe .
    C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe  [PID 4532]
      cmdline: C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  [PID 3860]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\zzhytgfvjybwkitub.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe  [PID 4704]
  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe
    C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe  [PID 5700]
      cmdline: C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe  [PID 4504]
  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe .
    C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe  [PID 2640]
      cmdline: C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  [PID 4856]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\gjuomcexogmkbcqueicf.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe  [PID 4764]
  cmdline: C:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe
    C:\Windows\tvfyvkldtkpmccpsbex.exe  [PID 3996]
      cmdline: tvfyvkldtkpmccpsbex.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe  [PID 4996]
  cmdline: C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe .
    C:\Windows\ijskguulaquqfeqsac.exe  [PID 748]
      cmdline: ijskguulaquqfeqsac.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  [PID 3312]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ijskguulaquqfeqsac.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe  [PID 5236]
  cmdline: C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe
    C:\Windows\sryoiushuikeroyy.exe  [PID 3712]
      cmdline: sryoiushuikeroyy.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe  [PID 2120]
  cmdline: C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe .
    C:\Windows\ijskguulaquqfeqsac.exe  [PID 5808]
      cmdline: ijskguulaquqfeqsac.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  [PID 3960]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ijskguulaquqfeqsac.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe  [PID 4120]
  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe
    C:\Windows\System32\Conhost.exe  [PID 6104]
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe  [PID 4772]
      cmdline: C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe  [PID 3880]
  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe .
    C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe  [PID 2172]
      cmdline: C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  [PID 2392]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\tvfyvkldtkpmccpsbex.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe  [PID 1276]
  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe
    C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe  [PID 5212]
      cmdline: C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe  [PID 3604]
  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe .
    C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe  [PID 2168]
      cmdline: C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe .
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  [PID 2956]
          cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\vzlgfwztlelkcetyjojnz.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gjuomcexogmkbcqueicf.exe1⤵PID:1336
-
C:\Windows\gjuomcexogmkbcqueicf.exegjuomcexogmkbcqueicf.exe2⤵
- Executes dropped EXE
PID:1436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe .1⤵PID:5680
-
C:\Windows\tvfyvkldtkpmccpsbex.exetvfyvkldtkpmccpsbex.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5932 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\tvfyvkldtkpmccpsbex.exe*."3⤵
- Executes dropped EXE
PID:5844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe1⤵PID:5792
-
C:\Windows\vzlgfwztlelkcetyjojnz.exevzlgfwztlelkcetyjojnz.exe2⤵
- Executes dropped EXE
PID:3008
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe1⤵PID:4908
-
C:\Windows\zzhytgfvjybwkitub.exezzhytgfvjybwkitub.exe2⤵
- Executes dropped EXE
PID:5624
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe .1⤵PID:2468
-
C:\Windows\ijskguulaquqfeqsac.exeijskguulaquqfeqsac.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4480 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ijskguulaquqfeqsac.exe*."3⤵
- Executes dropped EXE
PID:3928
-
-
-
C:\Windows\system32\cmd.exe  PID:3852  cmdline: C:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe .
  C:\Windows\tvfyvkldtkpmccpsbex.exe  PID:4360  cmdline: tvfyvkldtkpmccpsbex.exe .
    - Checks computer location settings
    - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:2924  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\tvfyvkldtkpmccpsbex.exe*."
      - Executes dropped EXE

C:\Windows\system32\cmd.exe  PID:4368  cmdline: C:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe
  C:\Windows\tvfyvkldtkpmccpsbex.exe  PID:5376  cmdline: tvfyvkldtkpmccpsbex.exe
    - Executes dropped EXE

C:\Windows\system32\cmd.exe  PID:3432  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe
  C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe  PID:4600  cmdline: C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe
    - Executes dropped EXE

C:\Windows\system32\cmd.exe  PID:2200  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe .
  C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe  PID:1440  cmdline: C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe .
    - Checks computer location settings
    - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:4508  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\tvfyvkldtkpmccpsbex.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  PID:1300  cmdline: C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe
  C:\Windows\ijskguulaquqfeqsac.exe  PID:2304  cmdline: ijskguulaquqfeqsac.exe

C:\Windows\system32\cmd.exe  PID:3672  cmdline: C:\Windows\system32\cmd.exe /c gjuomcexogmkbcqueicf.exe .
  C:\Windows\gjuomcexogmkbcqueicf.exe  PID:4948  cmdline: gjuomcexogmkbcqueicf.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:5576  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\gjuomcexogmkbcqueicf.exe*."

C:\Windows\system32\cmd.exe  PID:4720  cmdline: C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe .
  C:\Windows\sryoiushuikeroyy.exe  PID:760  cmdline: sryoiushuikeroyy.exe .
    - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:2008  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\sryoiushuikeroyy.exe*."

C:\Windows\system32\cmd.exe  PID:372  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe
  C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe  PID:3592  cmdline: C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe

C:\Windows\system32\cmd.exe  PID:2996  cmdline: C:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe
  C:\Windows\tvfyvkldtkpmccpsbex.exe  PID:2268  cmdline: tvfyvkldtkpmccpsbex.exe

C:\Windows\system32\cmd.exe  PID:2292  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe
  C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe  PID:4744  cmdline: C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe

C:\Windows\system32\cmd.exe  PID:2780  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe .
  C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe  PID:3636  cmdline: C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:4564  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\vzlgfwztlelkcetyjojnz.exe*."

C:\Windows\system32\cmd.exe  PID:3796  cmdline: C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe .
  C:\Windows\ijskguulaquqfeqsac.exe  PID:5548  cmdline: ijskguulaquqfeqsac.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:2104  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ijskguulaquqfeqsac.exe*."

C:\Windows\system32\cmd.exe  PID:4760  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe .
  C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe  PID:2184  cmdline: C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:5212  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\zzhytgfvjybwkitub.exe*."
C:\Windows\system32\cmd.exe  PID:5860  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe
  C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe  PID:3444  cmdline: C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe

C:\Windows\system32\cmd.exe  PID:1284  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe .
  C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe  PID:708  cmdline: C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:2392  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\tvfyvkldtkpmccpsbex.exe*."

C:\Windows\system32\cmd.exe  PID:4496  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe
  C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe  PID:5368  cmdline: C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe

C:\Windows\system32\cmd.exe  PID:4180  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe .
  C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe  PID:3960  cmdline: C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:5128  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\vzlgfwztlelkcetyjojnz.exe*."

C:\Windows\system32\cmd.exe  PID:4488  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe
  C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe  PID:3848  cmdline: C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe

C:\Windows\system32\cmd.exe  PID:5404  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe .
  C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe  PID:5136  cmdline: C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:5308  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\tvfyvkldtkpmccpsbex.exe*."

C:\Windows\system32\cmd.exe  PID:4900  cmdline: C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe
  C:\Windows\zzhytgfvjybwkitub.exe  PID:1728  cmdline: zzhytgfvjybwkitub.exe

C:\Windows\system32\cmd.exe  PID:712  cmdline: C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe .
  C:\Windows\sryoiushuikeroyy.exe  PID:5988  cmdline: sryoiushuikeroyy.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:448  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\sryoiushuikeroyy.exe*."

C:\Windows\system32\cmd.exe  PID:5900  cmdline: C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe
  C:\Windows\zzhytgfvjybwkitub.exe  PID:4984  cmdline: zzhytgfvjybwkitub.exe

C:\Windows\system32\cmd.exe  PID:5380  cmdline: C:\Windows\system32\cmd.exe /c gjuomcexogmkbcqueicf.exe .
  C:\Windows\gjuomcexogmkbcqueicf.exe  PID:4740  cmdline: gjuomcexogmkbcqueicf.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:5704  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\gjuomcexogmkbcqueicf.exe*."

C:\Windows\system32\cmd.exe  PID:1052  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe
  C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe  PID:5600  cmdline: C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe

C:\Windows\system32\cmd.exe  PID:5532  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .
  C:\Windows\System32\Conhost.exe  PID:6132  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe  PID:1924  cmdline: C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:5876  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ijskguulaquqfeqsac.exe*."

C:\Windows\system32\cmd.exe  PID:3968  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe
  C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe  PID:4448  cmdline: C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe

C:\Windows\system32\cmd.exe  PID:5096  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe .
  C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe  PID:6008  cmdline: C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:4892  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\vzlgfwztlelkcetyjojnz.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
C:\Windows\system32\cmd.exe  PID:996  cmdline: C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe
  C:\Windows\zzhytgfvjybwkitub.exe  PID:224  cmdline: zzhytgfvjybwkitub.exe

C:\Windows\system32\cmd.exe  PID:3752  cmdline: C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe .
  C:\Windows\System32\Conhost.exe  PID:6128  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\sryoiushuikeroyy.exe  PID:5084  cmdline: sryoiushuikeroyy.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:1916  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\sryoiushuikeroyy.exe*."

C:\Windows\system32\cmd.exe  PID:4156  cmdline: C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe
  C:\Windows\zzhytgfvjybwkitub.exe  PID:2700  cmdline: zzhytgfvjybwkitub.exe

C:\Windows\system32\cmd.exe  PID:4744  cmdline: C:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe .
  C:\Windows\vzlgfwztlelkcetyjojnz.exe  PID:680  cmdline: vzlgfwztlelkcetyjojnz.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:3744  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\vzlgfwztlelkcetyjojnz.exe*."

C:\Windows\system32\cmd.exe  PID:1944  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe
  C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe  PID:2008  cmdline: C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe

C:\Windows\system32\cmd.exe  PID:4640  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe .
  C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe  PID:4708  cmdline: C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:3876  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\vzlgfwztlelkcetyjojnz.exe*."

C:\Windows\system32\cmd.exe  PID:4324  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe
  C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe  PID:1044  cmdline: C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe

C:\Windows\system32\cmd.exe  PID:1576  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .
  C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe  PID:1196  cmdline: C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:5116  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ijskguulaquqfeqsac.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  PID:4916  cmdline: C:\Windows\system32\cmd.exe /c gjuomcexogmkbcqueicf.exe
  C:\Windows\gjuomcexogmkbcqueicf.exe  PID:4812  cmdline: gjuomcexogmkbcqueicf.exe

C:\Windows\system32\cmd.exe  PID:4596  cmdline: C:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe .
  C:\Windows\vzlgfwztlelkcetyjojnz.exe  PID:2376  cmdline: vzlgfwztlelkcetyjojnz.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:2748  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\vzlgfwztlelkcetyjojnz.exe*."

C:\Windows\system32\cmd.exe  PID:2104  cmdline: C:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe
  C:\Windows\tvfyvkldtkpmccpsbex.exe  PID:5592  cmdline: tvfyvkldtkpmccpsbex.exe

C:\Windows\system32\cmd.exe  PID:2904  cmdline: C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe .
  C:\Windows\zzhytgfvjybwkitub.exe  PID:3912  cmdline: zzhytgfvjybwkitub.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:3840  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*."

C:\Windows\system32\cmd.exe  PID:2808  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe
  C:\Windows\System32\Conhost.exe  PID:2184  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe  PID:3452  cmdline: C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe

C:\Windows\system32\cmd.exe  PID:2592  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .
  C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe  PID:3924  cmdline: C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:1404  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ijskguulaquqfeqsac.exe*."
C:\Windows\system32\cmd.exe  PID:5480  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe
  C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe  PID:3484  cmdline: C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe

C:\Windows\system32\cmd.exe  PID:4864  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe .
  C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe  PID:1768  cmdline: C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:5308  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\gjuomcexogmkbcqueicf.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  PID:2716  cmdline: C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe
  C:\Windows\ijskguulaquqfeqsac.exe  PID:1108  cmdline: ijskguulaquqfeqsac.exe

C:\Windows\system32\cmd.exe  PID:2044  cmdline: C:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe .
  C:\Windows\tvfyvkldtkpmccpsbex.exe  PID:5892  cmdline: tvfyvkldtkpmccpsbex.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:5604  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\tvfyvkldtkpmccpsbex.exe*."

C:\Windows\system32\cmd.exe  PID:1556  cmdline: C:\Windows\system32\cmd.exe /c gjuomcexogmkbcqueicf.exe
  C:\Windows\gjuomcexogmkbcqueicf.exe  PID:5900  cmdline: gjuomcexogmkbcqueicf.exe

C:\Windows\system32\cmd.exe  PID:3884  cmdline: C:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe .
  C:\Windows\vzlgfwztlelkcetyjojnz.exe  PID:3336  cmdline: vzlgfwztlelkcetyjojnz.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:5388  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\vzlgfwztlelkcetyjojnz.exe*."

C:\Windows\system32\cmd.exe  PID:3060  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe
  C:\Windows\System32\Conhost.exe  PID:5844  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe  PID:2124  cmdline: C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe

C:\Windows\system32\cmd.exe  PID:1336  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe .
  C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe  PID:2464  cmdline: C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:568  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\tvfyvkldtkpmccpsbex.exe*."

C:\Windows\system32\cmd.exe  PID:6072  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe
  C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe  PID:3652  cmdline: C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe

C:\Windows\system32\cmd.exe  PID:5536  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe .
  C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe  PID:3296  cmdline: C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:5320  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\vzlgfwztlelkcetyjojnz.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  PID:1544  cmdline: C:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe
  C:\Windows\vzlgfwztlelkcetyjojnz.exe  PID:2796  cmdline: vzlgfwztlelkcetyjojnz.exe

C:\Windows\system32\cmd.exe  PID:2956  cmdline: C:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe .
  C:\Windows\tvfyvkldtkpmccpsbex.exe  PID:4328  cmdline: tvfyvkldtkpmccpsbex.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:3340  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\tvfyvkldtkpmccpsbex.exe*."

C:\Windows\system32\cmd.exe  PID:5204  cmdline: C:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe
  C:\Windows\vzlgfwztlelkcetyjojnz.exe  PID:3592  cmdline: vzlgfwztlelkcetyjojnz.exe

C:\Windows\system32\cmd.exe  PID:1156  cmdline: C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe .
  C:\Windows\zzhytgfvjybwkitub.exe  PID:3028  cmdline: zzhytgfvjybwkitub.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:4948  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*."
C:\Windows\system32\cmd.exe  PID:4168  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe
  C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe  PID:4560  cmdline: C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe

C:\Windows\system32\cmd.exe  PID:5812  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe .
  C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe  PID:5284  cmdline: C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe .
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:1440  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\sryoiushuikeroyy.exe*."

C:\Windows\system32\cmd.exe  PID:4484  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe
  C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe  PID:1044  cmdline: C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe

C:\Windows\system32\cmd.exe  PID:1744  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe .
  C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe  PID:1984  cmdline: C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:760  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\vzlgfwztlelkcetyjojnz.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe  PID:1196  cmdline: C:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe
  C:\Windows\tvfyvkldtkpmccpsbex.exe  PID:4848  cmdline: tvfyvkldtkpmccpsbex.exe

C:\Windows\system32\cmd.exe  PID:5020  cmdline: C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe .
  C:\Windows\zzhytgfvjybwkitub.exe  PID:692  cmdline: zzhytgfvjybwkitub.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:4004  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*."

C:\Windows\system32\cmd.exe  PID:4088  cmdline: C:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe
  C:\Windows\vzlgfwztlelkcetyjojnz.exe  PID:5236  cmdline: vzlgfwztlelkcetyjojnz.exe

C:\Windows\system32\cmd.exe  PID:3836  cmdline: C:\Windows\system32\cmd.exe /c gjuomcexogmkbcqueicf.exe .
  C:\Windows\gjuomcexogmkbcqueicf.exe  PID:4312  cmdline: gjuomcexogmkbcqueicf.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:4416  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\gjuomcexogmkbcqueicf.exe*."

C:\Windows\system32\cmd.exe  PID:5864  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe
  C:\Windows\System32\Conhost.exe  PID:5808  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe  PID:740  cmdline: C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe

C:\Windows\system32\cmd.exe  PID:4532  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe .
  C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe  PID:5300  cmdline: C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:3924  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\tvfyvkldtkpmccpsbex.exe*."

C:\Windows\system32\cmd.exe  PID:5248  cmdline: C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe
  C:\Windows\System32\Conhost.exe  PID:4772  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\ijskguulaquqfeqsac.exe  PID:392  cmdline: ijskguulaquqfeqsac.exe

C:\Windows\system32\cmd.exe  PID:5164  cmdline: C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe .
  C:\Windows\ijskguulaquqfeqsac.exe  PID:424  cmdline: ijskguulaquqfeqsac.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:5916  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ijskguulaquqfeqsac.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
C:\Windows\system32\cmd.exe  PID:3796  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe
  C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe  PID:4684  cmdline: C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe

C:\Windows\system32\cmd.exe  PID:5372  cmdline: C:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe
  C:\Windows\tvfyvkldtkpmccpsbex.exe  PID:4984  cmdline: tvfyvkldtkpmccpsbex.exe

C:\Windows\system32\cmd.exe  PID:5480  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .
  C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe  PID:3604  cmdline: C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:4184  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ijskguulaquqfeqsac.exe*."

C:\Windows\system32\cmd.exe  PID:4172  cmdline: C:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe
  C:\Windows\vzlgfwztlelkcetyjojnz.exe  PID:1176  cmdline: vzlgfwztlelkcetyjojnz.exe

C:\Windows\system32\cmd.exe  PID:1308  cmdline: C:\Windows\system32\cmd.exe /c gjuomcexogmkbcqueicf.exe .
  C:\Windows\gjuomcexogmkbcqueicf.exe  PID:404  cmdline: gjuomcexogmkbcqueicf.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:3592  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\gjuomcexogmkbcqueicf.exe*."

C:\Windows\system32\cmd.exe  PID:1276  cmdline: C:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe .
  C:\Windows\vzlgfwztlelkcetyjojnz.exe  PID:3652  cmdline: vzlgfwztlelkcetyjojnz.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:5080  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\vzlgfwztlelkcetyjojnz.exe*."

C:\Windows\system32\cmd.exe  PID:3684  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe
  C:\Windows\System32\Conhost.exe  PID:3712  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe  PID:5368  cmdline: C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe

C:\Windows\system32\cmd.exe  PID:2508  cmdline: C:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe
  C:\Windows\tvfyvkldtkpmccpsbex.exe  PID:4340  cmdline: tvfyvkldtkpmccpsbex.exe

C:\Windows\system32\cmd.exe  PID:5668  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe .
  C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe  PID:5096  cmdline: C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:376  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\vzlgfwztlelkcetyjojnz.exe*."

C:\Windows\system32\cmd.exe  PID:5336  cmdline: C:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe .
  C:\Windows\vzlgfwztlelkcetyjojnz.exe  PID:3892  cmdline: vzlgfwztlelkcetyjojnz.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:3020  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\vzlgfwztlelkcetyjojnz.exe*."

C:\Windows\system32\cmd.exe  PID:3324  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe
  C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe  PID:5376  cmdline: C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe

C:\Windows\system32\cmd.exe  PID:2464  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe .
  C:\Windows\System32\Conhost.exe  PID:568  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe  PID:2088  cmdline: C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:1044  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\gjuomcexogmkbcqueicf.exe*."

C:\Windows\system32\cmd.exe  PID:5952  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe
  C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe  PID:5848  cmdline: C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe

C:\Windows\system32\cmd.exe  PID:5308  cmdline: C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe
  C:\Windows\sryoiushuikeroyy.exe  PID:772  cmdline: sryoiushuikeroyy.exe

C:\Windows\system32\cmd.exe  PID:4320  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe .
  C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe  PID:5156  cmdline: C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:5008  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\gjuomcexogmkbcqueicf.exe*."

C:\Windows\system32\cmd.exe  PID:5036  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe
  C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe  PID:5176  cmdline: C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe

C:\Windows\system32\cmd.exe  PID:3432  cmdline: C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe .
  C:\Windows\zzhytgfvjybwkitub.exe  PID:2032  cmdline: zzhytgfvjybwkitub.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe  PID:2172  cmdline: "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*."
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .1⤵PID:1500
-
C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .2⤵
- Checks computer location settings
PID:4424 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ijskguulaquqfeqsac.exe*."3⤵PID:4996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe1⤵PID:4168
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3028
-
-
C:\Windows\sryoiushuikeroyy.exesryoiushuikeroyy.exe2⤵PID:1100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe .1⤵PID:1360
-
C:\Windows\ijskguulaquqfeqsac.exeijskguulaquqfeqsac.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3672 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ijskguulaquqfeqsac.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:6092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe1⤵PID:6068
-
C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exeC:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe2⤵PID:4616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe .1⤵PID:384
-
C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exeC:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1396 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\sryoiushuikeroyy.exe*."3⤵PID:740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe1⤵PID:4536
-
C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exeC:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe2⤵PID:5592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe .1⤵PID:4564
-
C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exeC:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe .2⤵
- System Location Discovery: System Language Discovery
PID:6096 -
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\tvfyvkldtkpmccpsbex.exe*."3⤵PID:4416
-
-
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe | PID:3840
    C:\Windows\sryoiushuikeroyy.exe | sryoiushuikeroyy.exe | PID:5464

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gjuomcexogmkbcqueicf.exe . | PID:2824
    C:\Windows\gjuomcexogmkbcqueicf.exe | gjuomcexogmkbcqueicf.exe . | PID:4496
        - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\gjuomcexogmkbcqueicf.exe*." | PID:2332

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe | PID:3924
    C:\Windows\sryoiushuikeroyy.exe | sryoiushuikeroyy.exe | PID:2120

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe . | PID:2684
    C:\Windows\zzhytgfvjybwkitub.exe | zzhytgfvjybwkitub.exe . | PID:1516
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*." | PID:2352

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | PID:1132
    C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | PID:3648

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe . | PID:2676
    C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe . | PID:2168
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\tvfyvkldtkpmccpsbex.exe*." | PID:4632

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | PID:5556
    C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | PID:404

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe . | PID:872
    C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe | C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe . | PID:4740
        - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\sryoiushuikeroyy.exe*." | PID:5848
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe | PID:3080
    C:\Windows\zzhytgfvjybwkitub.exe | zzhytgfvjybwkitub.exe | PID:4928

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe . | PID:648
    C:\Windows\ijskguulaquqfeqsac.exe | ijskguulaquqfeqsac.exe . | PID:4056
        - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ijskguulaquqfeqsac.exe*." | PID:5460

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gjuomcexogmkbcqueicf.exe | PID:5104
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1108
    C:\Windows\gjuomcexogmkbcqueicf.exe | gjuomcexogmkbcqueicf.exe | PID:3148

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gjuomcexogmkbcqueicf.exe . | PID:1244
    C:\Windows\gjuomcexogmkbcqueicf.exe | gjuomcexogmkbcqueicf.exe . | PID:364
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\gjuomcexogmkbcqueicf.exe*." | PID:3104

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe | PID:1044
    C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe | C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe | PID:2924

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe . | PID:1600
    C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe . | PID:1688
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\vzlgfwztlelkcetyjojnz.exe*." | PID:5100

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | PID:6124
    C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | PID:4428

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe . | PID:2292
    C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe | C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe . | PID:2072
        - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\sryoiushuikeroyy.exe*." | PID:4920
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe | PID:3068
    C:\Windows\zzhytgfvjybwkitub.exe | zzhytgfvjybwkitub.exe | PID:4736

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe . | PID:2448
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2268
    C:\Windows\zzhytgfvjybwkitub.exe | zzhytgfvjybwkitub.exe . | PID:3944
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*." | PID:3928

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe | PID:2000
    C:\Windows\zzhytgfvjybwkitub.exe | zzhytgfvjybwkitub.exe | PID:4260

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe . | PID:2104
    C:\Windows\vzlgfwztlelkcetyjojnz.exe | vzlgfwztlelkcetyjojnz.exe . | PID:5504
        - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\vzlgfwztlelkcetyjojnz.exe*." | PID:4200

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | PID:4012
    C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | PID:3880

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe . | PID:4572
    C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe | C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe . | PID:2904
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\sryoiushuikeroyy.exe*." | PID:1940

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | PID:548
    C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | PID:5824

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe . | PID:3796
    C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe . | PID:4488
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\tvfyvkldtkpmccpsbex.exe*." | PID:5680
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe | PID:5216
    C:\Windows\vzlgfwztlelkcetyjojnz.exe | vzlgfwztlelkcetyjojnz.exe | PID:1176

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe . | PID:3032
    C:\Windows\sryoiushuikeroyy.exe | sryoiushuikeroyy.exe . | PID:2044
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\sryoiushuikeroyy.exe*." | PID:1200

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe | PID:2168
    C:\Windows\vzlgfwztlelkcetyjojnz.exe | vzlgfwztlelkcetyjojnz.exe | PID:4632

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe . | PID:4600
    C:\Windows\sryoiushuikeroyy.exe | sryoiushuikeroyy.exe . | PID:6092
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\sryoiushuikeroyy.exe*." | PID:3324

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe | PID:5376
    C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe | C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe | PID:5688

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe . | PID:4912
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4480
    C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe . | PID:4980
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\tvfyvkldtkpmccpsbex.exe*." | PID:3860

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | PID:3328
    C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | PID:4512

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe . | PID:4928
    C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe . | PID:3528
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\tvfyvkldtkpmccpsbex.exe*." | PID:944
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe | PID:452
    C:\Windows\vzlgfwztlelkcetyjojnz.exe | vzlgfwztlelkcetyjojnz.exe | PID:3876

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe . | PID:3420
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2924
    C:\Windows\tvfyvkldtkpmccpsbex.exe | tvfyvkldtkpmccpsbex.exe . | PID:5980
        - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\tvfyvkldtkpmccpsbex.exe*." | PID:2164

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe | PID:4888
    C:\Windows\zzhytgfvjybwkitub.exe | zzhytgfvjybwkitub.exe | PID:4492

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe . | PID:1096
    C:\Windows\sryoiushuikeroyy.exe | sryoiushuikeroyy.exe . | PID:5100
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\sryoiushuikeroyy.exe*." | PID:5564

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | PID:5880
    C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | PID:5092

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe . | PID:4068
    C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe . | PID:1420
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\zzhytgfvjybwkitub.exe*." | PID:4500

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | PID:6060
    C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | PID:6012

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe . | PID:5204
    C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe | C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe . | PID:1576
        - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\sryoiushuikeroyy.exe*." | PID:3364
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe | PID:2272
    C:\Windows\ijskguulaquqfeqsac.exe | ijskguulaquqfeqsac.exe | PID:4644

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gjuomcexogmkbcqueicf.exe . | PID:2856
    C:\Windows\gjuomcexogmkbcqueicf.exe | gjuomcexogmkbcqueicf.exe . | PID:5368
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\gjuomcexogmkbcqueicf.exe*." | PID:4720

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe | PID:4464
    C:\Windows\tvfyvkldtkpmccpsbex.exe | tvfyvkldtkpmccpsbex.exe | PID:3880

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe | PID:392
    C:\Windows\ijskguulaquqfeqsac.exe | ijskguulaquqfeqsac.exe | PID:5824

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe | PID:2208
    C:\Windows\tvfyvkldtkpmccpsbex.exe | tvfyvkldtkpmccpsbex.exe | PID:5832

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gjuomcexogmkbcqueicf.exe . | PID:5464
    C:\Windows\gjuomcexogmkbcqueicf.exe | gjuomcexogmkbcqueicf.exe . | PID:4952
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\gjuomcexogmkbcqueicf.exe*." | PID:2236

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gjuomcexogmkbcqueicf.exe . | PID:5244
    C:\Windows\gjuomcexogmkbcqueicf.exe | gjuomcexogmkbcqueicf.exe . | PID:1132
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\gjuomcexogmkbcqueicf.exe*." | PID:3588

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | PID:3236
    C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | PID:3772

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe . | PID:3712
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3840
    C:\Windows\tvfyvkldtkpmccpsbex.exe | tvfyvkldtkpmccpsbex.exe . | PID:904
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\tvfyvkldtkpmccpsbex.exe*." | PID:4824

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe | PID:2136
    C:\Windows\sryoiushuikeroyy.exe | sryoiushuikeroyy.exe | PID:3328

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe . | PID:5144
    C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe | C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe . | PID:2780
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\sryoiushuikeroyy.exe*." | PID:5988

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe . | PID:4304
    C:\Windows\ijskguulaquqfeqsac.exe | ijskguulaquqfeqsac.exe . | PID:5104
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ijskguulaquqfeqsac.exe*." | PID:5684

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gjuomcexogmkbcqueicf.exe | PID:3484
    C:\Windows\gjuomcexogmkbcqueicf.exe | gjuomcexogmkbcqueicf.exe | PID:5952

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | PID:1580
    C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | PID:3148

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe . | PID:4716
    C:\Windows\ijskguulaquqfeqsac.exe | ijskguulaquqfeqsac.exe . | PID:2812
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ijskguulaquqfeqsac.exe*." | PID:1300

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe . | PID:3024
    C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe . | PID:364
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\vzlgfwztlelkcetyjojnz.exe*." | PID:2700

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | PID:4380
    C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | PID:1688

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe | PID:4632
    C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe | C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe | PID:4668

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe . | PID:5080
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4508
    C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe . | PID:5148
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\zzhytgfvjybwkitub.exe*." | PID:5848

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe . | PID:3384
    C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe | C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe . | PID:4152
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ijskguulaquqfeqsac.exe*." | PID:3768

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe | PID:2692
    C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe | C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe | PID:1932

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe . | PID:4912
    C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe . | PID:2860
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\vzlgfwztlelkcetyjojnz.exe*." | PID:4428

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe | PID:1548
    C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe | C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe | PID:5612

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe . | PID:5852
    C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe . | PID:1044
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\gjuomcexogmkbcqueicf.exe*." | PID:1916

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe | PID:6136
    C:\Windows\vzlgfwztlelkcetyjojnz.exe | vzlgfwztlelkcetyjojnz.exe | PID:3996

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe . | PID:2292
    C:\Windows\zzhytgfvjybwkitub.exe | zzhytgfvjybwkitub.exe . | PID:2688
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*." | PID:5768

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe | PID:4472
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1196
    C:\Windows\sryoiushuikeroyy.exe | sryoiushuikeroyy.exe | PID:5236

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe . | PID:5640
    C:\Windows\sryoiushuikeroyy.exe | sryoiushuikeroyy.exe . | PID:4416
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\sryoiushuikeroyy.exe*." | PID:3684

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | PID:3948
    C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | PID:5508

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe . | PID:2392
    C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe | C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe . | PID:724
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\sryoiushuikeroyy.exe*." | PID:3312

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | PID:3568
    C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | PID:4200

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe . | PID:3460
    C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe . | PID:4360
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\vzlgfwztlelkcetyjojnz.exe*." | PID:4728

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe | PID:4952
    C:\Windows\ijskguulaquqfeqsac.exe | ijskguulaquqfeqsac.exe | PID:5556

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe . | PID:3588
    C:\Windows\zzhytgfvjybwkitub.exe | zzhytgfvjybwkitub.exe . | PID:404
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*." | PID:4772

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe | PID:4748
    C:\Windows\sryoiushuikeroyy.exe | sryoiushuikeroyy.exe | PID:2564

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe . | PID:2252
    C:\Windows\zzhytgfvjybwkitub.exe | zzhytgfvjybwkitub.exe . | PID:1204
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*." | PID:5248

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | PID:5660
    C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | PID:3060

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe . | PID:548
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5892
    C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe | C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe . | PID:4708
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ijskguulaquqfeqsac.exe*." | PID:5372

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | PID:2344
    C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | PID:5856

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe . | PID:2812
    C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe | C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe . | PID:1052
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ijskguulaquqfeqsac.exe*." | PID:4888

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe | PID:5844
    C:\Windows\tvfyvkldtkpmccpsbex.exe | tvfyvkldtkpmccpsbex.exe | PID:4588

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe . | PID:5748
    C:\Windows\zzhytgfvjybwkitub.exe | zzhytgfvjybwkitub.exe . | PID:3580
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*." | PID:1860

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe | PID:1420
    C:\Windows\sryoiushuikeroyy.exe | sryoiushuikeroyy.exe | PID:5428

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe . | PID:3452
    C:\Windows\sryoiushuikeroyy.exe | sryoiushuikeroyy.exe . | PID:732
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\sryoiushuikeroyy.exe*." | PID:4928

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe | PID:4308
    C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe | C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe | PID:5128

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe . | PID:3064
    C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe | C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe . | PID:4408
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ijskguulaquqfeqsac.exe*." | PID:1348

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | PID:5080
    C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | PID:4508

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe . | PID:5852
    C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe | C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe . | PID:6064
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ijskguulaquqfeqsac.exe*." | PID:1156

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe | PID:1800
    C:\Windows\ijskguulaquqfeqsac.exe | ijskguulaquqfeqsac.exe | PID:4008

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe . | PID:5320
    C:\Windows\zzhytgfvjybwkitub.exe | zzhytgfvjybwkitub.exe . | PID:1360
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*." | PID:4252

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe | PID:4472
    C:\Windows\ijskguulaquqfeqsac.exe | ijskguulaquqfeqsac.exe | PID:6032

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe . | PID:5508
    C:\Windows\zzhytgfvjybwkitub.exe | zzhytgfvjybwkitub.exe . | PID:6040
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*." | PID:1472

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | PID:4312
    C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | PID:4376

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe . | PID:708
    C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe . | PID:5088
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\tvfyvkldtkpmccpsbex.exe*." | PID:5920

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | PID:4996
    C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | PID:5888

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe . | PID:4776
    C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe . | PID:448
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\gjuomcexogmkbcqueicf.exe*." | PID:392

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe | PID:5740
    C:\Windows\sryoiushuikeroyy.exe | sryoiushuikeroyy.exe | PID:3364

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gjuomcexogmkbcqueicf.exe . | PID:2820
    C:\Windows\gjuomcexogmkbcqueicf.exe | gjuomcexogmkbcqueicf.exe . | PID:2224
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\gjuomcexogmkbcqueicf.exe*." | PID:4156

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe | PID:404
    C:\Windows\sryoiushuikeroyy.exe | sryoiushuikeroyy.exe | PID:1652

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gjuomcexogmkbcqueicf.exe . | PID:3860
    C:\Windows\gjuomcexogmkbcqueicf.exe | gjuomcexogmkbcqueicf.exe . | PID:1204
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\gjuomcexogmkbcqueicf.exe*." | PID:4404

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | PID:3836
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5600
    C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | PID:6108

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe . | PID:1736
    C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe | C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe . | PID:2332
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\sryoiushuikeroyy.exe*." | PID:4452

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | PID:1040
    C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | PID:1744

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe . | PID:4120
    C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe . | PID:4728
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\zzhytgfvjybwkitub.exe*." | PID:1052

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe | PID:4632
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2352
    C:\Windows\sryoiushuikeroyy.exe | sryoiushuikeroyy.exe | PID:4588

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe . | PID:1464
    C:\Windows\ijskguulaquqfeqsac.exe | ijskguulaquqfeqsac.exe . | PID:5092
        C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ijskguulaquqfeqsac.exe*." | PID:2072

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe | PID:5284
    C:\Windows\ijskguulaquqfeqsac.exe | ijskguulaquqfeqsac.exe | PID:1512

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe . | PID:1600
-
C:\Windows\tvfyvkldtkpmccpsbex.exetvfyvkldtkpmccpsbex.exe .2⤵PID:4340
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\tvfyvkldtkpmccpsbex.exe*."3⤵PID:4920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe1⤵PID:4184
-
C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exeC:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe2⤵PID:2744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .1⤵PID:2304
-
C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .2⤵PID:6008
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ijskguulaquqfeqsac.exe*."3⤵PID:1348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe1⤵PID:3608
-
C:\Windows\sryoiushuikeroyy.exesryoiushuikeroyy.exe2⤵PID:3448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe1⤵PID:2996
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5900
-
-
C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exeC:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe2⤵PID:5852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe .1⤵PID:2144
-
C:\Windows\zzhytgfvjybwkitub.exezzhytgfvjybwkitub.exe .2⤵PID:1712
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*."3⤵PID:1944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .1⤵PID:4292
-
C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .2⤵PID:4004
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ijskguulaquqfeqsac.exe*."3⤵PID:4472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe1⤵PID:772
-
C:\Windows\tvfyvkldtkpmccpsbex.exetvfyvkldtkpmccpsbex.exe2⤵PID:4252
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe1⤵PID:3080
-
C:\Windows\vzlgfwztlelkcetyjojnz.exevzlgfwztlelkcetyjojnz.exe2⤵PID:5508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe .1⤵PID:5724
-
C:\Windows\vzlgfwztlelkcetyjojnz.exevzlgfwztlelkcetyjojnz.exe .2⤵PID:4784
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\vzlgfwztlelkcetyjojnz.exe*."3⤵PID:3772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe .1⤵PID:5320
-
C:\Windows\zzhytgfvjybwkitub.exezzhytgfvjybwkitub.exe .2⤵PID:4996
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*."3⤵PID:4768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe1⤵PID:2708
-
C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exeC:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe2⤵PID:4196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe .1⤵PID:5868
-
C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exeC:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe .2⤵PID:4536
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\gjuomcexogmkbcqueicf.exe*."3⤵PID:4708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe1⤵PID:2856
-
C:\Windows\sryoiushuikeroyy.exesryoiushuikeroyy.exe2⤵PID:4792
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe .1⤵PID:1124
-
C:\Windows\vzlgfwztlelkcetyjojnz.exevzlgfwztlelkcetyjojnz.exe .2⤵PID:5248
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\vzlgfwztlelkcetyjojnz.exe*."3⤵PID:5708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe1⤵PID:5816
-
C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exeC:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe2⤵PID:3612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe1⤵PID:6124
-
C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exeC:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe2⤵PID:4496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe .1⤵PID:3332
-
C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exeC:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe .2⤵PID:4160
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\gjuomcexogmkbcqueicf.exe*."3⤵PID:964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe1⤵PID:5504
-
C:\Windows\vzlgfwztlelkcetyjojnz.exevzlgfwztlelkcetyjojnz.exe2⤵PID:4492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe .1⤵PID:4180
-
C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exeC:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe .2⤵PID:3012
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\tvfyvkldtkpmccpsbex.exe*."3⤵PID:2796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe .1⤵PID:1276
-
C:\Windows\zzhytgfvjybwkitub.exezzhytgfvjybwkitub.exe .2⤵PID:2240
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*."3⤵PID:4936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe1⤵PID:5500
-
C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe2⤵PID:4740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .1⤵PID:3836
-
C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .2⤵PID:4588
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ijskguulaquqfeqsac.exe*."3⤵PID:5576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe1⤵PID:2912
-
C:\Windows\tvfyvkldtkpmccpsbex.exetvfyvkldtkpmccpsbex.exe2⤵PID:5100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe .1⤵PID:912
-
C:\Windows\sryoiushuikeroyy.exesryoiushuikeroyy.exe .2⤵PID:2132
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\sryoiushuikeroyy.exe*."3⤵PID:5812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe1⤵PID:5308
-
C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exeC:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe2⤵PID:1684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe .1⤵PID:4640
-
C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exeC:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe .2⤵PID:4304
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\gjuomcexogmkbcqueicf.exe*."3⤵PID:3452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe1⤵PID:4068
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4892
-
-
C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exeC:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe2⤵PID:3768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe .1⤵PID:1464
-
C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exeC:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe .2⤵PID:2664
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\sryoiushuikeroyy.exe*."3⤵PID:4696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe1⤵PID:5512
-
C:\Windows\tvfyvkldtkpmccpsbex.exetvfyvkldtkpmccpsbex.exe2⤵PID:680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe .1⤵PID:6064
-
C:\Windows\tvfyvkldtkpmccpsbex.exetvfyvkldtkpmccpsbex.exe .2⤵PID:3996
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\tvfyvkldtkpmccpsbex.exe*."3⤵PID:4644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe1⤵PID:5204
-
C:\Windows\zzhytgfvjybwkitub.exezzhytgfvjybwkitub.exe2⤵PID:4672
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe .1⤵PID:5344
-
C:\Windows\ijskguulaquqfeqsac.exeijskguulaquqfeqsac.exe .2⤵PID:4008
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ijskguulaquqfeqsac.exe*."3⤵PID:3296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe1⤵PID:4876
-
C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe2⤵PID:4292
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .1⤵PID:3948
-
C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .2⤵PID:6132
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ijskguulaquqfeqsac.exe*."3⤵PID:3648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe1⤵PID:3068
-
C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe2⤵PID:2904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .1⤵PID:1360
-
C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .2⤵PID:4192
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ijskguulaquqfeqsac.exe*."3⤵PID:4744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe1⤵PID:3772
-
C:\Windows\zzhytgfvjybwkitub.exezzhytgfvjybwkitub.exe2⤵PID:4404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe .1⤵PID:4492
-
C:\Windows\zzhytgfvjybwkitub.exezzhytgfvjybwkitub.exe .2⤵PID:1532
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*."3⤵PID:2384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe1⤵PID:2124
-
C:\Windows\sryoiushuikeroyy.exesryoiushuikeroyy.exe2⤵PID:5824
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe .1⤵PID:1812
-
C:\Windows\sryoiushuikeroyy.exesryoiushuikeroyy.exe .2⤵PID:2808
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\sryoiushuikeroyy.exe*."3⤵PID:5032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe1⤵PID:4516
-
C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exeC:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe2⤵PID:4648
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe .1⤵PID:2812
-
C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exeC:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe .2⤵PID:928
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\sryoiushuikeroyy.exe*."3⤵PID:2640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe1⤵PID:5488
-
C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exeC:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe2⤵PID:5164
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .1⤵PID:4544
-
C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .2⤵PID:3884
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ijskguulaquqfeqsac.exe*."3⤵PID:5088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe1⤵PID:372
-
C:\Windows\zzhytgfvjybwkitub.exezzhytgfvjybwkitub.exe2⤵PID:532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe .1⤵PID:3148
-
C:\Windows\zzhytgfvjybwkitub.exezzhytgfvjybwkitub.exe .2⤵PID:5160
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*."3⤵PID:1560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe1⤵PID:2824
-
C:\Windows\sryoiushuikeroyy.exesryoiushuikeroyy.exe2⤵PID:4156
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe .1⤵PID:2112
-
C:\Windows\vzlgfwztlelkcetyjojnz.exevzlgfwztlelkcetyjojnz.exe .2⤵PID:5292
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\vzlgfwztlelkcetyjojnz.exe*."3⤵PID:6108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe1⤵PID:1436
-
C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exeC:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe2⤵PID:2692
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe .1⤵PID:3652
-
C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exeC:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe .2⤵PID:1536
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\vzlgfwztlelkcetyjojnz.exe*."3⤵PID:5720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe1⤵PID:6140
-
C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exeC:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe2⤵PID:6128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe .1⤵PID:5256
-
C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exeC:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe .2⤵PID:4512
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\gjuomcexogmkbcqueicf.exe*."3⤵PID:3152
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe1⤵PID:4000
-
C:\Windows\ijskguulaquqfeqsac.exeijskguulaquqfeqsac.exe2⤵PID:4692
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe .1⤵PID:6136
-
C:\Windows\sryoiushuikeroyy.exesryoiushuikeroyy.exe .2⤵PID:4276
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\sryoiushuikeroyy.exe*."3⤵PID:3240
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe1⤵PID:5212
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5080
-
-
C:\Windows\vzlgfwztlelkcetyjojnz.exevzlgfwztlelkcetyjojnz.exe2⤵PID:5904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe .1⤵PID:1712
-
C:\Windows\zzhytgfvjybwkitub.exezzhytgfvjybwkitub.exe .2⤵PID:4056
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*."3⤵PID:3948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe1⤵PID:1308
-
C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exeC:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe2⤵PID:1844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe .1⤵PID:4688
-
C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exeC:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe .2⤵PID:2716
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\zzhytgfvjybwkitub.exe*."3⤵PID:2852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe1⤵PID:3648
-
C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exeC:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe2⤵PID:1800
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe .1⤵PID:3588
-
C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exeC:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe .2⤵PID:2708
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\sryoiushuikeroyy.exe*."3⤵PID:4560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe1⤵PID:4376
-
C:\Windows\vzlgfwztlelkcetyjojnz.exevzlgfwztlelkcetyjojnz.exe2⤵PID:828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe .1⤵PID:3612
-
C:\Windows\vzlgfwztlelkcetyjojnz.exevzlgfwztlelkcetyjojnz.exe .2⤵PID:3772
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\vzlgfwztlelkcetyjojnz.exe*."3⤵PID:4492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe1⤵PID:1760
-
C:\Windows\zzhytgfvjybwkitub.exezzhytgfvjybwkitub.exe2⤵PID:5836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe .1⤵PID:724
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3672
-
-
C:\Windows\tvfyvkldtkpmccpsbex.exetvfyvkldtkpmccpsbex.exe .2⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\tvfyvkldtkpmccpsbex.exe*."3⤵PID:4200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe1⤵PID:5388
-
C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exeC:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe2⤵PID:5032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe .1⤵PID:3604
-
C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exeC:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe .2⤵PID:2228
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\tvfyvkldtkpmccpsbex.exe*."3⤵PID:928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe1⤵PID:5272
-
C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exeC:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe2⤵PID:4120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe .1⤵PID:224
-
C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exeC:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe .2⤵PID:2136
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\zzhytgfvjybwkitub.exe*."3⤵PID:4764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe1⤵PID:392
-
C:\Windows\sryoiushuikeroyy.exesryoiushuikeroyy.exe2⤵PID:532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe1⤵PID:2148
-
C:\Windows\sryoiushuikeroyy.exesryoiushuikeroyy.exe2⤵PID:4612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe .1⤵PID:372
-
C:\Windows\ijskguulaquqfeqsac.exeijskguulaquqfeqsac.exe .2⤵PID:5728
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ijskguulaquqfeqsac.exe*."3⤵PID:2924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe .1⤵PID:2088
-
C:\Windows\vzlgfwztlelkcetyjojnz.exevzlgfwztlelkcetyjojnz.exe .2⤵PID:5704
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\vzlgfwztlelkcetyjojnz.exe*."3⤵PID:4588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe1⤵PID:2184
-
C:\Windows\sryoiushuikeroyy.exesryoiushuikeroyy.exe2⤵PID:544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe1⤵PID:4320
-
C:\Windows\zzhytgfvjybwkitub.exezzhytgfvjybwkitub.exe2⤵PID:1348
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe1⤵PID:5532
-
C:\Windows\zzhytgfvjybwkitub.exezzhytgfvjybwkitub.exe2⤵PID:4716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe .1⤵PID:5668
-
C:\Windows\tvfyvkldtkpmccpsbex.exetvfyvkldtkpmccpsbex.exe .2⤵PID:4328
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\tvfyvkldtkpmccpsbex.exe*."3⤵PID:4888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe .1⤵PID:3168
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2168
-
-
C:\Windows\tvfyvkldtkpmccpsbex.exetvfyvkldtkpmccpsbex.exe .2⤵PID:4292
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\tvfyvkldtkpmccpsbex.exe*."3⤵PID:5888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe1⤵PID:4852
-
C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exeC:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe2⤵PID:740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe1⤵PID:3712
-
C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exeC:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe2⤵PID:5908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe .1⤵PID:4452
-
C:\Windows\zzhytgfvjybwkitub.exezzhytgfvjybwkitub.exe .2⤵PID:4240
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*."3⤵PID:3000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe .1⤵PID:4640
-
C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exeC:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe .2⤵PID:3912
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\vzlgfwztlelkcetyjojnz.exe*."3⤵PID:2128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe .1⤵PID:4752
-
C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exeC:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe .2⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\vzlgfwztlelkcetyjojnz.exe*."3⤵PID:2856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe1⤵PID:6008
-
C:\Windows\vzlgfwztlelkcetyjojnz.exevzlgfwztlelkcetyjojnz.exe2⤵PID:384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe .1⤵PID:4980
-
C:\Windows\zzhytgfvjybwkitub.exezzhytgfvjybwkitub.exe .2⤵PID:2792
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*."3⤵PID:1728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe1⤵PID:6068
-
C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exeC:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe2⤵PID:1800
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe1⤵PID:5168
-
C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exeC:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe2⤵PID:5400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe1⤵PID:648
-
C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exeC:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe2⤵PID:4192
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe .1⤵PID:5700
-
C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exeC:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe .2⤵PID:4596
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\tvfyvkldtkpmccpsbex.exe*."3⤵PID:2228
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .1⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exeC:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe .2⤵PID:3568
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ijskguulaquqfeqsac.exe*."3⤵PID:2512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe .1⤵PID:6064
-
C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exeC:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe .2⤵PID:4492
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\zzhytgfvjybwkitub.exe*."3⤵PID:4468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe1⤵PID:2596
-
C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exeC:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe2⤵PID:1736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe .1⤵PID:5276
-
C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exeC:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe .2⤵PID:5604
-
C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\gjuomcexogmkbcqueicf.exe*."3⤵PID:2344
-
-
-
Process tree, continued (one process per line: image path | command line | PID; indentation marks the parent/child level):

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gjuomcexogmkbcqueicf.exe | PID 1688
  C:\Windows\gjuomcexogmkbcqueicf.exe | gjuomcexogmkbcqueicf.exe | PID 5832
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe . | PID 5980
  C:\Windows\zzhytgfvjybwkitub.exe | zzhytgfvjybwkitub.exe . | PID 5036
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*." | PID 5640
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gjuomcexogmkbcqueicf.exe | PID 1580
  C:\Windows\gjuomcexogmkbcqueicf.exe | gjuomcexogmkbcqueicf.exe | PID 2216
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe . | PID 5272
  C:\Windows\ijskguulaquqfeqsac.exe | ijskguulaquqfeqsac.exe . | PID 4632
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ijskguulaquqfeqsac.exe*." | PID 968
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe | PID 2812
  C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe | C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe | PID 4040
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe . | PID 1556
  C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe . | PID 4952
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\gjuomcexogmkbcqueicf.exe*." | PID 2148
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | PID 4564
  C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | PID 5084
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe . | PID 4756
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5308
  C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe | C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe . | PID 1512
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\sryoiushuikeroyy.exe*." | PID 5536
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe | PID 2700
  C:\Windows\tvfyvkldtkpmccpsbex.exe | tvfyvkldtkpmccpsbex.exe | PID 4976
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe . | PID 3428
  C:\Windows\ijskguulaquqfeqsac.exe | ijskguulaquqfeqsac.exe . | PID 5412
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ijskguulaquqfeqsac.exe*." | PID 1436
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gjuomcexogmkbcqueicf.exe | PID 1748
  C:\Windows\gjuomcexogmkbcqueicf.exe | gjuomcexogmkbcqueicf.exe | PID 4092
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe . | PID 5532
  C:\Windows\ijskguulaquqfeqsac.exe | ijskguulaquqfeqsac.exe . | PID 804
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ijskguulaquqfeqsac.exe*." | PID 384
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | PID 5744
  C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | PID 4676
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe . | PID 4800
  C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe . | PID 5096
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\tvfyvkldtkpmccpsbex.exe*." | PID 3344
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | PID 1100
  C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | PID 1420
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe . | PID 4408
  C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe | C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe . | PID 5508
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ijskguulaquqfeqsac.exe*." | PID 4240
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe | PID 5252
  C:\Windows\vzlgfwztlelkcetyjojnz.exe | vzlgfwztlelkcetyjojnz.exe | PID 3436
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe . | PID 6008
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 772
  C:\Windows\tvfyvkldtkpmccpsbex.exe | tvfyvkldtkpmccpsbex.exe . | PID 5660
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\tvfyvkldtkpmccpsbex.exe*." | PID 1532
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe | PID 3484
  C:\Windows\zzhytgfvjybwkitub.exe | zzhytgfvjybwkitub.exe | PID 424
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe . | PID 4672
  C:\Windows\zzhytgfvjybwkitub.exe | zzhytgfvjybwkitub.exe . | PID 2860
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*." | PID 1736
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | PID 3592
  C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | PID 904
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe . | PID 3528
  C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe . | PID 4084
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\tvfyvkldtkpmccpsbex.exe*." | PID 2392
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | PID 6040
  C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | PID 2124
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe . | PID 5368
  C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe . | PID 5512
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\gjuomcexogmkbcqueicf.exe*." | PID 2448
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe | PID 4684
  C:\Windows\zzhytgfvjybwkitub.exe | zzhytgfvjybwkitub.exe | PID 4644
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe . | PID 4488
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2172
  C:\Windows\ijskguulaquqfeqsac.exe | ijskguulaquqfeqsac.exe . | PID 3704
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ijskguulaquqfeqsac.exe*." | PID 4120
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe | PID 3152
  C:\Windows\sryoiushuikeroyy.exe | sryoiushuikeroyy.exe | PID 5404
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe . | PID 3600
  C:\Windows\ijskguulaquqfeqsac.exe | ijskguulaquqfeqsac.exe . | PID 5824
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ijskguulaquqfeqsac.exe*." | PID 5932
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | PID 4648
  C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | PID 4352
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe . | PID 4960
  C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe . | PID 3604
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\vzlgfwztlelkcetyjojnz.exe*." | PID 2240
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | PID 3376
  C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | PID 2316
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe . | PID 968
  C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe | C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe . | PID 4500
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\sryoiushuikeroyy.exe*." | PID 5500
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe | PID 2924
  C:\Windows\zzhytgfvjybwkitub.exe | zzhytgfvjybwkitub.exe | PID 4748
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe . | PID 568
  C:\Windows\ijskguulaquqfeqsac.exe | ijskguulaquqfeqsac.exe . | PID 6060
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\ijskguulaquqfeqsac.exe*." | PID 5564
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe | PID 4756
  C:\Windows\vzlgfwztlelkcetyjojnz.exe | vzlgfwztlelkcetyjojnz.exe | PID 6072
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe . | PID 4932
  C:\Windows\tvfyvkldtkpmccpsbex.exe | tvfyvkldtkpmccpsbex.exe . | PID 4092
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\tvfyvkldtkpmccpsbex.exe*." | PID 2184
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | PID 3608
  C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | PID 4056
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe . | PID 5908
  C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe . | PID 4760
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\vzlgfwztlelkcetyjojnz.exe*." | PID 3240
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | PID 2144
  C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | PID 3444
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe . | PID 716
  C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe | C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe . | PID 2272
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\sryoiushuikeroyy.exe*." | PID 4060
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe | PID 1156
  C:\Windows\sryoiushuikeroyy.exe | sryoiushuikeroyy.exe | PID 6140
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe . | PID 1472
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5680
  C:\Windows\tvfyvkldtkpmccpsbex.exe | tvfyvkldtkpmccpsbex.exe . | PID 5492
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\tvfyvkldtkpmccpsbex.exe*." | PID 4540
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tvfyvkldtkpmccpsbex.exe | PID 1096
  C:\Windows\tvfyvkldtkpmccpsbex.exe | tvfyvkldtkpmccpsbex.exe | PID 3836
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe . | PID 3236
  C:\Windows\sryoiushuikeroyy.exe | sryoiushuikeroyy.exe . | PID 1928
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\sryoiushuikeroyy.exe*." | PID 4984
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe | PID 3448
  C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe | C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe | PID 1532
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe . | PID 6068
  C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe . | PID 2208
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\gjuomcexogmkbcqueicf.exe*." | PID 4220
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c gjuomcexogmkbcqueicf.exe | PID 3364
  C:\Windows\gjuomcexogmkbcqueicf.exe | gjuomcexogmkbcqueicf.exe | PID 3956
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe . | PID 5256
  C:\Windows\vzlgfwztlelkcetyjojnz.exe | vzlgfwztlelkcetyjojnz.exe . | PID 3528
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\vzlgfwztlelkcetyjojnz.exe*." | PID 2852
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | PID 5168
  C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | PID 4680
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe . | PID 1940
  C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe | C:\Users\Admin\AppData\Local\Temp\zzhytgfvjybwkitub.exe . | PID 4468
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\zzhytgfvjybwkitub.exe*." | PID 4720
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ijskguulaquqfeqsac.exe | PID 3508
  C:\Windows\ijskguulaquqfeqsac.exe | ijskguulaquqfeqsac.exe | PID 5604
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe . | PID 5300
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4004
  C:\Windows\zzhytgfvjybwkitub.exe | zzhytgfvjybwkitub.exe . | PID 4596
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*." | PID 224
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe | PID 3068
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe | PID 4276
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe . | PID 4260
  C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe . | PID 2268
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\tvfyvkldtkpmccpsbex.exe*." | PID 2400
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe . | PID 5868
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe | PID 5980
  C:\Windows\sryoiushuikeroyy.exe | sryoiushuikeroyy.exe | PID 444
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | PID 4668
  C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | PID 4928
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe . | PID 5932
  C:\Windows\sryoiushuikeroyy.exe | sryoiushuikeroyy.exe . | PID 5464
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\sryoiushuikeroyy.exe*." | PID 3360
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe | PID 5640
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe . | PID 5708
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 392
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | PID 5388
  C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | C:\Users\Admin\AppData\Local\Temp\vzlgfwztlelkcetyjojnz.exe | PID 5128
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe . | PID 4312
  C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe | C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe . | PID 3744
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\ijskguulaquqfeqsac.exe*." | PID 6072
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe . | PID 2448
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vzlgfwztlelkcetyjojnz.exe | PID 5228
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5008
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c sryoiushuikeroyy.exe . | PID 5556
  C:\Windows\sryoiushuikeroyy.exe | sryoiushuikeroyy.exe . | PID 4816
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\sryoiushuikeroyy.exe*." | PID 5292
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | PID 2664
  C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | PID 1832
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe | PID 5160
  C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe | C:\Users\Admin\AppData\Local\Temp\ijskguulaquqfeqsac.exe | PID 1912
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe . | PID 4756
  C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe | C:\Users\Admin\AppData\Local\Temp\tvfyvkldtkpmccpsbex.exe . | PID 4764
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\tvfyvkldtkpmccpsbex.exe*." | PID 3296
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe . | PID 3608
  C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe . | PID 2824
    C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe | "C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\gjuomcexogmkbcqueicf.exe*." | PID 6012
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | PID 3056
  C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe | PID 5848
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe . | PID 3304
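The same launch pattern repeats through the tree above: cmd.exe /c starts a long random-named executable either directly from C:\Windows or from the user's Temp folder, and that process runs the Temp-resident bqyqvqrmlai.exe with a "<dropped file>*." argument. The script below is an added triage example, not part of the sandbox report: it rebuilds parent/child links from the depth column, flags both steps of the pattern, and lists names that ran from more than one drop directory. The record list is constructed from a few entries above plus one benign control chain; the ten-letter name threshold, the drop-directory list and the rule names are this example's own assumptions.

```python
# Added triage example for the process tree above; heuristics are assumptions.
import re
from collections import defaultdict

# Constructed from entries of the tree above: (depth, image path, command line, PID).
SAMPLE_EVENTS = [
    (1, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c zzhytgfvjybwkitub.exe .", 5980),
    (2, r"C:\Windows\zzhytgfvjybwkitub.exe", "zzhytgfvjybwkitub.exe .", 5036),
    (3, r"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\windows\zzhytgfvjybwkitub.exe*."', 5640),
    (1, r"C:\Windows\system32\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe .", 1556),
    (2, r"C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe",
     r"C:\Users\Admin\AppData\Local\Temp\gjuomcexogmkbcqueicf.exe .", 4952),
    (3, r"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\gjuomcexogmkbcqueicf.exe*."', 2148),
    (1, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c gjuomcexogmkbcqueicf.exe", 1748),
    (2, r"C:\Windows\gjuomcexogmkbcqueicf.exe", "gjuomcexogmkbcqueicf.exe", 4092),
    (1, r"C:\Windows\system32\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe .", 4756),
    (2, r"C:\Windows\System32\Conhost.exe", r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", 5308),
    (2, r"C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe",
     r"C:\Users\Admin\AppData\Local\Temp\sryoiushuikeroyy.exe .", 1512),
    (3, r"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\bqyqvqrmlai.exe" "c:\users\admin\appdata\local\temp\sryoiushuikeroyy.exe*."', 5536),
    # Constructed benign control chain, not from the report.
    (1, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c ipconfig /all", 1000),
    (2, r"C:\Windows\system32\ipconfig.exe", "ipconfig /all", 1001),
]

RANDOM_NAME = re.compile(r"^[a-z]{10,}\.exe$")  # assumption: 10+ lowercase letters, no digits
WILDCARD_ARG = re.compile(r'"[^"]*\.exe\*\."')  # an argument of the form "<path>.exe*."


class Proc:
    def __init__(self, depth, image, cmdline, pid):
        self.depth, self.image, self.cmdline, self.pid = depth, image, cmdline, pid
        self.parent, self.children = None, []


def build_tree(events):
    """A depth-n row is a child of the most recent row at depth n-1 (the report's indentation)."""
    roots, stack = [], []
    for depth, image, cmdline, pid in events:
        node = Proc(depth, image, cmdline, pid)
        while stack and stack[-1].depth >= depth:
            stack.pop()
        node.parent = stack[-1] if stack else None
        (stack[-1].children if stack else roots).append(node)
        stack.append(node)
    return roots


def split_path(path):
    """(lowercase parent directory, lowercase file name)."""
    d, _, name = path.lower().rpartition("\\")
    return d, name


def in_drop_dir(d):
    """Directly under C:\\Windows, or below the user's Temp folder."""
    return d == "c:\\windows" or d.endswith("\\appdata\\local\\temp")


def flag(node, findings):
    """Depth-first walk appending (rule, pid, name, detail) tuples in tree order."""
    d, name = split_path(node.image)
    if RANDOM_NAME.match(name) and in_drop_dir(d):
        p = node.parent
        via_cmd = p is not None and split_path(p.image)[1] == "cmd.exe" and " /c " in p.cmdline.lower()
        findings.append(("dropped-binary-exec", node.pid, name, "via cmd.exe /c" if via_cmd else "direct"))
    m = WILDCARD_ARG.search(node.cmdline)
    if m:  # helper told to act on "<dropped file>*.": the replication step of the chain
        findings.append(("wildcard-path-arg", node.pid, name, m.group(0)))
    for child in node.children:
        flag(child, findings)


def summarize(events):
    """Return (findings, {suspicious name: set of directories it executed from})."""
    findings = []
    for root in build_tree(events):
        flag(root, findings)
    locations = defaultdict(set)
    for _, image, _, _ in events:
        d, name = split_path(image)
        if in_drop_dir(d) and RANDOM_NAME.match(name):
            locations[name].add(d)
    return findings, dict(locations)


def names_in_multiple_dirs(events):
    """Names that ran from more than one drop directory: the same file copied to both places."""
    return sorted(n for n, dirs in summarize(events)[1].items() if len(dirs) > 1)


if __name__ == "__main__":
    found, _ = summarize(SAMPLE_EVENTS)
    for f in found:
        print(*f)
    print("copied to several directories:", names_in_multiple_dirs(SAMPLE_EVENTS))
```

The conhost.exe rows and the ipconfig control chain produce no findings, which is the point of keeping them in the input: the rule keys on the combination of an unusual directory, an unusual name and the wildcard argument, not on cmd.exe /c alone. To run it over the full report, replace SAMPLE_EVENTS with all rows of the tree in the same (depth, image, command line, PID) shape.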
Network
MITRE ATT&CK Enterprise v16

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
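The mapping above lists Winlogon Helper DLL and Registry Run Keys / Startup Folder under Persistence. The following is an added example, not part of the sandbox report: a check of those autostart locations on a host against assumed clean defaults. Winlogon's Shell and Userinit values are comma-separated lists, so the check reports every entry that is not the expected one instead of comparing whole strings; Run values are flagged when the executable sits directly in C:\Windows or under the user's Temp folder, the two drop directories seen in the process tree. The snapshot, the expected-default table and the two hypothetical_* entries are constructed for this example; on a Windows host read_live_snapshot() fills the same structure through winreg, and elsewhere it returns an empty dict so the constructed snapshot is used.

```python
# Added example: autostart checks for the persistence techniques mapped above.
# Expected defaults, path heuristic and snapshot are this example's assumptions.
import re

WINLOGON_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon",
)
RUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Assumed clean Windows 10 defaults. Both values are comma-separated lists, so an
# implant is usually appended to the list rather than replacing it outright.
EXPECTED = {
    "Shell": {"explorer.exe"},
    "Userinit": {r"c:\windows\system32\userinit.exe"},
}
# Executable directly under C:\Windows, or anywhere below the user's Temp folder.
SUSPECT_PATH = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$|\\appdata\\local\\temp\\", re.I)

# Constructed snapshot {key: {value name: data}}; the hypothetical_* entries are
# invented for the example and are not indicators from the report.
SNAPSHOT = {
    WINLOGON_KEYS[0]: {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"},
    WINLOGON_KEYS[1]: {"Shell": r"Explorer.exe,C:\Users\Admin\AppData\Local\Temp\hypothetical_helper.exe"},
    RUN_KEYS[0]: {
        "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
        "hypothetical_entry": r'"C:\Windows\hypothetical_dropped.exe" .',
    },
    RUN_KEYS[2]: {"OneDrive": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
}


def split_list(data):
    """Winlogon Shell/Userinit: comma-separated, case-insensitive, trailing comma allowed."""
    return [item.strip().lower() for item in data.split(",") if item.strip()]


def first_token(cmdline):
    """Executable path of a Run value: the quoted path, else everything up to the first space."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(" ", 1)[0]


def check_winlogon(snapshot):
    """(key, value name, [entries not in the expected set]) for Shell/Userinit in both views."""
    findings = []
    for key in WINLOGON_KEYS:
        for name, expected in EXPECTED.items():
            data = snapshot.get(key, {}).get(name)
            if data is None:
                continue
            extra = [item for item in split_list(data) if item not in expected]
            if extra:
                findings.append((key, name, extra))
    return findings


def check_run_keys(snapshot):
    """(key, value name, executable) for Run/RunOnce entries launched from a drop directory."""
    findings = []
    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            target = first_token(data)
            if SUSPECT_PATH.search(target):
                findings.append((key, name, target))
    return findings


def read_live_snapshot():
    """Same structure read from the live registry; {} where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return {}
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for key in WINLOGON_KEYS + RUN_KEYS:
        hive, _, subkey = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], subkey) as handle:
                values, index = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, index)
                    except OSError:  # no more values under this key
                        break
                    if isinstance(data, str):
                        values[name] = data
                    index += 1
        except OSError:  # key absent (for example RunOnce) or access denied
            continue
        snapshot[key] = values
    return snapshot


if __name__ == "__main__":
    snap = read_live_snapshot() or SNAPSHOT
    for finding in check_winlogon(snap) + check_run_keys(snap):
        print(*finding)
```

A state check like this only sees what the values contain now. A write that sets Shell back to its default string, or an implant that removes its Run entry after each boot, leaves nothing for it to find, so pair it with registry-write telemetry (Sysmon event 13 or an EDR equivalent) on the same keys when investigating a host.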
Downloads
- Filesize: 272B
  MD5: 68c4f43c08ccb99b630d4bdbc0a667f0
  SHA1: ef58c244be729edf55a8f7898b8f6b419716e7a9
  SHA256: c2aee4ded4057ab74d23fb2e52d514b6e566452d2d4c953a2dd898432e8b0424
  SHA512: 0c8ea829653652b4b7fdfdc8928449bda8afdfd865a0cbb80305bd0b8637f72c125c8ada048fec2d7eb652bdd07e523d12481539d0ac5a4a02bcc326db6d9df6
- Filesize: 272B
  MD5: 0fe93ce1562e05423bede9286c184003
  SHA1: 4db20eadf16146e5334069c95ec2d5cd9cf8249d
  SHA256: e3cd77df09d99a7a71b09e1e877ad0e08770c2ba05cd70cc96254e340f829fcf
  SHA512: 253b69560c11160ccf633c95501da81def36fda338971ff6cd3d31915f36bdd101528f3cc95c9093eae0b24fd24993cbe6c403e4180e74ddb7bae6feebb9df4f
- Filesize: 272B
  MD5: 0f02e4a074f360baf10a66719955d256
  SHA1: 617798dc5ecc89d7b7319fff6182facf32fc3cea
  SHA256: e5f1b155b3c43d918c3e16a9667f51af4961c37f21ba20c14d09b016cdbd47dd
  SHA512: 1ca029eb48d8a65b531b9d5b88b5d35b348caff8055de55fac3fdbf1ae40e91a53772e10a8aac1277ae3f3863e33fd04d0636ab25804fd20abcfaaff2a9d3e89
- Filesize: 272B
  MD5: 5b961d61563cfa21722a7d287f1dc4f2
  SHA1: 6f30858af64e4789b6e35d39088e1d840b2ac333
  SHA256: 93cd4a25886dfd34b1a0c531458d448054d8c430ca922276c23b0cdab11b6e97
  SHA512: 70442406d040d80c5dfc2980c59ee8a30ab1c3f159dac28add4a368442106927e88af7f80ef37b7dbc06f52fa97b7e3906841f0c29aa2d056e4cbfc6bcde04ef
- Filesize: 272B
  MD5: 9fde5ecb0d6e6dfbdb6a69df75ac26fb
  SHA1: 1d4f3d23aebd2644c5062a353ab183ced4fff25e
  SHA256: 79f12a614084732beb1f42ada199bcd7b70a883451c1ac7651f0ba1c48f63b3e
  SHA512: 006be5f732619812dff0d25a367ac4788516e573ea649aeb05312c86d19e919979fc9f35df8cf2f3827d44c967f6d491f9610565a11ef674d66a8235bc97bfcc
- Filesize: 320KB
  MD5: eb09c682903ecbd87f30b0366e008d8f
  SHA1: 59b0dc27c06ce536327490439a37751a3dbd5e38
  SHA256: c4b122f7bab30363b472a3dffb8a7c61604c0ec4719ebd233ccbac8be0951be1
  SHA512: 83236c0955b81375666c10445d2cf5e4723b24e42e4ee5fb951f53945483be2fff5c8ef167f08cfad3accc162c61e750bb1039edbf09e26afe18cba2f994eb5d
- Filesize: 724KB
  MD5: 97ad6ac6b09531dc74ee709de60a1d75
  SHA1: c5243821a689a6e36b9947e64dc524895e4850d6
  SHA256: 0d9b4b830436abbeb913536e9d2d22eaa6d1e70557bb0d70c317edde4f2b8bbe
  SHA512: 90bfa6e14f218e66b315cb14968fbb3fa3d0ea0da4993e24fab7c61ca8a3b207fa0a27b122c37404925b71a5defabac1fe832c310123f1f481176cdaba52b23e
- Filesize: 3KB
  MD5: 3ab3c1f7f7a079031fc5657141c7187f
  SHA1: 2ec8dc0d32cb0b999729dba7ec491ec1eb010ad9
  SHA256: 67075c6e247a627e8f38abf21bb3cd819f00724625917843e8e9ba5276e7f7c0
  SHA512: e00abf8abcaafcc4c0ed6f746298ab6bf074b4753424e544857e19339196542df4e2fe9baccde04222bdf99266f9450248eeb691ca7244d5f1c6afb28883081a
- Filesize: 272B
  MD5: fc61fef3961dad0d51051ebb28fa4225
  SHA1: 7e69a767389e8a76a60e30a1a9337f58170a75cb
  SHA256: fba53af4f112be79c4ccea3663cd2a3b6e85a4e699b81577ff7d4123a2c8aded
  SHA512: e77381bb8b39ae06a7f76bb2f63401f54796729177f9dd2f40cca6eca5c25d4c8683fe1f14a9fd91d37b02b04f16f0638eeefc3b210afe1acdc7948832051746
- Filesize: 524KB
  MD5: b4fe986f603c8689f0e3be5b60cc856e
  SHA1: 4989bebdf2b66cec09efe777715577b21e5fec5e
  SHA256: ce16cfb716ea2a3ebb272428883f5b7375f2b38c5eeff3c4e455baa9a9fb0168
  SHA512: b5b057b7d9a79abd6d857c50767075e480bd3bb3d6dee512c9d517c851e242e42d0e05263010c719b870308bc728908345310280c2b3431a72b8ffc50533b94e