Analysis
max time kernel: 44s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250410-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/04/2025, 19:02
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_b58392cb5dabc4b3851447d47255d4f1.exe
Resource: win10v2004-20250410-en

General
Target: JaffaCakes118_b58392cb5dabc4b3851447d47255d4f1.exe
Size: 820KB
MD5: b58392cb5dabc4b3851447d47255d4f1
SHA1: 4d5beb6e75c2774efe4451caf7fd1ba2ad548e76
SHA256: 108e977f71759ac7d303ca9a76b33c440a70f94a68a3e603704afe85de849692
SHA512: 53555d5b931fbe748f2679479bfb57ad4560cd2fcf351799b24717d85168d0f96125217d91ee125a26016ed77c30cc5123315c51846aa107ea1681b8682c7c0a
SSDEEP: 6144:Rj6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrionyS:B6onxOp8FySpE5zvIdtU+Ymef
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 20 IoCs
Pykspa family
UAC bypass 3 TTPs 29 IoCs
Detect Pykspa worm 2 IoCs
resource | yara_rule
behavioral1/files/0x00090000000229e2-4.dat | family_pykspa
behavioral1/files/0x000b000000024014-85.dat | family_pykspa
Adds policy Run key to start application 2 TTPs 64 IoCs
Blocklisted process makes network request 3 IoCs
flow | pid | Process
47 | 5936 | Process not Found
51 | 5936 | Process not Found
66 | 5936 | Process not Found
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jtschn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jtschn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jtschn.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qjfmnzhratp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jtschn.exe
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE 64 IoCs
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | jtschn.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | jtschn.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | jtschn.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | jtschn.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | jtschn.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | jtschn.exe
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qfjyitcvzmw = "lhsofxnnysjjmaibqh.exe ."  jtschn.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vpyshxljskzxykqh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxhcsjyxhaqpreldr.exe"  jtschn.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mdjamzkflamhf = "jhuslfxzmibdiyidunfd.exe"  qjfmnzhratp.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qfjyitcvzmw = "wtfcunefrmefjyhbrja.exe ."  qjfmnzhratp.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vpyshxljskzxykqh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vpyshxljskzxykqh.exe"  qjfmnzhratp.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfjyitcvzmw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxlkezsvjgadjalhztmlz.exe ."  jtschn.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qfjyitcvzmw = "lhsofxnnysjjmaibqh.exe ."  qjfmnzhratp.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfjyitcvzmw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxlkezsvjgadjalhztmlz.exe ."  jtschn.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjmajtbtwi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxhcsjyxhaqpreldr.exe"  jtschn.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qfjyitcvzmw = "vpyshxljskzxykqh.exe ."  qjfmnzhratp.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mdjamzkflamhf = "jhuslfxzmibdiyidunfd.exe"  qjfmnzhratp.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nfmerfrnukxtsc = "lhsofxnnysjjmaibqh.exe ."  qjfmnzhratp.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mdjamzkflamhf = "jhuslfxzmibdiyidunfd.exe"  qjfmnzhratp.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vjmajtbtwi = "yxlkezsvjgadjalhztmlz.exe"  qjfmnzhratp.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjmajtbtwi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhsofxnnysjjmaibqh.exe"  jtschn.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qfjyitcvzmw = "cxhcsjyxhaqpreldr.exe ."  qjfmnzhratp.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfjyitcvzmw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxhcsjyxhaqpreldr.exe ."  qjfmnzhratp.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qjrkynaxfwkhhsx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxlkezsvjgadjalhztmlz.exe ."  qjfmnzhratp.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vpyshxljskzxykqh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vpyshxljskzxykqh.exe"  qjfmnzhratp.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qfjyitcvzmw = "wtfcunefrmefjyhbrja.exe ."  qjfmnzhratp.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mdjamzkflamhf = "wtfcunefrmefjyhbrja.exe"  jtschn.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nfmerfrnukxtsc = "yxlkezsvjgadjalhztmlz.exe ."  jtschn.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfjyitcvzmw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxhcsjyxhaqpreldr.exe ."  jtschn.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qfjyitcvzmw = "cxhcsjyxhaqpreldr.exe ."  jtschn.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjmajtbtwi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vpyshxljskzxykqh.exe"  jtschn.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nfmerfrnukxtsc = "yxlkezsvjgadjalhztmlz.exe ."  jtschn.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjmajtbtwi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vpyshxljskzxykqh.exe"  jtschn.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfjyitcvzmw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhsofxnnysjjmaibqh.exe ."  qjfmnzhratp.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qfjyitcvzmw = "yxlkezsvjgadjalhztmlz.exe ."  qjfmnzhratp.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mdjamzkflamhf = "jhuslfxzmibdiyidunfd.exe"  jtschn.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vjmajtbtwi = "vpyshxljskzxykqh.exe"  qjfmnzhratp.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vpyshxljskzxykqh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhuslfxzmibdiyidunfd.exe"  jtschn.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mdjamzkflamhf = "lhsofxnnysjjmaibqh.exe"  qjfmnzhratp.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vjmajtbtwi = "wtfcunefrmefjyhbrja.exe"  qjfmnzhratp.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfjyitcvzmw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhsofxnnysjjmaibqh.exe ."  qjfmnzhratp.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjmajtbtwi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtfcunefrmefjyhbrja.exe"  qjfmnzhratp.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nfmerfrnukxtsc = "vpyshxljskzxykqh.exe ."  qjfmnzhratp.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjmajtbtwi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtfcunefrmefjyhbrja.exe"  qjfmnzhratp.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfjyitcvzmw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxlkezsvjgadjalhztmlz.exe ."  qjfmnzhratp.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nfmerfrnukxtsc = "vpyshxljskzxykqh.exe ."  jtschn.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qjrkynaxfwkhhsx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhsofxnnysjjmaibqh.exe ."  jtschn.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfjyitcvzmw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhsofxnnysjjmaibqh.exe ."  jtschn.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vjmajtbtwi = "vpyshxljskzxykqh.exe"  qjfmnzhratp.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nfmerfrnukxtsc = "jhuslfxzmibdiyidunfd.exe ."  jtschn.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjmajtbtwi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxlkezsvjgadjalhztmlz.exe"  qjfmnzhratp.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qfjyitcvzmw = "cxhcsjyxhaqpreldr.exe ."  qjfmnzhratp.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qjrkynaxfwkhhsx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhsofxnnysjjmaibqh.exe ."  jtschn.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vjmajtbtwi = "lhsofxnnysjjmaibqh.exe"  qjfmnzhratp.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vjmajtbtwi = "jhuslfxzmibdiyidunfd.exe"  qjfmnzhratp.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mdjamzkflamhf = "lhsofxnnysjjmaibqh.exe"  jtschn.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qjrkynaxfwkhhsx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtfcunefrmefjyhbrja.exe ."  qjfmnzhratp.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qjrkynaxfwkhhsx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vpyshxljskzxykqh.exe ."  qjfmnzhratp.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vjmajtbtwi = "lhsofxnnysjjmaibqh.exe"  qjfmnzhratp.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mdjamzkflamhf = "jhuslfxzmibdiyidunfd.exe"  jtschn.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vjmajtbtwi = "jhuslfxzmibdiyidunfd.exe"  jtschn.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mdjamzkflamhf = "vpyshxljskzxykqh.exe"  jtschn.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nfmerfrnukxtsc = "wtfcunefrmefjyhbrja.exe ."  qjfmnzhratp.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qjrkynaxfwkhhsx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxlkezsvjgadjalhztmlz.exe ."  qjfmnzhratp.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfjyitcvzmw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxhcsjyxhaqpreldr.exe ."  qjfmnzhratp.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qfjyitcvzmw = "wtfcunefrmefjyhbrja.exe ."  jtschn.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qjrkynaxfwkhhsx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtfcunefrmefjyhbrja.exe ."  qjfmnzhratp.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfjyitcvzmw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhuslfxzmibdiyidunfd.exe ."  qjfmnzhratp.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qfjyitcvzmw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxhcsjyxhaqpreldr.exe ."  qjfmnzhratp.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qjrkynaxfwkhhsx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhsofxnnysjjmaibqh.exe ."  qjfmnzhratp.exe
-
Checks whether UAC is enabled 1 TTPs 40 IoCs
The rows below show both reads of EnableLUA and repeated writes of EnableLUA = "0": the sample does not merely check UAC, it disables it (the change takes effect after a reboot).
description ioc Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  qjfmnzhratp.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  qjfmnzhratp.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  qjfmnzhratp.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  qjfmnzhratp.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  qjfmnzhratp.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  qjfmnzhratp.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  jtschn.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  jtschn.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  qjfmnzhratp.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  qjfmnzhratp.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  qjfmnzhratp.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  qjfmnzhratp.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  qjfmnzhratp.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  qjfmnzhratp.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  qjfmnzhratp.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  qjfmnzhratp.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  qjfmnzhratp.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  qjfmnzhratp.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  qjfmnzhratp.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  qjfmnzhratp.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  jtschn.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  qjfmnzhratp.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  jtschn.exe
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's application-installation detection (EnableInstallerDetection = "0"), so installer-like executables no longer trigger a prompt for privilege elevation for standard users.
description ioc Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"  qjfmnzhratp.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"  jtschn.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"  jtschn.exe
-
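The registry tables above (SafeBoot key deletion, Run/RunOnce values, EnableLUA and EnableInstallerDetection writes) are flattened "description ioc Process" rows that repeat the same event many times. The following Python is an added triage example, not part of the sandbox report and not code from the sample: it parses such rows into records, classifies each event by the behaviour it evidences, deduplicates the repeats, and lists the autostart commands that carry no directory component. The embedded rows are copied from the tables above; the two extra UAC policy value names (ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) do not appear in this report and are an assumption about what else is worth alerting on.

```python
import re
from collections import defaultdict

# Rows copied verbatim from the registry tables of this report, one event per
# line. A subset chosen to cover every row type the report uses.
SAMPLE_ROWS = r"""
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc jtschn.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager jtschn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qfjyitcvzmw = "lhsofxnnysjjmaibqh.exe ." jtschn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vpyshxljskzxykqh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxhcsjyxhaqpreldr.exe" jtschn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mdjamzkflamhf = "jhuslfxzmibdiyidunfd.exe" qjfmnzhratp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mdjamzkflamhf = "jhuslfxzmibdiyidunfd.exe" qjfmnzhratp.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" jtschn.exe
"""

# action, registry path, optional = "data", then the writing process as last token
ROW_RE = re.compile(
    r'^(?P<action>Set value \((?:str|int)\)|Key value queried|Key deleted|Key opened)\s+'
    r'(?P<path>\\REGISTRY\\\S+?)'
    r'(?:\s+=\s+"(?P<data>[^"]*)")?'
    r'\s+(?P<proc>\S+)$'
)

# UAC policy values worth alerting on when written. The first two appear in this
# report; the other two are well-known siblings, added here as an assumption.
UAC_POLICY_VALUES = {
    "EnableLUA", "EnableInstallerDetection",
    "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop",
}


def parse_rows(text):
    """Turn the report's flattened 'description ioc Process' rows into dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        key, _, leaf = m.group("path").rpartition("\\")
        data = m.group("data")
        if data is not None:
            data = data.replace("\\\\", "\\")  # the report doubles backslashes in string data
        records.append({"action": m.group("action"), "key": key, "leaf": leaf,
                        "data": data, "process": m.group("proc")})
    return records


def classify(rec):
    """Map one registry event to the behaviour it evidences."""
    key = rec["key"].lower()
    is_write = rec["action"].startswith("Set value")
    if rec["action"] == "Key deleted" and "\\control\\safeboot\\" in key:
        return "safeboot_sabotage"  # the service no longer loads in Safe Mode
    if is_write and key.endswith("\\currentversion\\run"):
        return "persistence_run"
    if is_write and key.endswith("\\currentversion\\runonce"):
        return "persistence_runonce"
    if is_write and key.endswith("\\policies\\system") and rec["leaf"] in UAC_POLICY_VALUES:
        return "uac_tamper"
    return "other"


def summarize(records):
    """Distinct (hive, value name, data, writing process) tuples per behaviour;
    the report repeats identical events, analysts want the unique set."""
    buckets = defaultdict(set)
    for rec in records:
        cat = classify(rec)
        if cat == "other":
            continue
        hive = "HKLM" if rec["key"].startswith("\\REGISTRY\\MACHINE\\") else "HKU"
        buckets[cat].add((hive, rec["leaf"], rec["data"], rec["process"]))
    return {cat: sorted(items, key=str) for cat, items in buckets.items()}


def pathless_autostarts(records):
    """Run/RunOnce commands with no directory component. Explorer resolves these
    through the normal executable search order, which includes C:\\Windows, and
    the report's file tables show the same names dropped there and in SysWOW64."""
    names = set()
    for rec in records:
        if classify(rec).startswith("persistence_") and rec["data"]:
            exe = rec["data"].split()[0]
            if "\\" not in exe:
                names.add(exe)
    return sorted(names)


if __name__ == "__main__":
    recs = parse_rows(SAMPLE_ROWS)
    for cat, items in summarize(recs).items():
        print(cat, *items, sep="\n    ")
    print("pathless autostarts:", pathless_autostarts(recs))
```

Feed the full tables through parse_rows to get the complete distinct set; the pathless names are the ones to hunt for under C:\Windows and C:\Windows\SysWOW64 on a suspect host.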
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
12  whatismyip.everdot.org
13  www.whatismyip.ca
16  whatismyip.everdot.org
26  www.showmyipaddress.com
37  whatismyip.everdot.org
18  whatismyipaddress.com
24  www.whatismyip.ca
29  whatismyip.everdot.org
32  www.whatismyip.ca
45  www.whatismyip.ca
-
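To turn the "flow ioc" table above into a detection, the following Python is an added example (not from the report) that matches DNS query events against the four lookup hosts listed there and flags any process that rotates through several of them, as this sample did. The log lines are constructed, in a hypothetical flat key=value rendering of Sysmon Event ID 22 fields; the path C:\Windows\jtschn.exe is assumed (the report does not give the process's location) and the other image paths are invented for contrast.

```python
import re
from collections import defaultdict

# External-IP lookup hosts taken from the report's "flow ioc" table, stored in
# normalised form (no "www." prefix, no trailing dot).
IP_LOOKUP_HOSTS = {
    "whatismyip.everdot.org",
    "whatismyip.ca",
    "showmyipaddress.com",
    "whatismyipaddress.com",
}

# Constructed Sysmon Event ID 22 (DnsQuery) records in a flat key=value
# rendering. The layout is hypothetical; only the field names are Sysmon's.
SAMPLE_DNS_LOG = r"""
UtcTime=2025-04-13 19:02:41 Image=C:\Windows\jtschn.exe QueryName=whatismyip.everdot.org QueryStatus=0
UtcTime=2025-04-13 19:02:42 Image=C:\Windows\jtschn.exe QueryName=www.whatismyip.ca QueryStatus=0
UtcTime=2025-04-13 19:02:43 Image=C:\Program Files\Mozilla Firefox\firefox.exe QueryName=www.mozilla.org. QueryStatus=0
UtcTime=2025-04-13 19:02:44 Image=C:\Windows\jtschn.exe QueryName=whatismyipaddress.com QueryStatus=9003
UtcTime=2025-04-13 19:02:45 Image=C:\Windows\System32\svchost.exe QueryName=ctldl.windowsupdate.com QueryStatus=0
"""

# Image may contain spaces, so match lazily up to the QueryName field.
LINE_RE = re.compile(r"Image=(?P<image>.+?)\s+QueryName=(?P<qname>\S+)")


def normalize_host(name):
    """Lowercase, drop a trailing dot and a leading 'www.' so that table entries
    and resolver log entries compare equal however they were logged."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("www."):
        name = name[4:]
    return name


def ip_lookup_queries(log_text, watchlist=IP_LOOKUP_HOSTS):
    """Map each querying image to the distinct lookup services it asked for.
    A failed lookup (QueryStatus != 0, e.g. 9003 NXDOMAIN) still counts:
    the attempt is the signal, not the answer."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        host = normalize_host(m.group("qname"))
        if host in watchlist:
            hits[m.group("image")].add(host)
    return {image: sorted(hosts) for image, hosts in hits.items()}


def suspicious_processes(hits, min_distinct=2):
    """Images that used several different lookup services. One query can be a
    legitimate tool; a single binary cycling through several services rarely is."""
    return sorted(image for image, hosts in hits.items() if len(hosts) >= min_distinct)


if __name__ == "__main__":
    found = ip_lookup_queries(SAMPLE_DNS_LOG)
    for image, hosts in found.items():
        print(image, hosts)
    print("suspicious:", suspicious_processes(found))
```

The threshold is deliberately a parameter: on a host where an IT inventory agent legitimately queries one such service, raise min_distinct rather than drop the rule.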
Drops file in System32 directory 64 IoCs
description ioc Process
File opened for modification  C:\Windows\SysWOW64\jhuslfxzmibdiyidunfd.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\ppeezvptigbfmeqngbvvkk.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\cxhcsjyxhaqpreldr.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\ppeezvptigbfmeqngbvvkk.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\cxhcsjyxhaqpreldr.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\vpyshxljskzxykqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\wtfcunefrmefjyhbrja.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\vpyshxljskzxykqh.exe  jtschn.exe
File opened for modification  C:\Windows\SysWOW64\yxlkezsvjgadjalhztmlz.exe  jtschn.exe
File opened for modification  C:\Windows\SysWOW64\vpyshxljskzxykqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\ppeezvptigbfmeqngbvvkk.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\ppeezvptigbfmeqngbvvkk.exe  jtschn.exe
File opened for modification  C:\Windows\SysWOW64\wtfcunefrmefjyhbrja.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\jhuslfxzmibdiyidunfd.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\wtfcunefrmefjyhbrja.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\wtfcunefrmefjyhbrja.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\vpyshxljskzxykqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\lhsofxnnysjjmaibqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\wtfcunefrmefjyhbrja.exe  jtschn.exe
File opened for modification  C:\Windows\SysWOW64\ppeezvptigbfmeqngbvvkk.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\jhuslfxzmibdiyidunfd.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\yxlkezsvjgadjalhztmlz.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\vpyshxljskzxykqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\jhuslfxzmibdiyidunfd.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\yxlkezsvjgadjalhztmlz.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\jhuslfxzmibdiyidunfd.exe  qjfmnzhratp.exe
File created  C:\Windows\SysWOW64\zdwazzxfyazhsoefcbzdwa.zxf  jtschn.exe
File opened for modification  C:\Windows\SysWOW64\jhuslfxzmibdiyidunfd.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\lhsofxnnysjjmaibqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\lhsofxnnysjjmaibqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\yxlkezsvjgadjalhztmlz.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\ppeezvptigbfmeqngbvvkk.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\lhsofxnnysjjmaibqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\lhsofxnnysjjmaibqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\yxlkezsvjgadjalhztmlz.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\vpyshxljskzxykqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\ppeezvptigbfmeqngbvvkk.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\ppeezvptigbfmeqngbvvkk.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\vpyshxljskzxykqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\ppeezvptigbfmeqngbvvkk.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\wtfcunefrmefjyhbrja.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\jhuslfxzmibdiyidunfd.exe  qjfmnzhratp.exe
File created  C:\Windows\SysWOW64\qfjyitcvzmwplstfnxgvzoyjslpcmfbij.dnw  jtschn.exe
File opened for modification  C:\Windows\SysWOW64\vpyshxljskzxykqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\ppeezvptigbfmeqngbvvkk.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\lhsofxnnysjjmaibqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\ppeezvptigbfmeqngbvvkk.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\yxlkezsvjgadjalhztmlz.exe  jtschn.exe
File opened for modification  C:\Windows\SysWOW64\qfjyitcvzmwplstfnxgvzoyjslpcmfbij.dnw  jtschn.exe
File opened for modification  C:\Windows\SysWOW64\lhsofxnnysjjmaibqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\lhsofxnnysjjmaibqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\yxlkezsvjgadjalhztmlz.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\wtfcunefrmefjyhbrja.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\cxhcsjyxhaqpreldr.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\lhsofxnnysjjmaibqh.exe  jtschn.exe
File opened for modification  C:\Windows\SysWOW64\cxhcsjyxhaqpreldr.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\yxlkezsvjgadjalhztmlz.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\ppeezvptigbfmeqngbvvkk.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\wtfcunefrmefjyhbrja.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\wtfcunefrmefjyhbrja.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\vpyshxljskzxykqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\cxhcsjyxhaqpreldr.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\lhsofxnnysjjmaibqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\SysWOW64\yxlkezsvjgadjalhztmlz.exe  qjfmnzhratp.exe
-
Drops file in Program Files directory 4 IoCs
description ioc Process
File created  C:\Program Files (x86)\zdwazzxfyazhsoefcbzdwa.zxf  jtschn.exe
File opened for modification  C:\Program Files (x86)\qfjyitcvzmwplstfnxgvzoyjslpcmfbij.dnw  jtschn.exe
File created  C:\Program Files (x86)\qfjyitcvzmwplstfnxgvzoyjslpcmfbij.dnw  jtschn.exe
File opened for modification  C:\Program Files (x86)\zdwazzxfyazhsoefcbzdwa.zxf  jtschn.exe
-
Drops file in Windows directory 64 IoCs
description ioc Process
File opened for modification  C:\Windows\ppeezvptigbfmeqngbvvkk.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\lhsofxnnysjjmaibqh.exe  jtschn.exe
File opened for modification  C:\Windows\cxhcsjyxhaqpreldr.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\ppeezvptigbfmeqngbvvkk.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\jhuslfxzmibdiyidunfd.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\ppeezvptigbfmeqngbvvkk.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\vpyshxljskzxykqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\wtfcunefrmefjyhbrja.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\zdwazzxfyazhsoefcbzdwa.zxf  jtschn.exe
File opened for modification  C:\Windows\lhsofxnnysjjmaibqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\jhuslfxzmibdiyidunfd.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\yxlkezsvjgadjalhztmlz.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\cxhcsjyxhaqpreldr.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\wtfcunefrmefjyhbrja.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\ppeezvptigbfmeqngbvvkk.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\wtfcunefrmefjyhbrja.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\lhsofxnnysjjmaibqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\vpyshxljskzxykqh.exe  jtschn.exe
File opened for modification  C:\Windows\lhsofxnnysjjmaibqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\lhsofxnnysjjmaibqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\wtfcunefrmefjyhbrja.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\vpyshxljskzxykqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\vpyshxljskzxykqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\wtfcunefrmefjyhbrja.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\cxhcsjyxhaqpreldr.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\jhuslfxzmibdiyidunfd.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\vpyshxljskzxykqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\lhsofxnnysjjmaibqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\lhsofxnnysjjmaibqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\jhuslfxzmibdiyidunfd.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\yxlkezsvjgadjalhztmlz.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\lhsofxnnysjjmaibqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\wtfcunefrmefjyhbrja.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\lhsofxnnysjjmaibqh.exe  qjfmnzhratp.exe
File created  C:\Windows\zdwazzxfyazhsoefcbzdwa.zxf  jtschn.exe
File opened for modification  C:\Windows\vpyshxljskzxykqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\wtfcunefrmefjyhbrja.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\vpyshxljskzxykqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\cxhcsjyxhaqpreldr.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\wtfcunefrmefjyhbrja.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\qfjyitcvzmwplstfnxgvzoyjslpcmfbij.dnw  jtschn.exe
File opened for modification  C:\Windows\yxlkezsvjgadjalhztmlz.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\ppeezvptigbfmeqngbvvkk.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\wtfcunefrmefjyhbrja.exe  jtschn.exe
File opened for modification  C:\Windows\jhuslfxzmibdiyidunfd.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\yxlkezsvjgadjalhztmlz.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\yxlkezsvjgadjalhztmlz.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\lhsofxnnysjjmaibqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\ppeezvptigbfmeqngbvvkk.exe  jtschn.exe
File opened for modification  C:\Windows\ppeezvptigbfmeqngbvvkk.exe  jtschn.exe
File opened for modification  C:\Windows\lhsofxnnysjjmaibqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\vpyshxljskzxykqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\cxhcsjyxhaqpreldr.exe  qjfmnzhratp.exe
File created  C:\Windows\qfjyitcvzmwplstfnxgvzoyjslpcmfbij.dnw  jtschn.exe
File opened for modification  C:\Windows\lhsofxnnysjjmaibqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\wtfcunefrmefjyhbrja.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\yxlkezsvjgadjalhztmlz.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\yxlkezsvjgadjalhztmlz.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\ppeezvptigbfmeqngbvvkk.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\yxlkezsvjgadjalhztmlz.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\jhuslfxzmibdiyidunfd.exe  jtschn.exe
File opened for modification  C:\Windows\ppeezvptigbfmeqngbvvkk.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\lhsofxnnysjjmaibqh.exe  qjfmnzhratp.exe
File opened for modification  C:\Windows\ppeezvptigbfmeqngbvvkk.exe  qjfmnzhratp.exe
-
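The three file tables (SysWOW64, Program Files, Windows directory) show the same eight executable names plus two non-executable files being written into several directories. The following Python is an added example, not part of the report and not code from the sample, that parses such rows, builds a name-to-directory matrix, and derives the names replicated across system directories together with the full paths to check on a suspect host. The embedded rows are a subset copied from the tables above.

```python
import re
from collections import defaultdict

# Rows copied verbatim from the three file tables of this report, one event
# per line (a subset; the full tables have 64, 4 and 64 rows).
SAMPLE_FILE_ROWS = r"""
File opened for modification C:\Windows\SysWOW64\jhuslfxzmibdiyidunfd.exe qjfmnzhratp.exe
File opened for modification C:\Windows\SysWOW64\lhsofxnnysjjmaibqh.exe qjfmnzhratp.exe
File created C:\Windows\SysWOW64\zdwazzxfyazhsoefcbzdwa.zxf jtschn.exe
File created C:\Program Files (x86)\zdwazzxfyazhsoefcbzdwa.zxf jtschn.exe
File created C:\Program Files (x86)\qfjyitcvzmwplstfnxgvzoyjslpcmfbij.dnw jtschn.exe
File opened for modification C:\Windows\lhsofxnnysjjmaibqh.exe jtschn.exe
File opened for modification C:\Windows\jhuslfxzmibdiyidunfd.exe qjfmnzhratp.exe
File created C:\Windows\zdwazzxfyazhsoefcbzdwa.zxf jtschn.exe
File opened for modification C:\Windows\cxhcsjyxhaqpreldr.exe qjfmnzhratp.exe
"""

# The path is matched lazily so directories containing spaces, such as
# "C:\Program Files (x86)", survive; the process is always the final token.
ROW_RE = re.compile(
    r"^(?P<action>File opened for modification|File created)\s+"
    r"(?P<path>[A-Za-z]:\\.+?)\s+(?P<proc>\S+)$"
)


def parse_file_rows(text):
    """Split each flattened row into action, directory, basename and process."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        directory, _, basename = m.group("path").rpartition("\\")
        records.append({"action": m.group("action"), "dir": directory,
                        "name": basename, "process": m.group("proc")})
    return records


def drop_matrix(records):
    """basename -> sorted list of directories it was written to."""
    where = defaultdict(set)
    for rec in records:
        where[rec["name"]].add(rec["dir"])
    return {name: sorted(dirs) for name, dirs in where.items()}


def replicated_names(matrix, min_dirs=2):
    """Names written to several directories: the sample copies itself under
    multiple names into C:\\Windows, C:\\Windows\\SysWOW64 and C:\\Program Files (x86),
    so removing one copy leaves the others in place."""
    return sorted(name for name, dirs in matrix.items() if len(dirs) >= min_dirs)


def non_executable_artifacts(matrix):
    """Companion files with non-.exe extensions (.zxf and .dnw in this report).
    The report does not say what they hold, but the names are unique enough
    to serve as hunt IoCs on their own."""
    return sorted(name for name in matrix if not name.lower().endswith(".exe"))


def hunt_paths(matrix):
    """Every full path to check on a suspected host, one per (name, directory)."""
    return sorted(f"{d}\\{name}" for name, dirs in matrix.items() for d in dirs)


if __name__ == "__main__":
    matrix = drop_matrix(parse_file_rows(SAMPLE_FILE_ROWS))
    print("replicated:", replicated_names(matrix))
    print("non-executable:", non_executable_artifacts(matrix))
    print(*hunt_paths(matrix), sep="\n")
```

Run it over all three tables to get the complete hunt list; any copy still present after cleanup is a sign that one of the writers (qjfmnzhratp.exe or jtschn.exe) is still running and re-dropping the set.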
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the victim's system language in order to infer the geographical location of that host.
description ioc Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  yxlkezsvjgadjalhztmlz.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lhsofxnnysjjmaibqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jhuslfxzmibdiyidunfd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vpyshxljskzxykqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wtfcunefrmefjyhbrja.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lhsofxnnysjjmaibqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jhuslfxzmibdiyidunfd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wtfcunefrmefjyhbrja.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  yxlkezsvjgadjalhztmlz.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cxhcsjyxhaqpreldr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lhsofxnnysjjmaibqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lhsofxnnysjjmaibqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jhuslfxzmibdiyidunfd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jhuslfxzmibdiyidunfd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vpyshxljskzxykqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cxhcsjyxhaqpreldr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  yxlkezsvjgadjalhztmlz.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lhsofxnnysjjmaibqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  yxlkezsvjgadjalhztmlz.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lhsofxnnysjjmaibqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jhuslfxzmibdiyidunfd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wtfcunefrmefjyhbrja.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lhsofxnnysjjmaibqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vpyshxljskzxykqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cxhcsjyxhaqpreldr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vpyshxljskzxykqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cxhcsjyxhaqpreldr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jhuslfxzmibdiyidunfd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lhsofxnnysjjmaibqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  yxlkezsvjgadjalhztmlz.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wtfcunefrmefjyhbrja.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lhsofxnnysjjmaibqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vpyshxljskzxykqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  yxlkezsvjgadjalhztmlz.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  yxlkezsvjgadjalhztmlz.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jhuslfxzmibdiyidunfd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qjfmnzhratp.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vpyshxljskzxykqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wtfcunefrmefjyhbrja.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wtfcunefrmefjyhbrja.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cxhcsjyxhaqpreldr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lhsofxnnysjjmaibqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  yxlkezsvjgadjalhztmlz.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lhsofxnnysjjmaibqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cxhcsjyxhaqpreldr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vpyshxljskzxykqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lhsofxnnysjjmaibqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wtfcunefrmefjyhbrja.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  yxlkezsvjgadjalhztmlz.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cxhcsjyxhaqpreldr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jhuslfxzmibdiyidunfd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  yxlkezsvjgadjalhztmlz.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  yxlkezsvjgadjalhztmlz.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lhsofxnnysjjmaibqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vpyshxljskzxykqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wtfcunefrmefjyhbrja.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  yxlkezsvjgadjalhztmlz.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_b58392cb5dabc4b3851447d47255d4f1.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vpyshxljskzxykqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wtfcunefrmefjyhbrja.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wtfcunefrmefjyhbrja.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lhsofxnnysjjmaibqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lhsofxnnysjjmaibqh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  yxlkezsvjgadjalhztmlz.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
3164 JaffaCakes118_b58392cb5dabc4b3851447d47255d4f1.exe (16 consecutive events)
4016 jtschn.exe (2 consecutive events)
3164 JaffaCakes118_b58392cb5dabc4b3851447d47255d4f1.exe (32 consecutive events)
4016 jtschn.exe (2 consecutive events)
3164 JaffaCakes118_b58392cb5dabc4b3851447d47255d4f1.exe (12 consecutive events) -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4016 jtschn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3164 wrote to memory of 4608 3164 JaffaCakes118_b58392cb5dabc4b3851447d47255d4f1.exe 88 (3 events)
PID 5000 wrote to memory of 4244 5000 cmd.exe 93 (3 events)
PID 1344 wrote to memory of 1844 1344 cmd.exe 96 (3 events)
PID 1844 wrote to memory of 5116 1844 wtfcunefrmefjyhbrja.exe 101 (3 events)
PID 2792 wrote to memory of 4228 2792 cmd.exe 102 (3 events)
PID 5288 wrote to memory of 5180 5288 cmd.exe 105 (3 events)
PID 1468 wrote to memory of 4684 1468 cmd.exe 108 (3 events)
PID 5656 wrote to memory of 3616 5656 cmd.exe 109 (3 events)
PID 5180 wrote to memory of 5844 5180 vpyshxljskzxykqh.exe 110 (3 events)
PID 3616 wrote to memory of 1984 3616 lhsofxnnysjjmaibqh.exe 275 (3 events)
PID 1744 wrote to memory of 1304 1744 cmd.exe 116 (3 events)
PID 2648 wrote to memory of 1904 2648 cmd.exe 290 (3 events)
PID 1904 wrote to memory of 3856 1904 cxhcsjyxhaqpreldr.exe 294 (3 events)
PID 4608 wrote to memory of 4016 4608 qjfmnzhratp.exe 119 (3 events)
PID 4608 wrote to memory of 3260 4608 qjfmnzhratp.exe 120 (3 events)
PID 4320 wrote to memory of 2944 4320 cmd.exe 126 (3 events)
PID 1220 wrote to memory of 4424 1220 cmd.exe 129 (3 events)
PID 1516 wrote to memory of 2732 1516 cmd.exe 222 (3 events)
PID 1000 wrote to memory of 4396 1000 cmd.exe 145 (3 events)
PID 1600 wrote to memory of 2708 1600 cmd.exe 146 (3 events)
PID 2732 wrote to memory of 1032 2732 cxhcsjyxhaqpreldr.exe 148 (3 events)
PID 4292 wrote to memory of 5432 4292 cmd.exe 152 (1 event shown; the signature list stops at 64 entries) -
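The rows above come in identical triples, one triple per parent/child pair, and every pair also appears as a parent/child edge in the process tree below. On Windows the parent of a newly created process writes into the child a handful of times (process parameters and environment), so a fixed three writes per child is what ordinary process creation looks like in this signature, not code injection; the single trailing row for 4292 is the list being cut at 64 entries, not a different behaviour. Note also that the last column (procid_target) is the sandbox's own index for the target process, not a Windows PID: the row for 3616 targets index 275, while the tree shows the same child as PID 1984. The script below is an added example, not part of the report; it parses a constructed subset of these rows, collapses the triples into one edge per (writer, target) pair, flags any edge that is not a triple for manual review, and walks the edges from the submitted sample's PID. The "three writes equals process creation" rule is the author's assumption and should be checked against the tree before it is relied on.

```python
"""Collapse 'Suspicious use of WriteProcessMemory' rows into spawn edges."""
import re
from collections import defaultdict

# Rows copied from the report (constructed subset used as sample input).
# The report caps the signature at 64 rows, which is why the final edge
# shows a single write instead of the usual three.
ROWS = """\
PID 3164 wrote to memory of 4608 3164 JaffaCakes118_b58392cb5dabc4b3851447d47255d4f1.exe 88
PID 3164 wrote to memory of 4608 3164 JaffaCakes118_b58392cb5dabc4b3851447d47255d4f1.exe 88
PID 3164 wrote to memory of 4608 3164 JaffaCakes118_b58392cb5dabc4b3851447d47255d4f1.exe 88
PID 4608 wrote to memory of 4016 4608 qjfmnzhratp.exe 119
PID 4608 wrote to memory of 4016 4608 qjfmnzhratp.exe 119
PID 4608 wrote to memory of 4016 4608 qjfmnzhratp.exe 119
PID 4608 wrote to memory of 3260 4608 qjfmnzhratp.exe 120
PID 4608 wrote to memory of 3260 4608 qjfmnzhratp.exe 120
PID 4608 wrote to memory of 3260 4608 qjfmnzhratp.exe 120
PID 5288 wrote to memory of 5180 5288 cmd.exe 105
PID 5288 wrote to memory of 5180 5288 cmd.exe 105
PID 5288 wrote to memory of 5180 5288 cmd.exe 105
PID 5180 wrote to memory of 5844 5180 vpyshxljskzxykqh.exe 110
PID 5180 wrote to memory of 5844 5180 vpyshxljskzxykqh.exe 110
PID 5180 wrote to memory of 5844 5180 vpyshxljskzxykqh.exe 110
PID 4292 wrote to memory of 5432 4292 cmd.exe 152
"""

# description: "PID <writer> wrote to memory of <target>", then pid, Process, procid_target
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_rows(text):
    """Turn the flattened signature rows into dicts; unparseable lines are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        writer, target, pid, proc, target_idx = m.groups()
        rows.append({"writer": int(writer), "target": int(target),
                     "process": proc, "procid_target": int(target_idx)})
    return rows


def collapse(rows):
    """One edge per (writer PID, target PID) with the number of writes seen."""
    edges = {}
    for r in rows:
        e = edges.setdefault((r["writer"], r["target"]),
                             {"process": r["process"], "writes": 0})
        e["writes"] += 1
    return edges


def classify(edge):
    """Assumption: exactly three writes is the CreateProcess pattern on this
    platform; anything else deserves a look (injection, or a truncated list)."""
    return "process-creation" if edge["writes"] == 3 else "review"


def descendants(edges, root):
    """All PIDs reachable from `root` along writer -> target edges."""
    children = defaultdict(list)
    for writer, target in edges:
        children[writer].append(target)
    seen, stack = set(), [root]
    while stack:
        pid = stack.pop()
        for child in children[pid]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


if __name__ == "__main__":
    edges = collapse(parse_rows(ROWS))
    for (writer, target), e in edges.items():
        print(f"{writer:>5} -> {target:<5} {e['process']:<55} writes={e['writes']} {classify(e)}")
    print("descendants of 3164:", sorted(descendants(edges, 3164)))
```

Running it on the full 64-row list reproduces the chain sample (3164) -> qjfmnzhratp.exe (4608) -> jtschn.exe (4016, 3260) that the tree shows, with every edge classified as process creation except the truncated last one.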
System policy modification 1 TTPs 64 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" jtschn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System jtschn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" jtschn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" jtschn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" jtschn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer jtschn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" jtschn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" jtschn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" jtschn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" jtschn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" jtschn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" jtschn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" jtschn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" jtschn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" jtschn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" jtschn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" jtschn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" jtschn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System jtschn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" jtschn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer jtschn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" jtschn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" jtschn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" jtschn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System qjfmnzhratp.exe
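Two things about these rows are worth stating explicitly. First, every key is under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies, which an unprivileged process cannot write; qjfmnzhratp.exe and jtschn.exe are therefore already running with administrative rights, and the "UAC bypass" signature records UAC being switched off for the future (EnableLUA = 0 only takes effect after a reboot), not an elevation trick. Second, not every write changes anything: FilterAdministratorToken = 0 and ValidateAdminCodeSignatures = 0 are the Windows defaults restated, while EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop, EnableSecureUIAPaths and EnableVirtualization are genuinely weakened, DisableRegistryTools = 1 locks the user out of regedit, and NoDriveTypeAutoRun = 1 loosens AutoRun to everything except unknown drives. The script below is an added example, not part of the report: it parses a constructed subset of the rows above and compares each value against a default table. That table is the author's assumption based on documented Windows 10 defaults and should be confirmed against your own golden image before it is used as a baseline in an investigation.

```python
"""Triage 'System policy modification' rows against Windows UAC defaults."""
import re

# Rows copied from the report's "System policy modification" signature
# (constructed subset used as sample input for this example).
REPORT_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" jtschn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qjfmnzhratp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System jtschn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" jtschn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" jtschn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" jtschn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" jtschn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" qjfmnzhratp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" qjfmnzhratp.exe
"""

# "Set value (<type>) <key>\<value name> = "<data>" <process>"
SET_RE = re.compile(r'^Set value \((\w+)\) (\S+?)\\([^\\ ]+) = "([^"]*)" (\S+)$')
# "Key created <key> <process>"
KEY_RE = re.compile(r"^Key created (\S+) (\S+)$")

# value name -> (Windows 10 default as stored, effect of the data the sample
# writes).  ASSUMPTION: documented defaults; None means absent by default.
DEFAULTS = {
    "EnableLUA": ("1", "UAC disabled entirely (takes effect after reboot)"),
    "ConsentPromptBehaviorAdmin": ("5", "administrators elevate with no prompt"),
    "ConsentPromptBehaviorUser": ("3", "standard users' elevation requests denied automatically"),
    "PromptOnSecureDesktop": ("1", "elevation prompts leave the secure desktop"),
    "FilterAdministratorToken": ("0", "built-in Administrator outside Admin Approval Mode"),
    "EnableSecureUIAPaths": ("1", "UIAccess applications allowed from any path"),
    "ValidateAdminCodeSignatures": ("0", "no Authenticode check on elevating binaries"),
    "EnableVirtualization": ("1", "legacy file/registry virtualization disabled"),
    "DisableRegistryTools": (None, "regedit blocked for interactive users"),
    "NoDriveTypeAutoRun": (None, "AutoRun restricted only on unknown drive types"),
}


def parse_rows(text):
    """Parse the flattened rows; returns dicts with action/key/name/value/process."""
    rows = []
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            _vtype, key, name, value, proc = m.groups()
            rows.append({"action": "set", "key": key, "name": name,
                         "value": value, "process": proc})
            continue
        m = KEY_RE.match(line)
        if m:
            key, proc = m.groups()
            rows.append({"action": "create", "key": key, "name": None,
                         "value": None, "process": proc})
    return rows


def assess(rows):
    """Per value name: data written, default, whether it differs, and by whom."""
    findings = {}
    for r in rows:
        if r["action"] != "set" or r["name"] not in DEFAULTS:
            continue
        default, effect = DEFAULTS[r["name"]]
        f = findings.setdefault(r["name"], {
            "value": r["value"], "default": default,
            "changed": r["value"] != default, "effect": effect, "processes": set()})
        f["processes"].add(r["process"])
    return findings


def uac_disabled(findings):
    """True when the sample turned UAC off outright."""
    return findings.get("EnableLUA", {}).get("value") == "0"


if __name__ == "__main__":
    for name, f in assess(parse_rows(REPORT_ROWS)).items():
        flag = "CHANGED" if f["changed"] else "default"
        who = ", ".join(sorted(f["processes"]))
        print(f"{name:28} = {f['value']:>2} [{flag:7}] {who}: {f['effect']}")
```

On a live host the same comparison can be made with reg query against HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; any row this script marks CHANGED is a remediation item, and EnableLUA = 0 in particular stays dormant until the next reboot, so a host that still prompts for elevation is not yet clean.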
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b58392cb5dabc4b3851447d47255d4f1.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b58392cb5dabc4b3851447d47255d4f1.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_b58392cb5dabc4b3851447d47255d4f1.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4608 -
C:\Users\Admin\AppData\Local\Temp\jtschn.exe"C:\Users\Admin\AppData\Local\Temp\jtschn.exe" "-C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4016
-
-
C:\Users\Admin\AppData\Local\Temp\jtschn.exe"C:\Users\Admin\AppData\Local\Temp\jtschn.exe" "-C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\jhuslfxzmibdiyidunfd.exejhuslfxzmibdiyidunfd.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4244
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\wtfcunefrmefjyhbrja.exewtfcunefrmefjyhbrja.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wtfcunefrmefjyhbrja.exe*."3⤵
- Executes dropped EXE
PID:5116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\wtfcunefrmefjyhbrja.exewtfcunefrmefjyhbrja.exe2⤵
- Executes dropped EXE
PID:4228
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5288 -
C:\Windows\vpyshxljskzxykqh.exevpyshxljskzxykqh.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5180 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vpyshxljskzxykqh.exe*."3⤵
- Executes dropped EXE
PID:5844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe1⤵
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5656 -
C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\lhsofxnnysjjmaibqh.exe*."3⤵
- Executes dropped EXE
PID:1984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe1⤵
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exeC:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1304
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exeC:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\cxhcsjyxhaqpreldr.exe*."3⤵
- Executes dropped EXE
PID:3856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Windows\vpyshxljskzxykqh.exevpyshxljskzxykqh.exe2⤵
- Executes dropped EXE
PID:2944
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe1⤵
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\cxhcsjyxhaqpreldr.execxhcsjyxhaqpreldr.exe2⤵
- Executes dropped EXE
PID:4424
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\cxhcsjyxhaqpreldr.execxhcsjyxhaqpreldr.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\cxhcsjyxhaqpreldr.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Windows\vpyshxljskzxykqh.exevpyshxljskzxykqh.exe .2⤵
- Executes dropped EXE
PID:4396 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vpyshxljskzxykqh.exe*."3⤵
- Executes dropped EXE
PID:908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe1⤵
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\jhuslfxzmibdiyidunfd.exejhuslfxzmibdiyidunfd.exe2⤵
- Executes dropped EXE
PID:2708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\vpyshxljskzxykqh.exevpyshxljskzxykqh.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5432 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vpyshxljskzxykqh.exe*."3⤵
- Executes dropped EXE
PID:4896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe1⤵PID:4356
-
C:\Windows\lhsofxnnysjjmaibqh.exelhsofxnnysjjmaibqh.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe1⤵PID:944
-
C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe2⤵
- Executes dropped EXE
PID:2284
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe .1⤵PID:2424
-
C:\Windows\vpyshxljskzxykqh.exevpyshxljskzxykqh.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5536 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vpyshxljskzxykqh.exe*."3⤵
- Executes dropped EXE
PID:4512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe .1⤵PID:4408
-
C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exeC:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jhuslfxzmibdiyidunfd.exe*."3⤵
- Executes dropped EXE
PID:5192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe1⤵PID:3372
-
C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exeC:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe2⤵
- Executes dropped EXE
PID:4676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .1⤵PID:2604
-
C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3172 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vpyshxljskzxykqh.exe*."3⤵
- Executes dropped EXE
PID:5868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe1⤵PID:3432
-
C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exeC:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe2⤵
- Executes dropped EXE
PID:3524
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .1⤵PID:224
-
C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exeC:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5540 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yxlkezsvjgadjalhztmlz.exe*."3⤵
- Executes dropped EXE
PID:624
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe1⤵PID:4596
-
C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe2⤵
- Executes dropped EXE
PID:1468
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .1⤵PID:4560
-
C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3288 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wtfcunefrmefjyhbrja.exe*."3⤵
- Executes dropped EXE
PID:5440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe1⤵PID:4840
-
C:\Windows\vpyshxljskzxykqh.exevpyshxljskzxykqh.exe2⤵
- Executes dropped EXE
PID:1640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe .1⤵PID:4872
-
C:\Windows\cxhcsjyxhaqpreldr.execxhcsjyxhaqpreldr.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:404 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\cxhcsjyxhaqpreldr.exe*."3⤵
- Executes dropped EXE
PID:3880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe1⤵PID:4452
-
C:\Windows\vpyshxljskzxykqh.exevpyshxljskzxykqh.exe2⤵
- Executes dropped EXE
PID:2104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe .1⤵PID:5508
-
C:\Windows\jhuslfxzmibdiyidunfd.exejhuslfxzmibdiyidunfd.exe .2⤵
- Executes dropped EXE
PID:3844 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jhuslfxzmibdiyidunfd.exe*."3⤵
- Executes dropped EXE
PID:2788
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe1⤵PID:4156
-
C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exeC:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe2⤵
- Executes dropped EXE
PID:2668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .1⤵PID:3456
-
C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exeC:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3856 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yxlkezsvjgadjalhztmlz.exe*."3⤵
- Executes dropped EXE
PID:1940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe1⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe2⤵
- Executes dropped EXE
PID:5004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe .1⤵PID:5024
-
C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exeC:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
        - System Location Discovery: System Language Discovery
    PID:2184
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jhuslfxzmibdiyidunfd.exe*.")  PID:3764
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe)  PID:2808
    C:\Windows\yxlkezsvjgadjalhztmlz.exe  (cmdline: yxlkezsvjgadjalhztmlz.exe)  PID:4996
        - Executes dropped EXE

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe .)  PID:2916
    C:\Windows\lhsofxnnysjjmaibqh.exe  (cmdline: lhsofxnnysjjmaibqh.exe .)  PID:5908
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\lhsofxnnysjjmaibqh.exe*.")  PID:2428
            - Executes dropped EXE

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe)  PID:3532
    C:\Windows\wtfcunefrmefjyhbrja.exe  (cmdline: wtfcunefrmefjyhbrja.exe)  PID:772
        - Executes dropped EXE

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe .)  PID:1740
    C:\Windows\lhsofxnnysjjmaibqh.exe  (cmdline: lhsofxnnysjjmaibqh.exe .)  PID:5584
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\lhsofxnnysjjmaibqh.exe*.")  PID:4736
            - Executes dropped EXE

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe)  PID:6092
    C:\Windows\jhuslfxzmibdiyidunfd.exe  (cmdline: jhuslfxzmibdiyidunfd.exe)  PID:1516
        - Executes dropped EXE

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe)  PID:4612
    C:\Windows\jhuslfxzmibdiyidunfd.exe  (cmdline: jhuslfxzmibdiyidunfd.exe)  PID:5992
        - Executes dropped EXE

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe)  PID:2732
    C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe)  PID:5464
        - Executes dropped EXE

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe .)  PID:4464
    C:\Windows\wtfcunefrmefjyhbrja.exe  (cmdline: wtfcunefrmefjyhbrja.exe .)  PID:232
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wtfcunefrmefjyhbrja.exe*.")  PID:5188
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe .)  PID:5612
    C:\Windows\wtfcunefrmefjyhbrja.exe  (cmdline: wtfcunefrmefjyhbrja.exe .)  PID:4352
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wtfcunefrmefjyhbrja.exe*.")  PID:4432

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .)  PID:5452
    C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .)  PID:2508
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wtfcunefrmefjyhbrja.exe*.")  PID:3612

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe)  PID:4768
    C:\Windows\vpyshxljskzxykqh.exe  (cmdline: vpyshxljskzxykqh.exe)  PID:4756

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe)  PID:4808
    C:\Windows\vpyshxljskzxykqh.exe  (cmdline: vpyshxljskzxykqh.exe)  PID:2200

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe .)  PID:4956
    C:\Windows\yxlkezsvjgadjalhztmlz.exe  (cmdline: yxlkezsvjgadjalhztmlz.exe .)  PID:5472
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yxlkezsvjgadjalhztmlz.exe*.")  PID:4844

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe .)  PID:4676
    C:\Windows\yxlkezsvjgadjalhztmlz.exe  (cmdline: yxlkezsvjgadjalhztmlz.exe .)  PID:4836
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yxlkezsvjgadjalhztmlz.exe*.")  PID:3880

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe)  PID:1528
    C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe)  PID:3796

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .)  PID:1604
    C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .)  PID:5756
        - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\cxhcsjyxhaqpreldr.exe*.")  PID:4116

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe)  PID:4292
    C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe)  PID:1984

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe)  PID:2656
    C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe)  PID:2224

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .)  PID:2420
    C:\Windows\System32\Conhost.exe  (cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)  PID:4512
    C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .)  PID:4684
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\lhsofxnnysjjmaibqh.exe*.")  PID:5844

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .)  PID:1640
    C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .)  PID:2384
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\lhsofxnnysjjmaibqh.exe*.")  PID:5176

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe)  PID:5400
    C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe)  PID:3964

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe)  PID:4596
    C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe)  PID:4568

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .)  PID:3648
    C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .)  PID:3188
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vpyshxljskzxykqh.exe*.")  PID:3312

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .)  PID:5548
    C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .)  PID:3944
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\cxhcsjyxhaqpreldr.exe*.")  PID:6076

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe)  PID:4264
    C:\Windows\yxlkezsvjgadjalhztmlz.exe  (cmdline: yxlkezsvjgadjalhztmlz.exe)  PID:1904

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe .)  PID:4232
    C:\Windows\yxlkezsvjgadjalhztmlz.exe  (cmdline: yxlkezsvjgadjalhztmlz.exe .)  PID:2400
        - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yxlkezsvjgadjalhztmlz.exe*.")  PID:2892

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe)  PID:1584
    C:\Windows\System32\Conhost.exe  (cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)  PID:3856
    C:\Windows\wtfcunefrmefjyhbrja.exe  (cmdline: wtfcunefrmefjyhbrja.exe)  PID:848

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe .)  PID:5884
    C:\Windows\vpyshxljskzxykqh.exe  (cmdline: vpyshxljskzxykqh.exe .)  PID:2936
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vpyshxljskzxykqh.exe*.")  PID:2344

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe)  PID:3036
    C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe)  PID:1792

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .)  PID:2300
    C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .)  PID:2836
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\cxhcsjyxhaqpreldr.exe*.")  PID:4444

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe)  PID:1828
    C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe)  PID:628

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .)  PID:5240
    C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .)  PID:4064
        - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\lhsofxnnysjjmaibqh.exe*.")  PID:3532
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe)  PID:4784
    C:\Windows\yxlkezsvjgadjalhztmlz.exe  (cmdline: yxlkezsvjgadjalhztmlz.exe)  PID:4612

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe .)  PID:2092
    C:\Windows\vpyshxljskzxykqh.exe  (cmdline: vpyshxljskzxykqh.exe .)  PID:656
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vpyshxljskzxykqh.exe*.")  PID:2972

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe)  PID:4212
    C:\Windows\vpyshxljskzxykqh.exe  (cmdline: vpyshxljskzxykqh.exe)  PID:6140

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe .)  PID:1216
    C:\Windows\wtfcunefrmefjyhbrja.exe  (cmdline: wtfcunefrmefjyhbrja.exe .)  PID:3004
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wtfcunefrmefjyhbrja.exe*.")  PID:2792

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe)  PID:3092
    C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe)  PID:5192

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .)  PID:4472
    C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .)  PID:1136
        - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wtfcunefrmefjyhbrja.exe*.")  PID:4480

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe)  PID:5452
    C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe)  PID:816

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe .)  PID:6096
    C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe .)  PID:4496
        - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jhuslfxzmibdiyidunfd.exe*.")  PID:5808
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe)  PID:3796
    C:\Windows\System32\Conhost.exe  (cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)  PID:404
    C:\Windows\wtfcunefrmefjyhbrja.exe  (cmdline: wtfcunefrmefjyhbrja.exe)  PID:1984

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe .)  PID:5268
    C:\Windows\System32\Conhost.exe  (cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)  PID:3880
    C:\Windows\yxlkezsvjgadjalhztmlz.exe  (cmdline: yxlkezsvjgadjalhztmlz.exe .)  PID:1744
        - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yxlkezsvjgadjalhztmlz.exe*.")  PID:3096

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe)  PID:4788
    C:\Windows\lhsofxnnysjjmaibqh.exe  (cmdline: lhsofxnnysjjmaibqh.exe)  PID:2332

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe .)  PID:5472
    C:\Windows\jhuslfxzmibdiyidunfd.exe  (cmdline: jhuslfxzmibdiyidunfd.exe .)  PID:1460
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jhuslfxzmibdiyidunfd.exe*.")  PID:2788

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe)  PID:4356
    C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe)  PID:5816

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .)  PID:3940
    C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .)  PID:5352
        - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vpyshxljskzxykqh.exe*.")  PID:3896

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe)  PID:1692
    C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe)  PID:1472

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .)  PID:2480
    C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .)  PID:5232
        - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yxlkezsvjgadjalhztmlz.exe*.")  PID:5644
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe)  PID:5036
    C:\Windows\wtfcunefrmefjyhbrja.exe  (cmdline: wtfcunefrmefjyhbrja.exe)  PID:2420

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe .)  PID:3432
    C:\Windows\lhsofxnnysjjmaibqh.exe  (cmdline: lhsofxnnysjjmaibqh.exe .)  PID:5512
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\lhsofxnnysjjmaibqh.exe*.")  PID:5972

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe)  PID:3668
    C:\Windows\jhuslfxzmibdiyidunfd.exe  (cmdline: jhuslfxzmibdiyidunfd.exe)  PID:848

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe .)  PID:2400
    C:\Windows\yxlkezsvjgadjalhztmlz.exe  (cmdline: yxlkezsvjgadjalhztmlz.exe .)  PID:5044
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yxlkezsvjgadjalhztmlz.exe*.")  PID:4544

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe)  PID:5660
    C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe)  PID:3700

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .)  PID:4592
    C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .)  PID:3064
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yxlkezsvjgadjalhztmlz.exe*.")  PID:5708

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe)  PID:5772
    C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe)  PID:5056

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .)  PID:1612
    C:\Windows\System32\Conhost.exe  (cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)  PID:4996
    C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .)  PID:1244
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wtfcunefrmefjyhbrja.exe*.")  PID:6000
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe)  PID:3600
    C:\Windows\System32\Conhost.exe  (cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)  PID:628
    C:\Windows\vpyshxljskzxykqh.exe  (cmdline: vpyshxljskzxykqh.exe)  PID:1828

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe .)  PID:2600
    C:\Windows\vpyshxljskzxykqh.exe  (cmdline: vpyshxljskzxykqh.exe .)  PID:4120
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vpyshxljskzxykqh.exe*.")  PID:5392

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe)  PID:5240
    C:\Windows\jhuslfxzmibdiyidunfd.exe  (cmdline: jhuslfxzmibdiyidunfd.exe)  PID:5436

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe .)  PID:2624
    C:\Windows\lhsofxnnysjjmaibqh.exe  (cmdline: lhsofxnnysjjmaibqh.exe .)  PID:5464
        - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\lhsofxnnysjjmaibqh.exe*.")  PID:4744

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe)  PID:5460
    C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe)  PID:1488

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .)  PID:2092
    C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .)  PID:3216
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wtfcunefrmefjyhbrja.exe*.")  PID:232

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe)  PID:2060
    C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe)  PID:3492

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe .)  PID:748
    C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe .)  PID:3764
        - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jhuslfxzmibdiyidunfd.exe*.")  PID:5088
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe)  PID:4756
    C:\Windows\cxhcsjyxhaqpreldr.exe  (cmdline: cxhcsjyxhaqpreldr.exe)  PID:2692

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe .)  PID:4000
    C:\Windows\lhsofxnnysjjmaibqh.exe  (cmdline: lhsofxnnysjjmaibqh.exe .)  PID:5780
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\lhsofxnnysjjmaibqh.exe*.")  PID:3832

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe)  PID:5764
    C:\Windows\jhuslfxzmibdiyidunfd.exe  (cmdline: jhuslfxzmibdiyidunfd.exe)  PID:5684

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe .)  PID:4820
    C:\Windows\lhsofxnnysjjmaibqh.exe  (cmdline: lhsofxnnysjjmaibqh.exe .)  PID:2920
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\lhsofxnnysjjmaibqh.exe*.")  PID:3016

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe)  PID:2104
    C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe)  PID:4292

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .)  PID:2668
    C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .)  PID:2292
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vpyshxljskzxykqh.exe*.")  PID:1464

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe)  PID:2656
    C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe)  PID:2596

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .)  PID:5440
    C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .)  PID:1460
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\cxhcsjyxhaqpreldr.exe*.")  PID:3940
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe)  PID:5116
    C:\Windows\vpyshxljskzxykqh.exe  (cmdline: vpyshxljskzxykqh.exe)  PID:5376

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe)  PID:4156
    C:\Windows\vpyshxljskzxykqh.exe  (cmdline: vpyshxljskzxykqh.exe)  PID:2260

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe .)  PID:4596
    C:\Windows\lhsofxnnysjjmaibqh.exe  (cmdline: lhsofxnnysjjmaibqh.exe .)  PID:4376
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\lhsofxnnysjjmaibqh.exe*.")  PID:3960

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe .)  PID:372
    C:\Windows\wtfcunefrmefjyhbrja.exe  (cmdline: wtfcunefrmefjyhbrja.exe .)  PID:2420
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wtfcunefrmefjyhbrja.exe*.")  PID:5000

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe)  PID:1208
    C:\Windows\jhuslfxzmibdiyidunfd.exe  (cmdline: jhuslfxzmibdiyidunfd.exe)  PID:5324

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe)  PID:5868
    C:\Windows\vpyshxljskzxykqh.exe  (cmdline: vpyshxljskzxykqh.exe)  PID:5424

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe .)  PID:3944
    C:\Windows\lhsofxnnysjjmaibqh.exe  (cmdline: lhsofxnnysjjmaibqh.exe .)  PID:324
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\lhsofxnnysjjmaibqh.exe*.")  PID:2072

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe .)  PID:5972
    C:\Windows\vpyshxljskzxykqh.exe  (cmdline: vpyshxljskzxykqh.exe .)  PID:3780
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vpyshxljskzxykqh.exe*.")  PID:3380

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe)  PID:4236
    C:\Windows\lhsofxnnysjjmaibqh.exe  (cmdline: lhsofxnnysjjmaibqh.exe)  PID:1672

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe)  PID:2220
    C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe)  PID:1612

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe)  PID:1128
    C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe)  PID:512

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .)  PID:5660
    C:\Windows\System32\Conhost.exe  (cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)  PID:2184
    C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .)  PID:1216
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vpyshxljskzxykqh.exe*.")  PID:3460

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .)  PID:5012
    C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .)  PID:5976
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yxlkezsvjgadjalhztmlz.exe*.")  PID:4876

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe .)  PID:2660
    C:\Windows\cxhcsjyxhaqpreldr.exe  (cmdline: cxhcsjyxhaqpreldr.exe .)  PID:4944
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\cxhcsjyxhaqpreldr.exe*.")  PID:1276

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe)  PID:5772
    C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe)  PID:4456

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe)  PID:5644
    C:\Windows\cxhcsjyxhaqpreldr.exe  (cmdline: cxhcsjyxhaqpreldr.exe)  PID:2056

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe)  PID:5256
    C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe)  PID:232

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .)  PID:2128
    C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .)  PID:5420
        - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yxlkezsvjgadjalhztmlz.exe*.")  PID:1656
            - Modifies WinLogon for persistence
            - UAC bypass
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System policy modification

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe .)  PID:6088
    C:\Windows\wtfcunefrmefjyhbrja.exe  (cmdline: wtfcunefrmefjyhbrja.exe .)  PID:2092
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wtfcunefrmefjyhbrja.exe*.")  PID:3868

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .)  PID:3600
    C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .)  PID:3660
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\lhsofxnnysjjmaibqh.exe*.")  PID:4752

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe)  PID:4640
    C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe)  PID:2732

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe .)  PID:5052
    C:\Windows\System32\Conhost.exe  (cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)  PID:5464
    C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe .)  PID:5516
        - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jhuslfxzmibdiyidunfd.exe*.")  PID:4880

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe)  PID:3612
    C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe)  PID:5896

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .)  PID:3020
    C:\Windows\System32\Conhost.exe  (cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)  PID:4432
    C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe  (cmdline: C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .)  PID:4808
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\lhsofxnnysjjmaibqh.exe*.")  PID:5872

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe)  PID:2216
    C:\Windows\vpyshxljskzxykqh.exe  (cmdline: vpyshxljskzxykqh.exe)  PID:224

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe .)  PID:3796
    C:\Windows\vpyshxljskzxykqh.exe  (cmdline: vpyshxljskzxykqh.exe .)  PID:1140
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vpyshxljskzxykqh.exe*.")  PID:1644

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe)  PID:5364
    C:\Windows\yxlkezsvjgadjalhztmlz.exe  (cmdline: yxlkezsvjgadjalhztmlz.exe)  PID:4992

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe .)  PID:5816
    C:\Windows\jhuslfxzmibdiyidunfd.exe  (cmdline: jhuslfxzmibdiyidunfd.exe .)  PID:6132
        - Checks computer location settings
        C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jhuslfxzmibdiyidunfd.exe*.")  PID:5180

C:\Windows\system32\cmd.exe  (cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe)  PID:5168
-
C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exeC:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe2⤵PID:4356
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .1⤵PID:1356
-
C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exeC:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5756 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yxlkezsvjgadjalhztmlz.exe*."3⤵PID:5232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe1⤵PID:4492
-
C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe2⤵PID:5424
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .1⤵PID:2908
-
C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2420 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\lhsofxnnysjjmaibqh.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe1⤵PID:5004
-
C:\Windows\vpyshxljskzxykqh.exevpyshxljskzxykqh.exe2⤵PID:3028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe .1⤵PID:4320
-
C:\Windows\wtfcunefrmefjyhbrja.exewtfcunefrmefjyhbrja.exe .2⤵
- Checks computer location settings
PID:2996 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wtfcunefrmefjyhbrja.exe*."3⤵PID:5008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe1⤵PID:1032
-
C:\Windows\jhuslfxzmibdiyidunfd.exejhuslfxzmibdiyidunfd.exe2⤵PID:752
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe .1⤵PID:5100
-
C:\Windows\yxlkezsvjgadjalhztmlz.exeyxlkezsvjgadjalhztmlz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:848 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yxlkezsvjgadjalhztmlz.exe*."3⤵PID:4944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe1⤵PID:1592
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5972
-
-
C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exeC:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe2⤵PID:5976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .1⤵PID:5260
-
C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3944 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vpyshxljskzxykqh.exe*."3⤵PID:4876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe1⤵PID:3512
-
C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe2⤵PID:2808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .1⤵PID:2616
-
C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exeC:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .2⤵
- Checks computer location settings
PID:4884 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yxlkezsvjgadjalhztmlz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe1⤵PID:1012
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1828
-
-
C:\Windows\vpyshxljskzxykqh.exevpyshxljskzxykqh.exe2⤵PID:2972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe .1⤵PID:1796
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6000
-
-
C:\Windows\wtfcunefrmefjyhbrja.exewtfcunefrmefjyhbrja.exe .2⤵PID:4736
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wtfcunefrmefjyhbrja.exe*."3⤵PID:2508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe1⤵PID:3092
-
C:\Windows\yxlkezsvjgadjalhztmlz.exeyxlkezsvjgadjalhztmlz.exe2⤵PID:4588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe .1⤵PID:2944
-
C:\Windows\vpyshxljskzxykqh.exevpyshxljskzxykqh.exe .2⤵PID:6096
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vpyshxljskzxykqh.exe*."3⤵PID:4740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe1⤵PID:1900
-
C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exeC:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe2⤵PID:5612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .1⤵PID:1068
-
C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .2⤵
- Checks computer location settings
PID:3832 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\lhsofxnnysjjmaibqh.exe*."3⤵PID:5884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe1⤵PID:5524
-
C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe2⤵PID:2400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .1⤵PID:5380
-
C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exeC:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5476 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\cxhcsjyxhaqpreldr.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe1⤵PID:3880
-
C:\Windows\lhsofxnnysjjmaibqh.exelhsofxnnysjjmaibqh.exe2⤵PID:5104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe .1⤵PID:3024
-
C:\Windows\lhsofxnnysjjmaibqh.exelhsofxnnysjjmaibqh.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4872 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\lhsofxnnysjjmaibqh.exe*."3⤵PID:5168
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe1⤵PID:5844
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5376
-
-
C:\Windows\vpyshxljskzxykqh.exevpyshxljskzxykqh.exe2⤵PID:4080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe .1⤵PID:5088
-
C:\Windows\lhsofxnnysjjmaibqh.exelhsofxnnysjjmaibqh.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5472 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\lhsofxnnysjjmaibqh.exe*."3⤵PID:4220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe1⤵PID:4672
-
C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exeC:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe2⤵PID:932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe .1⤵PID:452
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2260
-
-
C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exeC:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe .2⤵
- Checks computer location settings
PID:464 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jhuslfxzmibdiyidunfd.exe*."3⤵PID:1656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe1⤵PID:3616
-
C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe2⤵PID:1232
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe .1⤵PID:3240
-
C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exeC:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5552 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jhuslfxzmibdiyidunfd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe1⤵PID:5932
-
C:\Windows\yxlkezsvjgadjalhztmlz.exeyxlkezsvjgadjalhztmlz.exe2⤵PID:3844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe .1⤵PID:3000
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3700
-
-
C:\Windows\cxhcsjyxhaqpreldr.execxhcsjyxhaqpreldr.exe .2⤵PID:1360
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\cxhcsjyxhaqpreldr.exe*."3⤵PID:4456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe1⤵PID:324
-
C:\Windows\cxhcsjyxhaqpreldr.execxhcsjyxhaqpreldr.exe2⤵PID:1488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe .1⤵PID:5976
-
C:\Windows\wtfcunefrmefjyhbrja.exewtfcunefrmefjyhbrja.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4448 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wtfcunefrmefjyhbrja.exe*."3⤵PID:4876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe1⤵PID:3364
-
C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe2⤵PID:3456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .1⤵PID:1276
-
C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exeC:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4716 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yxlkezsvjgadjalhztmlz.exe*."3⤵PID:2732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe1⤵PID:3536
-
C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe2⤵PID:2660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .1⤵PID:4996
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4444
-
-
C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exeC:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .2⤵PID:5508
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\cxhcsjyxhaqpreldr.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:64
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe1⤵PID:6108
-
C:\Windows\jhuslfxzmibdiyidunfd.exejhuslfxzmibdiyidunfd.exe2⤵PID:2060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe .1⤵PID:1808
-
C:\Windows\yxlkezsvjgadjalhztmlz.exeyxlkezsvjgadjalhztmlz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4620 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yxlkezsvjgadjalhztmlz.exe*."3⤵PID:5516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe1⤵PID:5308
-
C:\Windows\jhuslfxzmibdiyidunfd.exejhuslfxzmibdiyidunfd.exe2⤵PID:5284
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe .1⤵PID:5500
-
C:\Windows\jhuslfxzmibdiyidunfd.exejhuslfxzmibdiyidunfd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1000 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jhuslfxzmibdiyidunfd.exe*."3⤵PID:4072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe1⤵PID:4164
-
C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exeC:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe2⤵PID:1844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .1⤵PID:5428
-
C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exeC:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3532 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yxlkezsvjgadjalhztmlz.exe*."3⤵PID:4032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe1⤵PID:2424
-
C:\Windows\wtfcunefrmefjyhbrja.exewtfcunefrmefjyhbrja.exe2⤵PID:2108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe1⤵PID:2628
-
C:\Windows\jhuslfxzmibdiyidunfd.exejhuslfxzmibdiyidunfd.exe2⤵PID:1724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe1⤵PID:4772
-
C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe2⤵PID:5492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .1⤵PID:1528
-
C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exeC:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .2⤵PID:4788
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yxlkezsvjgadjalhztmlz.exe*."3⤵PID:2720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe .1⤵PID:680
-
C:\Windows\wtfcunefrmefjyhbrja.exewtfcunefrmefjyhbrja.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wtfcunefrmefjyhbrja.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe .1⤵PID:5564
-
C:\Windows\cxhcsjyxhaqpreldr.execxhcsjyxhaqpreldr.exe .2⤵PID:1460
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\cxhcsjyxhaqpreldr.exe*."3⤵PID:1080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe1⤵PID:6028
-
C:\Windows\wtfcunefrmefjyhbrja.exewtfcunefrmefjyhbrja.exe2⤵PID:1144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe .1⤵PID:1904
-
C:\Windows\yxlkezsvjgadjalhztmlz.exeyxlkezsvjgadjalhztmlz.exe .2⤵
- Checks computer location settings
PID:3616 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yxlkezsvjgadjalhztmlz.exe*."3⤵PID:2836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe1⤵PID:4080
-
C:\Windows\vpyshxljskzxykqh.exevpyshxljskzxykqh.exe2⤵PID:4764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe1⤵PID:3136
-
C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exeC:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe2⤵PID:3188
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe .1⤵PID:4564
-
C:\Windows\jhuslfxzmibdiyidunfd.exejhuslfxzmibdiyidunfd.exe .2⤵
- Checks computer location settings
PID:5932 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jhuslfxzmibdiyidunfd.exe*."3⤵PID:4500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .1⤵PID:3852
-
C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5456 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wtfcunefrmefjyhbrja.exe*."3⤵PID:3536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe1⤵PID:4200
-
C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exeC:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe2⤵PID:1032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .1⤵PID:2924
-
C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5392 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\lhsofxnnysjjmaibqh.exe*."3⤵PID:2732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe1⤵PID:3752
-
C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe2⤵PID:1684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe1⤵PID:5812
-
C:\Windows\lhsofxnnysjjmaibqh.exelhsofxnnysjjmaibqh.exe2⤵PID:3764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .1⤵PID:3240
-
C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .2⤵
- Checks computer location settings
PID:5580 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\lhsofxnnysjjmaibqh.exe*."3⤵PID:5024
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe1⤵PID:4856
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3380
-
-
C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exeC:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe2⤵PID:4948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .1⤵PID:1488
-
C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exeC:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4988 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yxlkezsvjgadjalhztmlz.exe*."3⤵PID:6108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe .1⤵PID:5944
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5512
-
-
C:\Windows\cxhcsjyxhaqpreldr.execxhcsjyxhaqpreldr.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:232 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\cxhcsjyxhaqpreldr.exe*."3⤵PID:5996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe1⤵PID:2816
-
C:\Windows\lhsofxnnysjjmaibqh.exelhsofxnnysjjmaibqh.exe2⤵PID:3848
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe .1⤵PID:5192
-
C:\Windows\jhuslfxzmibdiyidunfd.exejhuslfxzmibdiyidunfd.exe .2⤵
- Checks computer location settings
PID:2144 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jhuslfxzmibdiyidunfd.exe*."3⤵PID:3092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe1⤵PID:4732
-
C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exeC:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe2⤵PID:1420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .1⤵PID:3292
-
C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .2⤵PID:5216
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wtfcunefrmefjyhbrja.exe*."3⤵PID:6072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe1⤵PID:2832
-
C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exeC:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe2⤵PID:3300
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .1⤵PID:5284
-
C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .2⤵PID:3628
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\lhsofxnnysjjmaibqh.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe1⤵PID:3964
-
C:\Windows\cxhcsjyxhaqpreldr.execxhcsjyxhaqpreldr.exe2⤵PID:5572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe .1⤵PID:512
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4568
-
-
C:\Windows\vpyshxljskzxykqh.exevpyshxljskzxykqh.exe .2⤵PID:1216
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vpyshxljskzxykqh.exe*."3⤵PID:2332
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe1⤵PID:2400
-
C:\Windows\cxhcsjyxhaqpreldr.execxhcsjyxhaqpreldr.exe2⤵PID:3328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe .1⤵PID:3452
-
C:\Windows\jhuslfxzmibdiyidunfd.exejhuslfxzmibdiyidunfd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:6132 -
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jhuslfxzmibdiyidunfd.exe*."3⤵PID:3016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe1⤵PID:6008
-
C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exeC:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe2⤵PID:1460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe .1⤵PID:5928
-
C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exeC:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe .2⤵PID:2848
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jhuslfxzmibdiyidunfd.exe*."3⤵PID:1232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe1⤵PID:6128
-
C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exeC:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe2⤵PID:2908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .1⤵PID:1644
-
C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .2⤵PID:4068
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wtfcunefrmefjyhbrja.exe*."3⤵PID:3936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe1⤵PID:5032
-
C:\Windows\wtfcunefrmefjyhbrja.exewtfcunefrmefjyhbrja.exe2⤵PID:1536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe .1⤵PID:1832
-
C:\Windows\cxhcsjyxhaqpreldr.execxhcsjyxhaqpreldr.exe .2⤵PID:2156
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\cxhcsjyxhaqpreldr.exe*."3⤵PID:2140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe1⤵PID:632
-
C:\Windows\vpyshxljskzxykqh.exevpyshxljskzxykqh.exe2⤵PID:1940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe .1⤵PID:4644
-
C:\Windows\vpyshxljskzxykqh.exevpyshxljskzxykqh.exe .2⤵PID:3364
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vpyshxljskzxykqh.exe*."3⤵PID:2344
-
-
-
Process tree entries. Indentation shows depth below the parent process; each line gives the PID, the image path and, after "::", the command line as recorded by the sandbox.

PID 4320  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe
    PID 6076  C:\Windows\System32\Conhost.exe  ::  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 4668  C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe  ::  C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe

PID 932  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .
    PID 3912  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .
        PID 2020  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vpyshxljskzxykqh.exe*."

PID 6056  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe
    PID 5644  C:\Windows\System32\Conhost.exe  ::  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 2060  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe

PID 4592  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .
    PID 116  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe  ::  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .
        PID 3240  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wtfcunefrmefjyhbrja.exe*."

PID 4580  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe
    PID 4464  C:\Windows\cxhcsjyxhaqpreldr.exe  ::  cxhcsjyxhaqpreldr.exe

PID 4228  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe .
    PID 1208  C:\Windows\cxhcsjyxhaqpreldr.exe  ::  cxhcsjyxhaqpreldr.exe .
        PID 2144  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\cxhcsjyxhaqpreldr.exe*."

PID 1488  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe
    PID 3092  C:\Windows\cxhcsjyxhaqpreldr.exe  ::  cxhcsjyxhaqpreldr.exe

PID 1792  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe .
    PID 5192  C:\Windows\System32\Conhost.exe  ::  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 4736  C:\Windows\wtfcunefrmefjyhbrja.exe  ::  wtfcunefrmefjyhbrja.exe .
        PID 3096  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wtfcunefrmefjyhbrja.exe*."

PID 5516  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe
    PID 4708  C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe  ::  C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe

PID 3292  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .
    PID 748  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .
        PID 908  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vpyshxljskzxykqh.exe*."

PID 6140  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe
    PID 4004  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe

PID 1852  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .
    PID 4768  C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe  ::  C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .
        PID 3492  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yxlkezsvjgadjalhztmlz.exe*."

PID 5600  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe
    PID 5356  C:\Windows\yxlkezsvjgadjalhztmlz.exe  ::  yxlkezsvjgadjalhztmlz.exe

PID 3644  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe .
    PID 2424  C:\Windows\lhsofxnnysjjmaibqh.exe  ::  lhsofxnnysjjmaibqh.exe .
        PID 1468  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\lhsofxnnysjjmaibqh.exe*."

PID 4936  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe
    PID 404  C:\Windows\vpyshxljskzxykqh.exe  ::  vpyshxljskzxykqh.exe

PID 976  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe .
    PID 2720  C:\Windows\lhsofxnnysjjmaibqh.exe  ::  lhsofxnnysjjmaibqh.exe .
        PID 1052  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\lhsofxnnysjjmaibqh.exe*."

PID 1460  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe
    PID 4780  C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe  ::  C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe

PID 5660  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .
    PID 1388  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe  ::  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .
        PID 1568  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wtfcunefrmefjyhbrja.exe*."

PID 3812  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe
    PID 3008  C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe

PID 1492  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .
    PID 680  C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .
        PID 2232  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\lhsofxnnysjjmaibqh.exe*."

PID 4384  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe
    PID 1000  C:\Windows\lhsofxnnysjjmaibqh.exe  ::  lhsofxnnysjjmaibqh.exe

PID 3204  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe .
    PID 4532  C:\Windows\wtfcunefrmefjyhbrja.exe  ::  wtfcunefrmefjyhbrja.exe .
        PID 4220  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wtfcunefrmefjyhbrja.exe*."

PID 1396  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe
    PID 4452  C:\Windows\yxlkezsvjgadjalhztmlz.exe  ::  yxlkezsvjgadjalhztmlz.exe

PID 3984  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe .
    PID 464  C:\Windows\yxlkezsvjgadjalhztmlz.exe  ::  yxlkezsvjgadjalhztmlz.exe .
        PID 2984  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yxlkezsvjgadjalhztmlz.exe*."

PID 2808  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe
    PID 5772  C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe  ::  C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe

PID 5568  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .
    PID 4644  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .
        PID 2200  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vpyshxljskzxykqh.exe*."

PID 5004  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe
    PID 5976  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe

PID 5580  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .
    PID 1952  C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe  ::  C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .
        PID 4172  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\cxhcsjyxhaqpreldr.exe*."

PID 5996  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe
    PID 3844  C:\Windows\yxlkezsvjgadjalhztmlz.exe  ::  yxlkezsvjgadjalhztmlz.exe

PID 5372  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe .
    PID 4884  C:\Windows\wtfcunefrmefjyhbrja.exe  ::  wtfcunefrmefjyhbrja.exe .
        PID 6040  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wtfcunefrmefjyhbrja.exe*."

PID 3780  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe
    PID 5704  C:\Windows\yxlkezsvjgadjalhztmlz.exe  ::  yxlkezsvjgadjalhztmlz.exe

PID 1736  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe
    PID 1064  C:\Windows\cxhcsjyxhaqpreldr.exe  ::  cxhcsjyxhaqpreldr.exe

PID 2044  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe
    PID 5516  C:\Windows\jhuslfxzmibdiyidunfd.exe  ::  jhuslfxzmibdiyidunfd.exe

PID 5588  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe .
    PID 3624  C:\Windows\wtfcunefrmefjyhbrja.exe  ::  wtfcunefrmefjyhbrja.exe .
        PID 3304  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wtfcunefrmefjyhbrja.exe*."

PID 1488  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe .
    PID 1144  C:\Windows\System32\Conhost.exe  ::  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 3292  C:\Windows\lhsofxnnysjjmaibqh.exe  ::  lhsofxnnysjjmaibqh.exe .
        PID 1216  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\lhsofxnnysjjmaibqh.exe*."

PID 516  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe .
    PID 6140  C:\Windows\wtfcunefrmefjyhbrja.exe  ::  wtfcunefrmefjyhbrja.exe .
        PID 3444  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wtfcunefrmefjyhbrja.exe*."

PID 4680  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe
    PID 3832  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe

PID 1472  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .
    PID 3856  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .
        PID 2644  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vpyshxljskzxykqh.exe*."

PID 3332  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe
    PID 5296  C:\Windows\vpyshxljskzxykqh.exe  ::  vpyshxljskzxykqh.exe

PID 3628  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe
    PID 4992  C:\Windows\vpyshxljskzxykqh.exe  ::  vpyshxljskzxykqh.exe

PID 4072  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe .
    PID 3008  C:\Windows\cxhcsjyxhaqpreldr.exe  ::  cxhcsjyxhaqpreldr.exe .
        PID 4224  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\cxhcsjyxhaqpreldr.exe*."

PID 3600  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe .
    PID 688  C:\Windows\jhuslfxzmibdiyidunfd.exe  ::  jhuslfxzmibdiyidunfd.exe .
        PID 4120  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jhuslfxzmibdiyidunfd.exe*."

PID 5044  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe
    PID 3328  C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe  ::  C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe

PID 3036  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe
    PID 4480  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe  ::  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe

PID 2224  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe
    PID 4792  C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe  ::  C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe

PID 4772  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .
    PID 2996  C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe  ::  C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .
        PID 4468  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yxlkezsvjgadjalhztmlz.exe*."

PID 3016  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .
    PID 5168  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe  ::  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .
        PID 5772  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wtfcunefrmefjyhbrja.exe*."

PID 1464  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .
    PID 4624  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe  ::  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .
        PID 4892  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wtfcunefrmefjyhbrja.exe*."

PID 5256  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe
    PID 2000  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe

PID 5612  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe
    PID 5320  C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe

PID 4252  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .
    PID 1988  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .
        PID 2528  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vpyshxljskzxykqh.exe*."

PID 3892  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .
    PID 1692  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe  ::  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .
        PID 2200  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wtfcunefrmefjyhbrja.exe*."

PID 5656  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe
    PID 5568  C:\Windows\yxlkezsvjgadjalhztmlz.exe  ::  yxlkezsvjgadjalhztmlz.exe

PID 5976  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe .
    PID 5108  C:\Windows\vpyshxljskzxykqh.exe  ::  vpyshxljskzxykqh.exe .
        PID 2692  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vpyshxljskzxykqh.exe*."

PID 3156  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe
    PID 752  C:\Windows\lhsofxnnysjjmaibqh.exe  ::  lhsofxnnysjjmaibqh.exe

PID 2068  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe .
    PID 5996  C:\Windows\jhuslfxzmibdiyidunfd.exe  ::  jhuslfxzmibdiyidunfd.exe .
        PID 5480  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jhuslfxzmibdiyidunfd.exe*."

PID 3844  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe
    PID 4368  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe  ::  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe

PID 4716  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .
    PID 5300  C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .
        PID 2820  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\lhsofxnnysjjmaibqh.exe*."

PID 1064  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe
    PID 4424  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe  ::  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe

PID 3300  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .
    PID 6020  C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe  ::  C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .
        PID 5884  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\cxhcsjyxhaqpreldr.exe*."

PID 544  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe
    PID 5404  C:\Windows\jhuslfxzmibdiyidunfd.exe  ::  jhuslfxzmibdiyidunfd.exe

PID 4516  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe .
    PID 6132  C:\Windows\System32\Conhost.exe  ::  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 4880  C:\Windows\jhuslfxzmibdiyidunfd.exe  ::  jhuslfxzmibdiyidunfd.exe .
        PID 1368  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jhuslfxzmibdiyidunfd.exe*."

PID 2304  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe
    PID 724  C:\Windows\cxhcsjyxhaqpreldr.exe  ::  cxhcsjyxhaqpreldr.exe

PID 3264  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe .
    PID 516  C:\Windows\cxhcsjyxhaqpreldr.exe  ::  cxhcsjyxhaqpreldr.exe .
        PID 5056  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\cxhcsjyxhaqpreldr.exe*."

PID 1992  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe
    PID 1844  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe

PID 876  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .
    PID 1656  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .
        PID 4120  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vpyshxljskzxykqh.exe*."

PID 4584  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe
    PID 3848  C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe  ::  C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe

PID 2988  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .
    PID 4224  C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .
        PID 3312  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\lhsofxnnysjjmaibqh.exe*."

PID 1684  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe
    PID 1824  C:\Windows\vpyshxljskzxykqh.exe  ::  vpyshxljskzxykqh.exe

PID 5272  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe .
    PID 3580  C:\Windows\yxlkezsvjgadjalhztmlz.exe  ::  yxlkezsvjgadjalhztmlz.exe .
        PID 4660  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yxlkezsvjgadjalhztmlz.exe*."

PID 2708  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe
    PID 4740  C:\Windows\System32\Conhost.exe  ::  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 3056  C:\Windows\cxhcsjyxhaqpreldr.exe  ::  cxhcsjyxhaqpreldr.exe

PID 3452  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe .
    PID 6008  C:\Windows\yxlkezsvjgadjalhztmlz.exe  ::  yxlkezsvjgadjalhztmlz.exe .
        PID 3408  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yxlkezsvjgadjalhztmlz.exe*."

PID 4888  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe
    PID 3568  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe  ::  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe

PID 4872  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .
    PID 2808  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe  ::  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .
        PID 4212  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wtfcunefrmefjyhbrja.exe*."

PID 2348  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe
    PID 4200  C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe

PID 2732  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .
    PID 3136  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe  ::  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .
        PID 4852  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wtfcunefrmefjyhbrja.exe*."

PID 1488  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe
    PID 772  C:\Windows\yxlkezsvjgadjalhztmlz.exe  ::  yxlkezsvjgadjalhztmlz.exe

PID 2236  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe .
    PID 4008  C:\Windows\lhsofxnnysjjmaibqh.exe  ::  lhsofxnnysjjmaibqh.exe .
        PID 4636  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\lhsofxnnysjjmaibqh.exe*."

PID 5400  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe
    PID 1976  C:\Windows\yxlkezsvjgadjalhztmlz.exe  ::  yxlkezsvjgadjalhztmlz.exe

PID 5944  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe .
    PID 5768  C:\Windows\System32\Conhost.exe  ::  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 3844  C:\Windows\jhuslfxzmibdiyidunfd.exe  ::  jhuslfxzmibdiyidunfd.exe .
        PID 1420  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jhuslfxzmibdiyidunfd.exe*."

PID 3668  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe
    PID 2932  C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe  ::  C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe

PID 4104  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .
    PID 3780  C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe  ::  C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .
        PID 4964  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yxlkezsvjgadjalhztmlz.exe*."

PID 4424  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe
    PID 6108  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe

PID 1064  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .
    PID 2696  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe  ::  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .
        PID 2604  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wtfcunefrmefjyhbrja.exe*."

PID 6096  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe
    PID 5088  C:\Windows\System32\Conhost.exe  ::  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 6140  C:\Windows\cxhcsjyxhaqpreldr.exe  ::  cxhcsjyxhaqpreldr.exe

PID 4172  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe .
    PID 1140  C:\Windows\System32\Conhost.exe  ::  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 1368  C:\Windows\lhsofxnnysjjmaibqh.exe  ::  lhsofxnnysjjmaibqh.exe .
        PID 4736  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\lhsofxnnysjjmaibqh.exe*."

PID 3672  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe
    PID 5072  C:\Windows\cxhcsjyxhaqpreldr.exe  ::  cxhcsjyxhaqpreldr.exe

PID 1844  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe .
    PID 5740  C:\Windows\yxlkezsvjgadjalhztmlz.exe  ::  yxlkezsvjgadjalhztmlz.exe .
        PID 1356  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yxlkezsvjgadjalhztmlz.exe*."

PID 2740  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe
    PID 4396  C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe  ::  C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe

PID 4992  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .
    PID 5380  C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe  ::  C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .
        PID 6128  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\cxhcsjyxhaqpreldr.exe*."

PID 4196  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe
    PID 2284  C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe  ::  C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe

PID 1644  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .
    PID 1388  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .
        PID 3748  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vpyshxljskzxykqh.exe*."

PID 2600  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe
    PID 3760  C:\Windows\yxlkezsvjgadjalhztmlz.exe  ::  yxlkezsvjgadjalhztmlz.exe

PID 3860  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe .
    PID 5936  C:\Windows\jhuslfxzmibdiyidunfd.exe  ::  jhuslfxzmibdiyidunfd.exe .
        PID 5600  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jhuslfxzmibdiyidunfd.exe*."

PID 2424  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe
    PID 3812  C:\Windows\vpyshxljskzxykqh.exe  ::  vpyshxljskzxykqh.exe

PID 1568  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe .
    PID 452  C:\Windows\wtfcunefrmefjyhbrja.exe  ::  wtfcunefrmefjyhbrja.exe .
        PID 1972  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wtfcunefrmefjyhbrja.exe*."

PID 5324  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe
    PID 4888  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe

PID 2492  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .
    PID 1592  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .
        PID 5984  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vpyshxljskzxykqh.exe*."

PID 3492  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe
    PID 4212  C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe

PID 2808  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .
    PID 5656  C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe  ::  C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .
        PID 4672  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\cxhcsjyxhaqpreldr.exe*."

PID 2200  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe
    PID 2268  C:\Windows\yxlkezsvjgadjalhztmlz.exe  ::  yxlkezsvjgadjalhztmlz.exe

PID 3884  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe
    PID 2108  C:\Windows\yxlkezsvjgadjalhztmlz.exe  ::  yxlkezsvjgadjalhztmlz.exe

PID 5916  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe .
    PID 2732  C:\Windows\System32\Conhost.exe  ::  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 3588  C:\Windows\cxhcsjyxhaqpreldr.exe  ::  cxhcsjyxhaqpreldr.exe .
        PID 2428  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\cxhcsjyxhaqpreldr.exe*."

PID 3292  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe .
    PID 5540  C:\Windows\lhsofxnnysjjmaibqh.exe  ::  lhsofxnnysjjmaibqh.exe .
        PID 232  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\lhsofxnnysjjmaibqh.exe*."

PID 4492  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe
    PID 4360  C:\Windows\wtfcunefrmefjyhbrja.exe  ::  wtfcunefrmefjyhbrja.exe

PID 5456  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe
    PID 5268  C:\Windows\vpyshxljskzxykqh.exe  ::  vpyshxljskzxykqh.exe

PID 1976  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe
    PID 3624  C:\Windows\jhuslfxzmibdiyidunfd.exe  ::  jhuslfxzmibdiyidunfd.exe

PID 2940  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe .
    PID 6020  C:\Windows\cxhcsjyxhaqpreldr.exe  ::  cxhcsjyxhaqpreldr.exe .
        PID 1068  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\cxhcsjyxhaqpreldr.exe*."

PID 944  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe .
    PID 4000  C:\Windows\cxhcsjyxhaqpreldr.exe  ::  cxhcsjyxhaqpreldr.exe .
        PID 3956  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\cxhcsjyxhaqpreldr.exe*."

PID 2144  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe
    PID 4516  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe  ::  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe

PID 1736  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe
    PID 1252  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe  ::  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe

PID 2384  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe .
    PID 3196  C:\Windows\vpyshxljskzxykqh.exe  ::  vpyshxljskzxykqh.exe .
        PID 2600  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vpyshxljskzxykqh.exe*."

PID 6088  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .
    PID 5380  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .
        PID 5356  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vpyshxljskzxykqh.exe*."

PID 4852  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .
    PID 5192  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .
        PID 4524  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vpyshxljskzxykqh.exe*."

PID 4620  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe
    PID 4344  C:\Windows\jhuslfxzmibdiyidunfd.exe  ::  jhuslfxzmibdiyidunfd.exe

PID 6140  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe .
    PID 5284  C:\Windows\System32\Conhost.exe  ::  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 3008  C:\Windows\yxlkezsvjgadjalhztmlz.exe  ::  yxlkezsvjgadjalhztmlz.exe .
        PID 4944  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yxlkezsvjgadjalhztmlz.exe*."

PID 3880  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe
    PID 4504  C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe  ::  C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe

PID 3096  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe
    PID 4560  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe  ::  C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe

PID 1852  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe
    PID 5844  C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe  ::  C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe

PID 5296  C:\Windows\system32\cmd.exe  ::  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .
    PID 5660  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe  ::  C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .
        PID 4076  C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe  ::  "C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wtfcunefrmefjyhbrja.exe*."
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .1⤵PID:3964
-
C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exeC:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .2⤵PID:1428
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yxlkezsvjgadjalhztmlz.exe*."3⤵PID:2656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe .1⤵PID:3856
-
C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exeC:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe .2⤵PID:3204
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jhuslfxzmibdiyidunfd.exe*."3⤵PID:5964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe1⤵PID:2012
-
C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exeC:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe2⤵PID:5988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .1⤵PID:512
-
C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .2⤵PID:4156
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wtfcunefrmefjyhbrja.exe*."3⤵PID:2420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe1⤵PID:4320
-
C:\Windows\yxlkezsvjgadjalhztmlz.exeyxlkezsvjgadjalhztmlz.exe2⤵PID:2528
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe .1⤵PID:3492
-
C:\Windows\wtfcunefrmefjyhbrja.exewtfcunefrmefjyhbrja.exe .2⤵PID:3496
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wtfcunefrmefjyhbrja.exe*."3⤵PID:2668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe1⤵PID:5440
-
C:\Windows\lhsofxnnysjjmaibqh.exelhsofxnnysjjmaibqh.exe2⤵PID:4256
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe .1⤵PID:3312
-
C:\Windows\cxhcsjyxhaqpreldr.execxhcsjyxhaqpreldr.exe .2⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\cxhcsjyxhaqpreldr.exe*."3⤵PID:4408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe1⤵PID:4416
-
C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe2⤵PID:2204
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .1⤵PID:2000
-
C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exeC:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .2⤵PID:5400
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yxlkezsvjgadjalhztmlz.exe*."3⤵PID:2684
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe1⤵PID:2428
-
C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exeC:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe2⤵PID:4812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .1⤵PID:3440
-
C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exeC:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .2⤵PID:816
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\cxhcsjyxhaqpreldr.exe*."3⤵PID:396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe1⤵PID:4736
-
C:\Windows\jhuslfxzmibdiyidunfd.exejhuslfxzmibdiyidunfd.exe2⤵PID:4608
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe .1⤵PID:908
-
C:\Windows\vpyshxljskzxykqh.exevpyshxljskzxykqh.exe .2⤵PID:4516
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vpyshxljskzxykqh.exe*."3⤵PID:4592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe1⤵PID:4732
-
C:\Windows\yxlkezsvjgadjalhztmlz.exeyxlkezsvjgadjalhztmlz.exe2⤵PID:4724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe .1⤵PID:2284
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5000
-
-
C:\Windows\jhuslfxzmibdiyidunfd.exejhuslfxzmibdiyidunfd.exe .2⤵PID:2844
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jhuslfxzmibdiyidunfd.exe*."3⤵PID:4988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe1⤵PID:4120
-
C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exeC:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe2⤵PID:3780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .1⤵PID:4480
-
C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exeC:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .2⤵PID:4152
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yxlkezsvjgadjalhztmlz.exe*."3⤵PID:1484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe1⤵PID:1012
-
C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe2⤵PID:1272
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .1⤵PID:4424
-
C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .2⤵PID:3196
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\lhsofxnnysjjmaibqh.exe*."3⤵PID:2508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe1⤵PID:4964
-
C:\Windows\yxlkezsvjgadjalhztmlz.exeyxlkezsvjgadjalhztmlz.exe2⤵PID:5532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe .1⤵PID:6004
-
C:\Windows\lhsofxnnysjjmaibqh.exelhsofxnnysjjmaibqh.exe .2⤵PID:4612
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\lhsofxnnysjjmaibqh.exe*."3⤵PID:1628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe1⤵PID:1208
-
C:\Windows\cxhcsjyxhaqpreldr.execxhcsjyxhaqpreldr.exe2⤵PID:4292
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe .1⤵PID:2044
-
C:\Windows\vpyshxljskzxykqh.exevpyshxljskzxykqh.exe .2⤵PID:2156
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vpyshxljskzxykqh.exe*."3⤵PID:4892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe1⤵PID:4656
-
C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe2⤵PID:5872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .1⤵PID:2868
-
C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .2⤵PID:3016
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vpyshxljskzxykqh.exe*."3⤵PID:6008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe1⤵PID:1972
-
C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe2⤵PID:4076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .1⤵PID:2740
-
C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exeC:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .2⤵PID:4340
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yxlkezsvjgadjalhztmlz.exe*."3⤵PID:884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe1⤵PID:5892
-
C:\Windows\wtfcunefrmefjyhbrja.exewtfcunefrmefjyhbrja.exe2⤵PID:4384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe .1⤵PID:5936
-
C:\Windows\jhuslfxzmibdiyidunfd.exejhuslfxzmibdiyidunfd.exe .2⤵PID:3028
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jhuslfxzmibdiyidunfd.exe*."3⤵PID:5276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe1⤵PID:5420
-
C:\Windows\wtfcunefrmefjyhbrja.exewtfcunefrmefjyhbrja.exe2⤵PID:2528
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe .1⤵PID:4748
-
C:\Windows\cxhcsjyxhaqpreldr.execxhcsjyxhaqpreldr.exe .2⤵PID:2720
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\cxhcsjyxhaqpreldr.exe*."3⤵PID:5644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe1⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe2⤵PID:5928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .1⤵PID:5236
-
C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exeC:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe .2⤵PID:3156
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\yxlkezsvjgadjalhztmlz.exe*."3⤵PID:2200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe1⤵PID:5008
-
C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe2⤵PID:3536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe .1⤵PID:3820
-
C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exeC:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe .2⤵PID:5944
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\jhuslfxzmibdiyidunfd.exe*."3⤵PID:2060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe1⤵PID:4104
-
C:\Windows\vpyshxljskzxykqh.exevpyshxljskzxykqh.exe2⤵PID:3892
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe .1⤵PID:3460
-
C:\Windows\jhuslfxzmibdiyidunfd.exejhuslfxzmibdiyidunfd.exe .2⤵PID:4608
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jhuslfxzmibdiyidunfd.exe*."3⤵PID:2072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe1⤵PID:1572
-
C:\Windows\cxhcsjyxhaqpreldr.execxhcsjyxhaqpreldr.exe2⤵PID:4392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe .1⤵PID:908
-
C:\Windows\jhuslfxzmibdiyidunfd.exejhuslfxzmibdiyidunfd.exe .2⤵PID:5508
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jhuslfxzmibdiyidunfd.exe*."3⤵PID:4428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe1⤵PID:5740
-
C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exeC:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe2⤵PID:6036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .1⤵PID:2940
-
C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .2⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vpyshxljskzxykqh.exe*."3⤵PID:5032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe1⤵PID:3248
-
C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe2⤵PID:4680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .1⤵PID:3868
-
C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .2⤵PID:1940
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\vpyshxljskzxykqh.exe*."3⤵PID:2616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe1⤵PID:5164
-
C:\Windows\cxhcsjyxhaqpreldr.execxhcsjyxhaqpreldr.exe2⤵PID:5800
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe .1⤵PID:2148
-
C:\Windows\jhuslfxzmibdiyidunfd.exejhuslfxzmibdiyidunfd.exe .2⤵PID:3616
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\jhuslfxzmibdiyidunfd.exe*."3⤵PID:5372
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe1⤵PID:5572
-
C:\Windows\cxhcsjyxhaqpreldr.execxhcsjyxhaqpreldr.exe2⤵PID:2996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe .1⤵PID:2292
-
C:\Windows\lhsofxnnysjjmaibqh.exelhsofxnnysjjmaibqh.exe .2⤵PID:624
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\lhsofxnnysjjmaibqh.exe*."3⤵PID:1852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe1⤵PID:5192
-
C:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exeC:\Users\Admin\AppData\Local\Temp\yxlkezsvjgadjalhztmlz.exe2⤵PID:1932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe1⤵PID:2892
-
C:\Windows\lhsofxnnysjjmaibqh.exelhsofxnnysjjmaibqh.exe2⤵PID:3576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .1⤵PID:3752
-
C:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exeC:\Users\Admin\AppData\Local\Temp\lhsofxnnysjjmaibqh.exe .2⤵PID:4684
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\lhsofxnnysjjmaibqh.exe*."3⤵PID:3304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lhsofxnnysjjmaibqh.exe1⤵PID:4676
-
C:\Windows\lhsofxnnysjjmaibqh.exelhsofxnnysjjmaibqh.exe2⤵PID:4640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe .1⤵PID:3896
-
C:\Windows\wtfcunefrmefjyhbrja.exewtfcunefrmefjyhbrja.exe .2⤵PID:4992
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\wtfcunefrmefjyhbrja.exe*."3⤵PID:1744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe1⤵PID:2044
-
C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe2⤵PID:5476
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpyshxljskzxykqh.exe .1⤵PID:4432
-
C:\Windows\vpyshxljskzxykqh.exevpyshxljskzxykqh.exe .2⤵PID:4212
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\vpyshxljskzxykqh.exe*."3⤵PID:1000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .1⤵PID:5880
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6096
-
-
C:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exeC:\Users\Admin\AppData\Local\Temp\wtfcunefrmefjyhbrja.exe .2⤵PID:116
-
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\wtfcunefrmefjyhbrja.exe*."3⤵PID:5736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe1⤵PID:5172
-
C:\Windows\cxhcsjyxhaqpreldr.execxhcsjyxhaqpreldr.exe2⤵PID:5936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe1⤵PID:376
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfcunefrmefjyhbrja.exe .1⤵PID:5044
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhuslfxzmibdiyidunfd.exe .1⤵PID:4772
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5472
-
-
C:\Windows\jhuslfxzmibdiyidunfd.exejhuslfxzmibdiyidunfd.exe .2⤵PID:2604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe1⤵PID:5376
-
C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe2⤵PID:4008
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe1⤵PID:4692
-
C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exeC:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe2⤵PID:4456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .1⤵PID:4248
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .1⤵PID:2992
-
C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exeC:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .2⤵PID:4760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe1⤵PID:932
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpyshxljskzxykqh.exe .1⤵PID:1412
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuslfxzmibdiyidunfd.exe1⤵PID:4604
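The process tree above is the sandbox's tree flattened by extraction: image path, command line, depth marker and PID are fused onto one line per process. The Python below is an added example, not part of the Triage report, that parses those fused lines back into a tree and checks two behaviours visible in the dump: the same executable name running both from C:\Windows and from the user's Temp directory, and a child process being handed its parent's own image path as an argument (the qjfmnzhratp.exe "<path>*." invocations). The sample lines are copied verbatim from the report; the heuristics and their names are this example's own.

```python
"""Parse a Triage-style fused process-tree dump and flag self-replication.

Added example, not code from the original report. SAMPLE is copied from the
report's process tree; the two heuristics below are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# One fused line per process: <image path><command line><depth>⤵PID:<pid>
# The image path ends at the first ".exe"; the depth is the single digit
# immediately before the arrow glyph.
LINE_RE = re.compile(r"^(?P<image>.+?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵PID:(?P<pid>\d+)$")


@dataclass
class Proc:
    pid: int
    depth: int
    image: str
    cmdline: str
    parent: Optional["Proc"] = None
    children: list = field(default_factory=list)

    @property
    def basename(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_tree(text: str) -> list[Proc]:
    """Turn fused report lines into Proc objects linked parent -> children.

    Bare "-" lines (expand/collapse residue) and blank lines are skipped.
    A line at depth d becomes a child of the most recent line at depth d-1.
    """
    procs: list[Proc] = []
    stack: list[Proc] = []  # stack[i] is the latest process seen at depth i+1
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable process line: {line!r}")
        p = Proc(int(m["pid"]), int(m["depth"]), m["image"], m["cmd"].strip())
        del stack[p.depth - 1:]  # forget siblings and deeper branches
        if stack:
            p.parent = stack[-1]
            stack[-1].children.append(p)
        stack.append(p)
        procs.append(p)
    return procs


WINDOWS_DIR = "c:\\windows\\"
TEMP_DIR = "\\appdata\\local\\temp\\"


def dual_location_names(procs: list[Proc]) -> set[str]:
    """Basenames that ran both directly under C:\\Windows and from a Temp dir.

    Installed software lives in one place; a dropper that scatters copies of
    itself across directories shows up here. System32 binaries are excluded
    by requiring the image to sit directly in C:\\Windows (two backslashes).
    """
    in_windows, in_temp = set(), set()
    for p in procs:
        img = p.image.lower()
        if img.startswith(WINDOWS_DIR) and img.count("\\") == 2:
            in_windows.add(p.basename)
        elif TEMP_DIR in img:
            in_temp.add(p.basename)
    return in_windows & in_temp


def parent_path_in_args(procs: list[Proc]) -> list[tuple[int, int]]:
    """(child pid, parent pid) pairs where the child's command line contains
    the parent's own image path: a helper being told which binary to relaunch
    or guard. Comparison is case-insensitive, as Windows paths are."""
    return [(p.pid, p.parent.pid) for p in procs
            if p.parent is not None and p.parent.image.lower() in p.cmdline.lower()]


def render_tree(procs: list[Proc]) -> str:
    """Indented one-line-per-process view, two spaces per depth level."""
    return "\n".join(f"{'  ' * (p.depth - 1)}{p.basename} (PID {p.pid}): {p.cmdline}"
                     for p in procs)


# Constructed input: ten lines copied from the report (with two "-" residue lines).
SAMPLE = r"""
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhcsjyxhaqpreldr.exe .1⤵PID:2940
-
C:\Windows\cxhcsjyxhaqpreldr.execxhcsjyxhaqpreldr.exe .2⤵PID:6020
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\cxhcsjyxhaqpreldr.exe*."3⤵PID:1068
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .1⤵PID:3440
C:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exeC:\Users\Admin\AppData\Local\Temp\cxhcsjyxhaqpreldr.exe .2⤵PID:816
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\users\admin\appdata\local\temp\cxhcsjyxhaqpreldr.exe*."3⤵PID:396
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yxlkezsvjgadjalhztmlz.exe .1⤵PID:6140
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5284
C:\Windows\yxlkezsvjgadjalhztmlz.exeyxlkezsvjgadjalhztmlz.exe .2⤵PID:3008
C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe"C:\Users\Admin\AppData\Local\Temp\qjfmnzhratp.exe" "c:\windows\yxlkezsvjgadjalhztmlz.exe*."3⤵PID:4944
"""

if __name__ == "__main__":
    tree = parse_tree(SAMPLE)
    print(render_tree(tree))
    print("names run from both C:\\Windows and Temp:", sorted(dual_location_names(tree)))
    print("children given their parent's image path:", parent_path_in_args(tree))
```

Run against the full dump, the second heuristic fires on every qjfmnzhratp.exe invocation and the first on all six dropped names, which is the self-copying pattern the Persistence and Hijack Execution Flow entries below summarise. Conhost.exe lines parse as depth-2 siblings, not as parents of the dropped binary, because the depth digit rather than list order decides the tree shape.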
Network
MITRE ATT&CK Enterprise v16

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads
Filesize: 272B
MD5:      20c61e66273ee648487c1b8a73e7e5fa
SHA1:     327fb1086e3ec6c716f5203e3110bbf11c6f838f
SHA256:   75591366b042fc70ea18317545377c7dd64da12d83c5e50b220b600d71d9ddfc
SHA512:   7d1de6e64b9c979d0b220e0027954aa3be0f81f017a4340096a3fa2309025043b8311926558c8b3a978d2742028ac56b9439dc945e636b0394921a3379e7cbf7

Filesize: 272B
MD5:      2af6cae85417546246cc9493d535976c
SHA1:     c2543f599db39563cde01f3bf9ac19ebec0e73b5
SHA256:   0c9d1db0e2b5efbcf66feb2ffb0410df7b53e415c7b37875299b53b02d87f80a
SHA512:   9b4da50da133b15c49f4c22706376915f561841165962f9538d1cc9f7202097e589b484dcd1b66aa5795998b1724c8ddd4a296d0a23d0893c8f01dee098e6aa1

Filesize: 272B
MD5:      f6485b3bbcb3cc80259dd5f71fb8b402
SHA1:     3a94e282de84b0720fd77ed486858aa07f6ed51f
SHA256:   54f1c566949b72dffaf6cbb593ab52e8086ce61b176ce1b957388881b8be2a41
SHA512:   e9f7e5530d4ae789f44f75acf3cf884b36b62e62c03c31fea11f593f7e957558bb94162e7a303757707f5624cf8499fb2448a5080c9965fec3dff9449c93a623

Filesize: 272B
MD5:      3870b31e4735220f26dab754597c5c4d
SHA1:     15c08c7fd6830d238cbff744e765e2c13819cfc0
SHA256:   47cd8b27dd02ab38b0bdcc4fa09a8c28be2f74be58def9666afacb3e2d554642
SHA512:   d7006f20f9c32863e24e2dad17c9af545ec97d348d7ef7a160976c5c577c64b83606ba2fdbf8ac330c39fbbecf6a500f013aa8667eea5c2c09a1c223d23f7d90

Filesize: 272B
MD5:      a6ca1c85032bacce08983c5fe483f1ed
SHA1:     3aba128cf91de6bf9c37e686dc99ae5a5382482a
SHA256:   0a7b2233556493154ae0d670518bac0a5083709d33568a7b373db13678af2cc5
SHA512:   3544b6228b17bade3d88b22f3d0bdd2d8b8fc2a3366a524b49ab9c14a42b9348ef7654b451167f9d32cc164b9fc7d4ae4b9a4c3051210b39cf47b51020796045

Filesize: 272B
MD5:      043d7455e08c11ebf081b3c816c06458
SHA1:     7852c8cf9aece651f4e4f9a43051923e96b3b594
SHA256:   9e8f48061a908b9e0fe641f605246f729fb749c75e31419c7cab210c14ffd614
SHA512:   3ddc39fd8c5bc959bed9f160e73127a350ff7c0723eb284a1067646594608641795957f534ec05d4078824e61778c8642ef974cbdf7197fa00fea4957eb7a30a

Filesize: 272B
MD5:      7a8dceafc81fb04f687321de1f3f9ea6
SHA1:     c4e5dd47c43de81833a8a9af1e2f5507ee8de125
SHA256:   5869420c9533623239e4ddd07cc502408f1e565c8081c6b5d8462cab2086977d
SHA512:   22d14c683f41b72c3b92bd5021bfac031fcb274c3f55b4128589aed968f7cf02aba8fdfaa084a49195d846fd20efc811be73233e0c2f061fd174edf58383b7c1

Filesize: 712KB
MD5:      ca4ca5f16cac6b57a29e736ac40495a2
SHA1:     adfd899287ec1f6df31b8835c2011e7151921122
SHA256:   885e368e07581eeced0d90ac5c7ecb560009a7af2f4575e1ad96cf549fe55fc1
SHA512:   fa6ee62b032a0e69e745ada3fe74fd6db016570f64f60295c1c5ed217e1f3b05bceec1f464d95ecc085fb834403d5f72dccc6cc840f2b9ae53dd417f31d97689

Filesize: 320KB
MD5:      5203b6ea0901877fbf2d8d6f6d8d338e
SHA1:     c803e92561921b38abe13239c1fd85605b570936
SHA256:   0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060
SHA512:   d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471

Filesize: 3KB
MD5:      566805e4505b062085a8e2c2fffec3e6
SHA1:     16f3a28e37596408bb118ddc4695684bfd97f021
SHA256:   2b216002eb582f30595107b23a78a918979faf953cc202e838a0beb8c192dd40
SHA512:   f444fd94ab5a5645ac654e27bbd5dfd2b373ae07c970e8d37b79e17f5dbf009f0df8556eb46f28c7e2df9b776c25bcc54e44b846a35bd03495d4e9c574d16013

Filesize: 272B
MD5:      384b69f2b892bbcc5c14054bcd02d6c1
SHA1:     190ade05041b38292fe9e7d6b1757c2829a2ac8f
SHA256:   87013945130f57c3d388b55433a732a95865d04bd410fb32aab26783f1666eb3
SHA512:   2f55fd2777fa6df6014db0e59a7bee57ae45dd9b149f8f31fe552e835bf2f495c7070da09cbada3a8aad91ee816c1d2e0d24a6e85fdb78588b60c09451e5a8b2

Filesize: 820KB
MD5:      b58392cb5dabc4b3851447d47255d4f1
SHA1:     4d5beb6e75c2774efe4451caf7fd1ba2ad548e76
SHA256:   108e977f71759ac7d303ca9a76b33c440a70f94a68a3e603704afe85de849692
SHA512:   53555d5b931fbe748f2679479bfb57ad4560cd2fcf351799b24717d85168d0f96125217d91ee125a26016ed77c30cc5123315c51846aa107ea1681b8682c7c0a