Analysis

max time kernel: 50s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/04/2025, 13:30

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_b7ec123ae0594510d03149cc1e4a7843.exe
Resource: win10v2004-20250314-en

General

Target: JaffaCakes118_b7ec123ae0594510d03149cc1e4a7843.exe
Size: 648KB
MD5: b7ec123ae0594510d03149cc1e4a7843
SHA1: 909aec9168cdf35f241314791ef8559f88c9c672
SHA256: 439986cced413f04733bd254fd9e49da3c687518b6562ee8ba13b1bfa21b3fd3
SHA512: ddfefcf1ae377ca174c684e2e99fc11f351929b44ca62b52271204132cf3e4411cdb537466e87310253eabb16e7a943285501eb967c2b9a7e68ce745fe64dffc
SSDEEP: 12288:cpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsi5OLpdNrrd4Dh:cpUNr6YkVRFkgbeqeo68FhqzmXrrd0

The hex suffix in the submitted file name is the sample's MD5, so the name was derived from the hash rather than being the original file name.

Malware Config

Signatures
Modifies WinLogon for persistence 2 TTPs 23 IoCs
All 23 writes target the same value under the 32-bit (WOW6432Node) view of HKLM:
description      ioc                                                                                                    Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"  bbygorkllli.exe (21 writes)
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"  mtxgfq.exe (2 writes)
Two details matter before reading this as a replaced logon shell. The data written is "Explorer.exe", the stock value, and the path is the WOW6432Node view, which is where a 32-bit process is redirected when it writes HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; the 64-bit Winlogon reads the native key. The signature therefore records the sample rewriting the Shell value, not changing what logon starts. On a live host compare Shell under both the native and the WOW6432Node Winlogon keys against explorer.exe.

Pykspa family

UAC bypass 3 TTPs 32 IoCs
All 32 writes are DWORDs under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
description      ioc                               Process
Set value (int)  EnableLUA = "0"                   bbygorkllli.exe (21), mtxgfq.exe (2)
Set value (int)  ConsentPromptBehaviorAdmin = "0"  bbygorkllli.exe (1), mtxgfq.exe (2)
Set value (int)  ConsentPromptBehaviorUser = "0"   bbygorkllli.exe (1), mtxgfq.exe (2)
Set value (int)  PromptOnSecureDesktop = "0"       bbygorkllli.exe (1), mtxgfq.exe (2)
The signature name overstates what happened: this key is writable only by an already elevated process, so the sample is switching UAC off rather than getting past a prompt. ConsentPromptBehaviorAdmin = 0 (elevate without prompting) and PromptOnSecureDesktop = 0 take effect at once; EnableLUA = 0 disables UAC entirely, but only from the next reboot. The Windows 10 defaults to restore are EnableLUA = 1, ConsentPromptBehaviorAdmin = 5, ConsentPromptBehaviorUser = 3 and PromptOnSecureDesktop = 1.
Detect Pykspa worm 2 IoCs
resource                                     yara_rule
behavioral1/files/0x00060000000234f9-4.dat   family_pykspa
behavioral1/files/0x000700000002411d-85.dat  family_pykspa
Adds policy Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "bxqoccrthflvcumzcnple.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "ztkgsqddplpxcsitudd.exe" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "fxmgqmxvfzbhkymvu.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypdwfakhqjkprerz.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxqoccrthflvcumzcnple.exe" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohxsdamlwrubfujttb.exe" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "mhzwjiwxkhmvbsjvxhid.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztkgsqddplpxcsitudd.exe" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypdwfakhqjkprerz.exe" 
bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "ztkgsqddplpxcsitudd.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "bxqoccrthflvcumzcnple.exe" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "bxqoccrthflvcumzcnple.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohxsdamlwrubfujttb.exe" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "ohxsdamlwrubfujttb.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohxsdamlwrubfujttb.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztkgsqddplpxcsitudd.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "ztkgsqddplpxcsitudd.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "ztkgsqddplpxcsitudd.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "fxmgqmxvfzbhkymvu.exe" mtxgfq.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "ztkgsqddplpxcsitudd.exe" mtxgfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "ypdwfakhqjkprerz.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypdwfakhqjkprerz.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "fxmgqmxvfzbhkymvu.exe" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run mtxgfq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhzwjiwxkhmvbsjvxhid.exe" mtxgfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "ztkgsqddplpxcsitudd.exe" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run mtxgfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "ypdwfakhqjkprerz.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "ztkgsqddplpxcsitudd.exe" mtxgfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "mhzwjiwxkhmvbsjvxhid.exe" mtxgfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "ypdwfakhqjkprerz.exe" mtxgfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = 
"C:\\Users\\Admin\\AppData\\Local\\Temp\\ypdwfakhqjkprerz.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "bxqoccrthflvcumzcnple.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "ztkgsqddplpxcsitudd.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypdwfakhqjkprerz.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "ohxsdamlwrubfujttb.exe" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohxsdamlwrubfujttb.exe" mtxgfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "bxqoccrthflvcumzcnple.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztkgsqddplpxcsitudd.exe" mtxgfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypdwfakhqjkprerz.exe" mtxgfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohxsdamlwrubfujttb.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "ztkgsqddplpxcsitudd.exe" bbygorkllli.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxmgqmxvfzbhkymvu.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztkgsqddplpxcsitudd.exe" mtxgfq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypdwfakhqjkprerz.exe" mtxgfq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohxsdamlwrubfujttb.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxqoccrthflvcumzcnple.exe" mtxgfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oxdopcet = "bxqoccrthflvcumzcnple.exe" bbygorkllli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhksq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxmgqmxvfzbhkymvu.exe" bbygorkllli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run bbygorkllli.exe -
Blocklisted process makes network request 3 IoCs
flow  pid   Process
41    2292  Process not Found
43    2292  Process not Found
48    2292  Process not Found
The sandbox could not attribute pid 2292 to an image, and 2292 is not among the PIDs in the dropped-EXE list below, so these three flows are unattributed and no destination is shown in this section.
Disables RegEdit via registry modification 6 IoCs
description      ioc                                                                                                                                  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  bbygorkllli.exe (1), mtxgfq.exe (2)
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"                                          bbygorkllli.exe (1), mtxgfq.exe (2)
The value is set both for the logged-on user (SID ...-1000) and machine-wide, so every account on the host loses regedit.exe. DisableRegistryTools only blocks regedit; reg.exe and the PowerShell registry provider still work, so the keys on this page can be inspected and reset without first reverting this value.
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
All 64 reads are of the same value, \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation:
description        Process
Key value queried  ohxsdamlwrubfujttb.exe (14)
Key value queried  fxmgqmxvfzbhkymvu.exe (12)
Key value queried  ztkgsqddplpxcsitudd.exe (11)
Key value queried  bxqoccrthflvcumzcnple.exe (11)
Key value queried  ypdwfakhqjkprerz.exe (8)
Key value queried  mhzwjiwxkhmvbsjvxhid.exe (7)
Key value queried  bbygorkllli.exe (1)
Nation holds the GEOID of the configured location (244, for example, is the United States). Every one of the six dropped copies reads it, plus the first-stage bbygorkllli.exe once, which is consistent with each copy running the same check at start-up. The report does not show what the sample compares the value against, so which locations it excludes cannot be read from this page.
Executes dropped EXE 64 IoCs
Process                    pid
bbygorkllli.exe            5328, 1068, 1000, 3616, 3908, 2308, 3608, 2948, 4400, 6068, 5748, 6124, 4816, 2300, 1780, 4964, 2616, 4748, 884, 3736 (20)
ohxsdamlwrubfujttb.exe     3984, 3636, 4576, 1616, 1896, 2364, 5760, 5444, 4780, 2392, 3164 (11)
ztkgsqddplpxcsitudd.exe    3028, 1768, 5588, 4856, 760, 2140, 5996, 2416, 5564 (9)
bxqoccrthflvcumzcnple.exe  4068, 5412, 3028, 2420, 3032, 5784, 996, 5984 (8)
ypdwfakhqjkprerz.exe       2120, 1920, 648, 4972, 4608, 4336, 392 (7)
fxmgqmxvfzbhkymvu.exe      1048, 808, 5340, 4792, 3708 (5)
mtxgfq.exe                 5192, 2376 (2)
mhzwjiwxkhmvbsjvxhid.exe   5444, 4784 (2)
PID 3028 appears under both ztkgsqddplpxcsitudd.exe and bxqoccrthflvcumzcnple.exe, and 5444 under both mhzwjiwxkhmvbsjvxhid.exe and ohxsdamlwrubfujttb.exe: process IDs were recycled during the 150 s run, so correlate on image name and start time rather than on PID alone. Four signatures on this page stop at exactly 64 IoCs, so treat 64 as the report's display cap, not as the number of processes the sample started.
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description  ioc                                                                              Process
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager    mtxgfq.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys     mtxgfq.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc        mtxgfq.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power          mtxgfq.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys      mtxgfq.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc        mtxgfq.exe
SafeBoot\Minimal is the allow-list of services and drivers that load in Safe Mode. Removing UserManager and ProfSvc (the User Profile Service) from it stops an interactive logon from completing in Safe Mode, which is the usual reason malware edits this key: the machine can no longer be cleaned by booting into Safe Mode. Only the secondary mtxgfq.exe does this. The live view of the key is HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal; restore it from a known-good export of the same Windows build rather than by recreating the six subkeys by hand.
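The checks a responder would run on a host suspected of this infection, written for this page as an added example (it is not code from the sandbox, and not the sample's own logic). It covers the keys in the signatures above and the Run/RunOnce locations in the next signature. Assumptions, all labelled in the comments: the dropped-file names are the ones this report lists, the expected UAC values are the Windows 10 defaults, and the session is elevated so HKLM and the other users' hives are readable. It only reads; nothing is deleted or reset.

```powershell
# Added example, not part of the sandbox report: read-only host triage for the
# registry and file artifacts the Pykspa sample above leaves behind.
# Assumptions: Windows 10 defaults for the UAC values, dropped-file names taken
# from this report, and an elevated PowerShell session.

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Area, [string]$Key, [string]$Name, $Observed, [string]$Expected) {
    $Findings.Add([pscustomobject]@{ Area = $Area; Key = $Key; Name = $Name; Observed = $Observed; Expected = $Expected })
}

# Every loaded user hive, so the HKCU of other logged-on users is covered too.
$userHives = Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object { "Registry::$($_.Name)" }

# 1. UAC policy. The sample writes 0 to all four; the Windows 10 defaults are below.
#    EnableLUA=0 only takes effect after a reboot, the other three at once.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uacDefaults = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; ConsentPromptBehaviorUser = 3; PromptOnSecureDesktop = 1 }
$uac = Get-ItemProperty -Path $uacKey
foreach ($name in $uacDefaults.Keys) {
    $observed = $uac.$name
    if ($null -ne $observed -and [int]$observed -ne $uacDefaults[$name]) {
        Add-Finding 'UAC policy' $uacKey $name $observed $uacDefaults[$name]
    }
}

# 2. DisableRegistryTools, machine-wide and per user (the report shows both).
foreach ($root in @('HKLM:') + $userHives) {
    $k = "$root\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    $v = (Get-ItemProperty -Path $k -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
    if ($null -ne $v -and [int]$v -ge 1) { Add-Finding 'Regedit disabled' $k 'DisableRegistryTools' $v '0 or absent' }
}

# 3. Winlogon Shell in the native view and in the WOW6432Node view that a 32-bit
#    writer is redirected to. This sample wrote the default "Explorer.exe", so it
#    would not be flagged here; anything other than explorer.exe is a finding.
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon') {
    $shell = (Get-ItemProperty -Path $k -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'explorer.exe') { Add-Finding 'Winlogon shell' $k 'Shell' $shell 'explorer.exe' }
}

# 4. Autostart values: the Policies\Explorer\Run key the sample prefers, plus Run/RunOnce
#    in the 64-bit and 32-bit machine views and in each user hive. Flag data that names
#    one of the dropped executables or points into a user's Temp directory.
$dropped = 'bbygorkllli', 'mtxgfq', 'ohxsdamlwrubfujttb', 'ztkgsqddplpxcsitudd',
           'fxmgqmxvfzbhkymvu', 'bxqoccrthflvcumzcnple', 'ypdwfakhqjkprerz', 'mhzwjiwxkhmvbsjvxhid'
$droppedPattern = '(^|[\\\s"])(' + ($dropped -join '|') + ')\.exe'
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($h in $userHives) {
    $autostartKeys += "$h\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
    $autostartKeys += "$h\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $autostartKeys += "$h\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
}
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider metadata, not registry values
foreach ($k in $autostartKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        $data = [string]$p.Value
        if ($data -match $droppedPattern -or $data -match '\\AppData\\Local\\Temp\\') {
            Add-Finding 'Autostart' $k $p.Name $data 'remove after confirming the target'
        }
    }
}

# 5. SafeBoot\Minimal entries the sample deletes. The report shows ControlSet001;
#    CurrentControlSet is the live link to whichever control set booted.
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
foreach ($entry in 'UserManager', 'ProfSvc', 'Power', 'CBDHSvc', 'SerCx2.sys', 'iai2c.sys') {
    if (-not (Test-Path -Path "$safeBoot\$entry")) { Add-Finding 'SafeBoot' $safeBoot $entry 'missing' 'present' }
}

# 6. Dropped copies in any user's Temp directory.
Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Local\Temp\*.exe" -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $droppedPattern } |
    ForEach-Object { Add-Finding 'Dropped file' $_.DirectoryName $_.Name $_.Length 'absent' }

if ($Findings.Count -eq 0) { 'No Pykspa-style registry or file artifacts found.' }
else { $Findings | Sort-Object Area | Format-Table -AutoSize -Wrap }
```

Run it from an elevated prompt and read the Autostart rows first: an entry whose data is a bare file name (as oxdopcet holds above) is resolved by Explorer at logon, so it is as live as one with a full path. The script deliberately does not reset anything, because the right order is to stop the running copies, remove the files, and only then clear the values, or a still-running process rewrites them.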
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfocgwbtxlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztkgsqddplpxcsitudd.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjrehwaruh = "mhzwjiwxkhmvbsjvxhid.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztkgsqddplpxcsitudd.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fpwikybrt = "mhzwjiwxkhmvbsjvxhid.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjrehwaruh = "fxmgqmxvfzbhkymvu.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "ypdwfakhqjkprerz.exe ." | mtxgfq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfocgwbtxlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypdwfakhqjkprerz.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fpwikybrt = "ohxsdamlwrubfujttb.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fpwikybrt = "ohxsdamlwrubfujttb.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdnchyexcrop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhzwjiwxkhmvbsjvxhid.exe" | mtxgfq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "ohxsdamlwrubfujttb.exe ." | mtxgfq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohxsdamlwrubfujttb.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "ohxsdamlwrubfujttb.exe ." | mtxgfq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fpwikybrt = "fxmgqmxvfzbhkymvu.exe" | mtxgfq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjrehwaruh = "ohxsdamlwrubfujttb.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohxsdamlwrubfujttb.exe ." | mtxgfq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfocgwbtxlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxqoccrthflvcumzcnple.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjrehwaruh = "ohxsdamlwrubfujttb.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdnchyexcrop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhzwjiwxkhmvbsjvxhid.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxmgqmxvfzbhkymvu.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "bxqoccrthflvcumzcnple.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztkgsqddplpxcsitudd.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfocgwbtxlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxmgqmxvfzbhkymvu.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjrehwaruh = "ypdwfakhqjkprerz.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "bxqoccrthflvcumzcnple.exe" | mtxgfq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxmgqmxvfzbhkymvu.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "mhzwjiwxkhmvbsjvxhid.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfocgwbtxlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypdwfakhqjkprerz.exe ." | mtxgfq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fpwikybrt = "ypdwfakhqjkprerz.exe" | mtxgfq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fpwikybrt = "mhzwjiwxkhmvbsjvxhid.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjrehwaruh = "ypdwfakhqjkprerz.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypdwfakhqjkprerz.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohxsdamlwrubfujttb.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxmgqmxvfzbhkymvu.exe ." | mtxgfq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "ztkgsqddplpxcsitudd.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fpwikybrt = "bxqoccrthflvcumzcnple.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdnchyexcrop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypdwfakhqjkprerz.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjrehwaruh = "ohxsdamlwrubfujttb.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypdwfakhqjkprerz.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjrehwaruh = "ztkgsqddplpxcsitudd.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdnchyexcrop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bxqoccrthflvcumzcnple.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypdwfakhqjkprerz.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfocgwbtxlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fxmgqmxvfzbhkymvu.exe ." | mtxgfq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "ohxsdamlwrubfujttb.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "ohxsdamlwrubfujttb.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfocgwbtxlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypdwfakhqjkprerz.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfocgwbtxlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhzwjiwxkhmvbsjvxhid.exe ." | mtxgfq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdnchyexcrop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhzwjiwxkhmvbsjvxhid.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohxsdamlwrubfujttb.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "ypdwfakhqjkprerz.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "bxqoccrthflvcumzcnple.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "ztkgsqddplpxcsitudd.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztkgsqddplpxcsitudd.exe ." | mtxgfq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfocgwbtxlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztkgsqddplpxcsitudd.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtxgfq = "mhzwjiwxkhmvbsjvxhid.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "mhzwjiwxkhmvbsjvxhid.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjrehwaruh = "ohxsdamlwrubfujttb.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fpwikybrt = "bxqoccrthflvcumzcnple.exe" | mtxgfq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypdwfakhqjkprerz.exe ." | mtxgfq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fpwikybrt = "bxqoccrthflvcumzcnple.exe" | bbygorkllli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tfocgwbtxlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mhzwjiwxkhmvbsjvxhid.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zhmwwij = "ohxsdamlwrubfujttb.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjrehwaruh = "fxmgqmxvfzbhkymvu.exe ." | bbygorkllli.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjrehwaruh = "ztkgsqddplpxcsitudd.exe ." | mtxgfq.exe
-
Checks whether UAC is enabled 1 TTPs 46 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bbygorkllli.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bbygorkllli.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mtxgfq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bbygorkllli.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bbygorkllli.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bbygorkllli.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bbygorkllli.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bbygorkllli.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bbygorkllli.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bbygorkllli.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mtxgfq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mtxgfq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bbygorkllli.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bbygorkllli.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bbygorkllli.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bbygorkllli.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bbygorkllli.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bbygorkllli.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bbygorkllli.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bbygorkllli.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bbygorkllli.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bbygorkllli.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bbygorkllli.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bbygorkllli.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bbygorkllli.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bbygorkllli.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bbygorkllli.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bbygorkllli.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bbygorkllli.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mtxgfq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bbygorkllli.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bbygorkllli.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bbygorkllli.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bbygorkllli.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bbygorkllli.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bbygorkllli.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bbygorkllli.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bbygorkllli.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bbygorkllli.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bbygorkllli.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bbygorkllli.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bbygorkllli.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bbygorkllli.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bbygorkllli.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bbygorkllli.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bbygorkllli.exe
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | mtxgfq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | mtxgfq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | bbygorkllli.exe
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | www.showmyipaddress.com
19 | whatismyipaddress.com
24 | www.whatismyip.ca
50 | whatismyip.everdot.org
52 | www.whatismyip.ca
60 | whatismyip.everdot.org
62 | www.whatismyip.ca
-
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ohxsdamlwrubfujttb.exe | bbygorkllli.exe
File created | C:\Windows\SysWOW64\qdnchyexcropnwfjdfylvkpgmfkzwxvenr.ngt | mtxgfq.exe
File opened for modification | C:\Windows\SysWOW64\spjixyorgfmxfyrfjvyvpo.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\fxmgqmxvfzbhkymvu.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\mhzwjiwxkhmvbsjvxhid.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\spjixyorgfmxfyrfjvyvpo.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\mhzwjiwxkhmvbsjvxhid.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\mhzwjiwxkhmvbsjvxhid.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\ztkgsqddplpxcsitudd.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\spjixyorgfmxfyrfjvyvpo.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\fxmgqmxvfzbhkymvu.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\ztkgsqddplpxcsitudd.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\ztkgsqddplpxcsitudd.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\mhzwjiwxkhmvbsjvxhid.exe | mtxgfq.exe
File opened for modification | C:\Windows\SysWOW64\mhzwjiwxkhmvbsjvxhid.exe | mtxgfq.exe
File opened for modification | C:\Windows\SysWOW64\ztkgsqddplpxcsitudd.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\ztkgsqddplpxcsitudd.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\spjixyorgfmxfyrfjvyvpo.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\fxmgqmxvfzbhkymvu.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\bxqoccrthflvcumzcnple.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\ohxsdamlwrubfujttb.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\ypdwfakhqjkprerz.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\spjixyorgfmxfyrfjvyvpo.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\mhzwjiwxkhmvbsjvxhid.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\spjixyorgfmxfyrfjvyvpo.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\ypdwfakhqjkprerz.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\ohxsdamlwrubfujttb.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\ohxsdamlwrubfujttb.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\dfeicidlfjvlywunwnvxwau.vdx | mtxgfq.exe
File opened for modification | C:\Windows\SysWOW64\ypdwfakhqjkprerz.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\ztkgsqddplpxcsitudd.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\mhzwjiwxkhmvbsjvxhid.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\spjixyorgfmxfyrfjvyvpo.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\mhzwjiwxkhmvbsjvxhid.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\fxmgqmxvfzbhkymvu.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\bxqoccrthflvcumzcnple.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\bxqoccrthflvcumzcnple.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\bxqoccrthflvcumzcnple.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\ypdwfakhqjkprerz.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\mhzwjiwxkhmvbsjvxhid.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\ztkgsqddplpxcsitudd.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\ohxsdamlwrubfujttb.exe | mtxgfq.exe
File opened for modification | C:\Windows\SysWOW64\bxqoccrthflvcumzcnple.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\spjixyorgfmxfyrfjvyvpo.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\fxmgqmxvfzbhkymvu.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\spjixyorgfmxfyrfjvyvpo.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\bxqoccrthflvcumzcnple.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\fxmgqmxvfzbhkymvu.exe | mtxgfq.exe
File opened for modification | C:\Windows\SysWOW64\bxqoccrthflvcumzcnple.exe | mtxgfq.exe
File opened for modification | C:\Windows\SysWOW64\ypdwfakhqjkprerz.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\ztkgsqddplpxcsitudd.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\ohxsdamlwrubfujttb.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\ohxsdamlwrubfujttb.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\bxqoccrthflvcumzcnple.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\fxmgqmxvfzbhkymvu.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\ohxsdamlwrubfujttb.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\mhzwjiwxkhmvbsjvxhid.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\fxmgqmxvfzbhkymvu.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\ztkgsqddplpxcsitudd.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\bxqoccrthflvcumzcnple.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\ztkgsqddplpxcsitudd.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\spjixyorgfmxfyrfjvyvpo.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\fxmgqmxvfzbhkymvu.exe | bbygorkllli.exe
File opened for modification | C:\Windows\SysWOW64\ztkgsqddplpxcsitudd.exe | bbygorkllli.exe
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\dfeicidlfjvlywunwnvxwau.vdx | mtxgfq.exe
File opened for modification | C:\Program Files (x86)\qdnchyexcropnwfjdfylvkpgmfkzwxvenr.ngt | mtxgfq.exe
File created | C:\Program Files (x86)\qdnchyexcropnwfjdfylvkpgmfkzwxvenr.ngt | mtxgfq.exe
File opened for modification | C:\Program Files (x86)\dfeicidlfjvlywunwnvxwau.vdx | mtxgfq.exe
-
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\spjixyorgfmxfyrfjvyvpo.exe | bbygorkllli.exe
File opened for modification | C:\Windows\bxqoccrthflvcumzcnple.exe | bbygorkllli.exe
File opened for modification | C:\Windows\ztkgsqddplpxcsitudd.exe | bbygorkllli.exe
File opened for modification | C:\Windows\spjixyorgfmxfyrfjvyvpo.exe | bbygorkllli.exe
File opened for modification | C:\Windows\ohxsdamlwrubfujttb.exe | bbygorkllli.exe
File opened for modification | C:\Windows\ypdwfakhqjkprerz.exe | bbygorkllli.exe
File opened for modification | C:\Windows\spjixyorgfmxfyrfjvyvpo.exe | bbygorkllli.exe
File opened for modification | C:\Windows\ypdwfakhqjkprerz.exe | bbygorkllli.exe
File opened for modification | C:\Windows\fxmgqmxvfzbhkymvu.exe | bbygorkllli.exe
File opened for modification | C:\Windows\ohxsdamlwrubfujttb.exe | bbygorkllli.exe
File opened for modification | C:\Windows\fxmgqmxvfzbhkymvu.exe | mtxgfq.exe
File opened for modification | C:\Windows\bxqoccrthflvcumzcnple.exe | mtxgfq.exe
File opened for modification | C:\Windows\ohxsdamlwrubfujttb.exe | bbygorkllli.exe
File opened for modification | C:\Windows\ztkgsqddplpxcsitudd.exe | bbygorkllli.exe
File opened for modification | C:\Windows\fxmgqmxvfzbhkymvu.exe | bbygorkllli.exe
File opened for modification | C:\Windows\spjixyorgfmxfyrfjvyvpo.exe | bbygorkllli.exe
File opened for modification | C:\Windows\ohxsdamlwrubfujttb.exe | bbygorkllli.exe
File opened for modification | C:\Windows\bxqoccrthflvcumzcnple.exe | bbygorkllli.exe
File opened for modification | C:\Windows\mhzwjiwxkhmvbsjvxhid.exe | bbygorkllli.exe
File opened for modification | C:\Windows\fxmgqmxvfzbhkymvu.exe | bbygorkllli.exe
File opened for modification | C:\Windows\bxqoccrthflvcumzcnple.exe | bbygorkllli.exe
File opened for modification | C:\Windows\ypdwfakhqjkprerz.exe | mtxgfq.exe
File opened for modification | C:\Windows\ypdwfakhqjkprerz.exe | bbygorkllli.exe
File opened for modification | C:\Windows\fxmgqmxvfzbhkymvu.exe | bbygorkllli.exe
File opened for modification | C:\Windows\ohxsdamlwrubfujttb.exe | bbygorkllli.exe
File opened for modification | C:\Windows\ypdwfakhqjkprerz.exe | bbygorkllli.exe
File opened for modification | C:\Windows\bxqoccrthflvcumzcnple.exe | bbygorkllli.exe
File opened for modification | C:\Windows\fxmgqmxvfzbhkymvu.exe | mtxgfq.exe
File opened for modification | C:\Windows\ohxsdamlwrubfujttb.exe | bbygorkllli.exe
File opened for modification | C:\Windows\mhzwjiwxkhmvbsjvxhid.exe | bbygorkllli.exe
File opened for modification | C:\Windows\spjixyorgfmxfyrfjvyvpo.exe | bbygorkllli.exe
File opened for modification | C:\Windows\bxqoccrthflvcumzcnple.exe | bbygorkllli.exe
File opened for modification | C:\Windows\fxmgqmxvfzbhkymvu.exe | bbygorkllli.exe
File created | C:\Windows\dfeicidlfjvlywunwnvxwau.vdx | mtxgfq.exe
File opened for modification | C:\Windows\ohxsdamlwrubfujttb.exe | bbygorkllli.exe
File opened for modification | C:\Windows\mhzwjiwxkhmvbsjvxhid.exe | bbygorkllli.exe
File opened for modification | C:\Windows\ypdwfakhqjkprerz.exe | bbygorkllli.exe
File opened for modification | C:\Windows\ypdwfakhqjkprerz.exe | bbygorkllli.exe
File opened for modification | C:\Windows\bxqoccrthflvcumzcnple.exe | bbygorkllli.exe
File opened for modification | C:\Windows\fxmgqmxvfzbhkymvu.exe | bbygorkllli.exe
File opened for modification | C:\Windows\ypdwfakhqjkprerz.exe | bbygorkllli.exe
File opened for modification | C:\Windows\mhzwjiwxkhmvbsjvxhid.exe | bbygorkllli.exe
File opened for modification | C:\Windows\fxmgqmxvfzbhkymvu.exe | bbygorkllli.exe
File opened for modification | C:\Windows\mhzwjiwxkhmvbsjvxhid.exe | bbygorkllli.exe
File opened for modification | C:\Windows\bxqoccrthflvcumzcnple.exe | bbygorkllli.exe
File opened for modification | C:\Windows\fxmgqmxvfzbhkymvu.exe | bbygorkllli.exe
File opened for modification | C:\Windows\ztkgsqddplpxcsitudd.exe | bbygorkllli.exe
File opened for modification | C:\Windows\ohxsdamlwrubfujttb.exe | bbygorkllli.exe
File opened for modification | C:\Windows\ypdwfakhqjkprerz.exe | bbygorkllli.exe
File opened for modification | C:\Windows\spjixyorgfmxfyrfjvyvpo.exe | bbygorkllli.exe
File opened for modification | C:\Windows\bxqoccrthflvcumzcnple.exe | bbygorkllli.exe
File opened for modification | C:\Windows\ztkgsqddplpxcsitudd.exe | bbygorkllli.exe
File opened for modification | C:\Windows\spjixyorgfmxfyrfjvyvpo.exe | bbygorkllli.exe
File opened for modification | C:\Windows\spjixyorgfmxfyrfjvyvpo.exe | mtxgfq.exe
File opened for modification | C:\Windows\fxmgqmxvfzbhkymvu.exe | bbygorkllli.exe
File opened for modification | C:\Windows\bxqoccrthflvcumzcnple.exe | bbygorkllli.exe
File opened for modification | C:\Windows\ypdwfakhqjkprerz.exe | bbygorkllli.exe
File opened for modification | C:\Windows\bxqoccrthflvcumzcnple.exe | bbygorkllli.exe
File opened for modification | C:\Windows\mhzwjiwxkhmvbsjvxhid.exe | bbygorkllli.exe
File opened for modification | C:\Windows\mhzwjiwxkhmvbsjvxhid.exe | bbygorkllli.exe
File opened for modification | C:\Windows\ypdwfakhqjkprerz.exe | bbygorkllli.exe
File opened for modification | C:\Windows\fxmgqmxvfzbhkymvu.exe | bbygorkllli.exe
File opened for modification | C:\Windows\ztkgsqddplpxcsitudd.exe | bbygorkllli.exe
File opened for modification | C:\Windows\mhzwjiwxkhmvbsjvxhid.exe | bbygorkllli.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mhzwjiwxkhmvbsjvxhid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ztkgsqddplpxcsitudd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fxmgqmxvfzbhkymvu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ohxsdamlwrubfujttb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fxmgqmxvfzbhkymvu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ypdwfakhqjkprerz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bxqoccrthflvcumzcnple.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bxqoccrthflvcumzcnple.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ztkgsqddplpxcsitudd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ztkgsqddplpxcsitudd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ypdwfakhqjkprerz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ohxsdamlwrubfujttb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fxmgqmxvfzbhkymvu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ohxsdamlwrubfujttb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ypdwfakhqjkprerz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bxqoccrthflvcumzcnple.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ypdwfakhqjkprerz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fxmgqmxvfzbhkymvu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mhzwjiwxkhmvbsjvxhid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ztkgsqddplpxcsitudd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ohxsdamlwrubfujttb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ohxsdamlwrubfujttb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bxqoccrthflvcumzcnple.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fxmgqmxvfzbhkymvu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ohxsdamlwrubfujttb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ohxsdamlwrubfujttb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ypdwfakhqjkprerz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ypdwfakhqjkprerz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bxqoccrthflvcumzcnple.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ohxsdamlwrubfujttb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mhzwjiwxkhmvbsjvxhid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bxqoccrthflvcumzcnple.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bxqoccrthflvcumzcnple.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mhzwjiwxkhmvbsjvxhid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fxmgqmxvfzbhkymvu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mhzwjiwxkhmvbsjvxhid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bxqoccrthflvcumzcnple.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fxmgqmxvfzbhkymvu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ohxsdamlwrubfujttb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mhzwjiwxkhmvbsjvxhid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fxmgqmxvfzbhkymvu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fxmgqmxvfzbhkymvu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ztkgsqddplpxcsitudd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ztkgsqddplpxcsitudd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ypdwfakhqjkprerz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ypdwfakhqjkprerz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ztkgsqddplpxcsitudd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ohxsdamlwrubfujttb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mtxgfq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mtxgfq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ztkgsqddplpxcsitudd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mhzwjiwxkhmvbsjvxhid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fxmgqmxvfzbhkymvu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ztkgsqddplpxcsitudd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mhzwjiwxkhmvbsjvxhid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ohxsdamlwrubfujttb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fxmgqmxvfzbhkymvu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ypdwfakhqjkprerz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ohxsdamlwrubfujttb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ztkgsqddplpxcsitudd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fxmgqmxvfzbhkymvu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ztkgsqddplpxcsitudd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ohxsdamlwrubfujttb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bxqoccrthflvcumzcnple.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description: Token: SeDebugPrivilege | pid: 2376 | Process: mtxgfq.exe -
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 64 IoCs
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b7ec123ae0594510d03149cc1e4a7843.exe | Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b7ec123ae0594510d03149cc1e4a7843.exe" | Depth: 1
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:408 -
Image: C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | Command line: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_b7ec123ae0594510d03149cc1e4a7843.exe*" | Depth: 2
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5328 -
Image: C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | Command line: "C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe" "-C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe" | Depth: 3
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:5192
-
-
Image: C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe | Command line: "C:\Users\Admin\AppData\Local\Temp\mtxgfq.exe" "-C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe" | Depth: 3
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2376
-
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe | Depth: 1
- Suspicious use of WriteProcessMemory
PID:4952 -
Image: C:\Windows\ohxsdamlwrubfujttb.exe | Command line: ohxsdamlwrubfujttb.exe | Depth: 2
- Executes dropped EXE
PID:3984
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe . | Depth: 1
- Suspicious use of WriteProcessMemory
PID:3472 -
Image: C:\Windows\ohxsdamlwrubfujttb.exe | Command line: ohxsdamlwrubfujttb.exe . | Depth: 2
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
Image: C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | Command line: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*." | Depth: 3
- Executes dropped EXE
PID:1068
-
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe | Depth: 1
- Suspicious use of WriteProcessMemory
PID:4732 -
Image: C:\Windows\ztkgsqddplpxcsitudd.exe | Command line: ztkgsqddplpxcsitudd.exe | Depth: 2
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3028
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe . | Depth: 1
- Suspicious use of WriteProcessMemory
PID:5944 -
Image: C:\Windows\fxmgqmxvfzbhkymvu.exe | Command line: fxmgqmxvfzbhkymvu.exe . | Depth: 2
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1048 -
Image: C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | Command line: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*." | Depth: 3
- Executes dropped EXE
PID:1000
-
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe | Depth: 1
- Suspicious use of WriteProcessMemory
PID:5440 -
Image: C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe | Command line: C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe | Depth: 2
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1768
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe . | Depth: 1
- Suspicious use of WriteProcessMemory
PID:2232 -
Image: C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe | Command line: C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe . | Depth: 2
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4068 -
Image: C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | Command line: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxqoccrthflvcumzcnple.exe*." | Depth: 3
- Executes dropped EXE
PID:3616
-
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe | Depth: 1
- Suspicious use of WriteProcessMemory
PID:2260 -
Image: C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe | Command line: C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe | Depth: 2
- Executes dropped EXE
PID:5588
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe . | Depth: 1
- Suspicious use of WriteProcessMemory
PID:1472 -
Image: C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | Command line: C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe . | Depth: 2
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120 -
Image: C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | Command line: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ypdwfakhqjkprerz.exe*." | Depth: 3
- Executes dropped EXE
PID:3908
-
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe | Depth: 1
- Suspicious use of WriteProcessMemory
PID:5108 -
Image: C:\Windows\ohxsdamlwrubfujttb.exe | Command line: ohxsdamlwrubfujttb.exe | Depth: 2
- Executes dropped EXE
PID:4576
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe | Depth: 1
- Suspicious use of WriteProcessMemory
PID:5024 -
Image: C:\Windows\ypdwfakhqjkprerz.exe | Command line: ypdwfakhqjkprerz.exe | Depth: 2
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1920
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe . | Depth: 1
- Suspicious use of WriteProcessMemory
PID:5636 -
Image: C:\Windows\ztkgsqddplpxcsitudd.exe | Command line: ztkgsqddplpxcsitudd.exe . | Depth: 2
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4856 -
Image: C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | Command line: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztkgsqddplpxcsitudd.exe*." | Depth: 3
- Executes dropped EXE
PID:3608
-
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe . | Depth: 1
- Suspicious use of WriteProcessMemory
PID:4176 -
Image: C:\Windows\ohxsdamlwrubfujttb.exe | Command line: ohxsdamlwrubfujttb.exe . | Depth: 2
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1616 -
Image: C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | Command line: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*." | Depth: 3
- Executes dropped EXE
PID:2308
-
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe | Depth: 1
- Suspicious use of WriteProcessMemory
PID:1132 -
Image: C:\Windows\ztkgsqddplpxcsitudd.exe | Command line: ztkgsqddplpxcsitudd.exe | Depth: 2
- Executes dropped EXE
PID:760
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe | Depth: 1 | PID:64
-
Image: C:\Windows\mhzwjiwxkhmvbsjvxhid.exe | Command line: mhzwjiwxkhmvbsjvxhid.exe | Depth: 2
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5444
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe . | Depth: 1 | PID:4844
-
Image: C:\Windows\fxmgqmxvfzbhkymvu.exe | Command line: fxmgqmxvfzbhkymvu.exe . | Depth: 2
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:808 -
Image: C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | Command line: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*." | Depth: 3
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2948
-
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe . | Depth: 1 | PID:60
-
Image: C:\Windows\bxqoccrthflvcumzcnple.exe | Command line: bxqoccrthflvcumzcnple.exe . | Depth: 2
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5412 -
Image: C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | Command line: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxqoccrthflvcumzcnple.exe*." | Depth: 3
- Executes dropped EXE
PID:4400
-
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | Depth: 1 | PID:3520
-
Image: C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | Command line: C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | Depth: 2
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5340
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | Depth: 1 | PID:3592
-
Image: C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | Command line: C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | Depth: 2
- Executes dropped EXE
PID:648
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe . | Depth: 1 | PID:2340
-
Image: C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe | Command line: C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe . | Depth: 2
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2140 -
Image: C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | Command line: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztkgsqddplpxcsitudd.exe*." | Depth: 3
- Executes dropped EXE
PID:4816
-
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe . | Depth: 1 | PID:4628
-
Image: C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe | Command line: C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe . | Depth: 2
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5996 -
Image: C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | Command line: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztkgsqddplpxcsitudd.exe*." | Depth: 3
- Executes dropped EXE
PID:6124
-
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe | Depth: 1 | PID:5140
-
Image: C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe | Command line: C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe | Depth: 2
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4784
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | Depth: 1 | PID:1116
-
Image: C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | Command line: C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | Depth: 2
- Executes dropped EXE
PID:4792
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe . | Depth: 1 | PID:1816
-
Image: C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe | Command line: C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe . | Depth: 2
- Checks computer location settings
- Executes dropped EXE
PID:2420 -
Image: C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | Command line: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxqoccrthflvcumzcnple.exe*." | Depth: 3
- Executes dropped EXE
PID:5748
-
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe . | Depth: 1 | PID:2500
-
Image: C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe | Command line: C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe . | Depth: 2
- Checks computer location settings
- Executes dropped EXE
PID:3028 -
Image: C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | Command line: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxqoccrthflvcumzcnple.exe*." | Depth: 3
- Executes dropped EXE
PID:6068
-
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe | Depth: 1 | PID:3048
-
Image: C:\Windows\ztkgsqddplpxcsitudd.exe | Command line: ztkgsqddplpxcsitudd.exe | Depth: 2
- Executes dropped EXE
PID:2416
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe . | Depth: 1 | PID:5060
-
Image: C:\Windows\bxqoccrthflvcumzcnple.exe | Command line: bxqoccrthflvcumzcnple.exe . | Depth: 2
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3032 -
Image: C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | Command line: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxqoccrthflvcumzcnple.exe*." | Depth: 3
- Executes dropped EXE
PID:2300
-
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe | Depth: 1 | PID:4892
-
Image: C:\Windows\System32\Conhost.exe | Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | Depth: 2 | PID:3616
-
-
Image: C:\Windows\bxqoccrthflvcumzcnple.exe | Command line: bxqoccrthflvcumzcnple.exe | Depth: 2
- Executes dropped EXE
PID:5784
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe . | Depth: 1 | PID:1452
-
Image: C:\Windows\ohxsdamlwrubfujttb.exe | Command line: ohxsdamlwrubfujttb.exe . | Depth: 2
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1896 -
Image: C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | Command line: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*." | Depth: 3
- Executes dropped EXE
PID:1780
-
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | Depth: 1 | PID:2260
-
Image: C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | Command line: C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | Depth: 2
- Executes dropped EXE
PID:4972
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe . | Depth: 1 | PID:1968
-
Image: C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | Command line: C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe . | Depth: 2
- Checks computer location settings
- Executes dropped EXE
PID:2364 -
Image: C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | Command line: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*." | Depth: 3
- Executes dropped EXE
PID:4964
-
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | Depth: 1 | PID:5756
-
Image: C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | Command line: C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | Depth: 2
- Executes dropped EXE
PID:3708
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe . | Depth: 1 | PID:4868
-
Image: C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | Command line: C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe . | Depth: 2
- Checks computer location settings
- Executes dropped EXE
PID:5760 -
Image: C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | Command line: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*." | Depth: 3
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2616
-
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe | Depth: 1 | PID:972
-
Image: C:\Windows\System32\Conhost.exe | Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | Depth: 2 | PID:1920
-
-
Image: C:\Windows\ztkgsqddplpxcsitudd.exe | Command line: ztkgsqddplpxcsitudd.exe | Depth: 2
- Executes dropped EXE
PID:5564
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe . | Depth: 1 | PID:2088
-
Image: C:\Windows\ypdwfakhqjkprerz.exe | Command line: ypdwfakhqjkprerz.exe . | Depth: 2
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4608 -
Image: C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | Command line: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ypdwfakhqjkprerz.exe*." | Depth: 3
- Executes dropped EXE
PID:4748
-
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe | Depth: 1 | PID:2348
-
Image: C:\Windows\bxqoccrthflvcumzcnple.exe | Command line: bxqoccrthflvcumzcnple.exe | Depth: 2
- Executes dropped EXE
PID:996
-
-
Image: C:\Windows\system32\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe . | Depth: 1 | PID:2308
-
Image: C:\Windows\ohxsdamlwrubfujttb.exe | Command line: ohxsdamlwrubfujttb.exe . | Depth: 2
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5444 -
Image: C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | Command line: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*." | Depth: 3
- Executes dropped EXE
PID:884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe1⤵PID:1956
-
C:\Windows\ohxsdamlwrubfujttb.exeohxsdamlwrubfujttb.exe2⤵
- Executes dropped EXE
PID:2392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe1⤵PID:5280
-
C:\Windows\ohxsdamlwrubfujttb.exeohxsdamlwrubfujttb.exe2⤵
- Executes dropped EXE
PID:4780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe1⤵PID:5516
-
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exeC:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe2⤵
- Executes dropped EXE
PID:3164
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .1⤵PID:3880
-
C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exeC:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .2⤵
- Executes dropped EXE
PID:5984 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxqoccrthflvcumzcnple.exe*."3⤵PID:5528
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe .1⤵PID:2952
-
C:\Windows\ypdwfakhqjkprerz.exeypdwfakhqjkprerz.exe .2⤵
- Executes dropped EXE
PID:4336 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ypdwfakhqjkprerz.exe*."3⤵
- Executes dropped EXE
PID:3736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe .1⤵PID:4516
-
C:\Windows\ypdwfakhqjkprerz.exeypdwfakhqjkprerz.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:392 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ypdwfakhqjkprerz.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1300
-
-
-
[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe | PID 6100
  [2] C:\Windows\bxqoccrthflvcumzcnple.exe | cmdline: bxqoccrthflvcumzcnple.exe | PID 2136

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe | PID 1332
  [2] C:\Windows\bxqoccrthflvcumzcnple.exe | cmdline: bxqoccrthflvcumzcnple.exe | PID 3672

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | PID 4980
  [2] C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | PID 4536

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe . | PID 3972
  [2] C:\Windows\mhzwjiwxkhmvbsjvxhid.exe | cmdline: mhzwjiwxkhmvbsjvxhid.exe . | PID 2420
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhzwjiwxkhmvbsjvxhid.exe*." | PID 3424

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe . | PID 3520
  [2] C:\Windows\mhzwjiwxkhmvbsjvxhid.exe | cmdline: mhzwjiwxkhmvbsjvxhid.exe . | PID 1448
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhzwjiwxkhmvbsjvxhid.exe*." | PID 4468

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe . | PID 2696
  [2] C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe . | PID 4788
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztkgsqddplpxcsitudd.exe*." | PID 4596

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | PID 5012
  [2] C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | PID 444

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | PID 1636
  [2] C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | PID 4068

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe . | PID 4220
  [2] C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe . | PID 2148
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ypdwfakhqjkprerz.exe*." | PID 1880

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe . | PID 4968
  [2] C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe . | PID 1064
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*." | PID 1412

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe | PID 1816
  [2] C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe | PID 5956

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | PID 4208
  [2] C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | PID 2576

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe . | PID 5296
  [2] C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe . | PID 5036
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ypdwfakhqjkprerz.exe*." | PID 2108

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe . | PID 5216
  [2] C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe . | PID 3328
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*." | PID 5040

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe | PID 2888
  [2] C:\Windows\bxqoccrthflvcumzcnple.exe | cmdline: bxqoccrthflvcumzcnple.exe | PID 1472

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe . | PID 3364
  [2] C:\Windows\ztkgsqddplpxcsitudd.exe | cmdline: ztkgsqddplpxcsitudd.exe . | PID 3908
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztkgsqddplpxcsitudd.exe*." | PID 4840

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe | PID 5068
  [2] C:\Windows\mhzwjiwxkhmvbsjvxhid.exe | cmdline: mhzwjiwxkhmvbsjvxhid.exe | PID 864

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe . | PID 5268
  [2] C:\Windows\ohxsdamlwrubfujttb.exe | cmdline: ohxsdamlwrubfujttb.exe . | PID 2884
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*." | PID 1172

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | PID 1744
  [2] C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | PID 812

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe . | PID 3176
  [2] C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe . | PID 4084
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ypdwfakhqjkprerz.exe*." | PID 5860

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | PID 3216
  [2] C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | PID 2348

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe . | PID 1784
  [2] C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe . | PID 4780
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxqoccrthflvcumzcnple.exe*." | PID 3240
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe | PID 2692
  [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 884
  [2] C:\Windows\ohxsdamlwrubfujttb.exe | cmdline: ohxsdamlwrubfujttb.exe | PID 4300

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe . | PID 4856
  [2] C:\Windows\ypdwfakhqjkprerz.exe | cmdline: ypdwfakhqjkprerz.exe . | PID 3092
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ypdwfakhqjkprerz.exe*." | PID 3180

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe | PID 5144
  [2] C:\Windows\mhzwjiwxkhmvbsjvxhid.exe | cmdline: mhzwjiwxkhmvbsjvxhid.exe | PID 4332

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe . | PID 5548
  [2] C:\Windows\ohxsdamlwrubfujttb.exe | cmdline: ohxsdamlwrubfujttb.exe . | PID 5992
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*." | PID 2484

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe | PID 3800
  [2] C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe | PID 3672

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe . | PID 1812
  [2] C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe . | PID 5196
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxqoccrthflvcumzcnple.exe*." | PID 5104

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | PID 4268
  [2] C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | PID 2180

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe . | PID 5904
  [2] C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe . | PID 5856
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ypdwfakhqjkprerz.exe*." | PID 3472
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe | PID 1048
  [2] C:\Windows\fxmgqmxvfzbhkymvu.exe | cmdline: fxmgqmxvfzbhkymvu.exe | PID 6092

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe . | PID 5500
  [2] C:\Windows\mhzwjiwxkhmvbsjvxhid.exe | cmdline: mhzwjiwxkhmvbsjvxhid.exe . | PID 4100
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhzwjiwxkhmvbsjvxhid.exe*." | PID 5376

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe | PID 1592
  [2] C:\Windows\ztkgsqddplpxcsitudd.exe | cmdline: ztkgsqddplpxcsitudd.exe | PID 5588

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe . | PID 4788
  [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1064
  [2] C:\Windows\mhzwjiwxkhmvbsjvxhid.exe | cmdline: mhzwjiwxkhmvbsjvxhid.exe . | PID 1880
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhzwjiwxkhmvbsjvxhid.exe*." | PID 5980

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | PID 2260
  [2] C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | PID 5244

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe . | PID 676
  [2] C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe . | PID 2364
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ypdwfakhqjkprerz.exe*." | PID 4612

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | PID 4404
  [2] C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | PID 2356

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe . | PID 1668
  [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4792
  [2] C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe . | PID 5944
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*." | PID 3284
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe | PID 3328
  [2] C:\Windows\ypdwfakhqjkprerz.exe | cmdline: ypdwfakhqjkprerz.exe | PID 1672

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe . | PID 5600
  [2] C:\Windows\bxqoccrthflvcumzcnple.exe | cmdline: bxqoccrthflvcumzcnple.exe . | PID 4964
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxqoccrthflvcumzcnple.exe*." | PID 3032

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe | PID 5964
  [2] C:\Windows\ohxsdamlwrubfujttb.exe | cmdline: ohxsdamlwrubfujttb.exe | PID 4244

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe . | PID 5216
  [2] C:\Windows\ztkgsqddplpxcsitudd.exe | cmdline: ztkgsqddplpxcsitudd.exe . | PID 2964
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztkgsqddplpxcsitudd.exe*." | PID 5068

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | PID 1696
  [2] C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | PID 4296

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe . | PID 5916
  [2] C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe . | PID 5564
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*." | PID 4416

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | PID 3532
  [2] C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | PID 4460

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe . | PID 5108
  [2] C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe . | PID 1420
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxqoccrthflvcumzcnple.exe*." | PID 2296
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe | PID 1992
  [2] C:\Windows\mhzwjiwxkhmvbsjvxhid.exe | cmdline: mhzwjiwxkhmvbsjvxhid.exe | PID 4292

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe . | PID 2960
  [2] C:\Windows\bxqoccrthflvcumzcnple.exe | cmdline: bxqoccrthflvcumzcnple.exe . | PID 876
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxqoccrthflvcumzcnple.exe*." | PID 3952

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe | PID 4916
  [2] C:\Windows\bxqoccrthflvcumzcnple.exe | cmdline: bxqoccrthflvcumzcnple.exe | PID 4592

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe . | PID 3448
  [2] C:\Windows\bxqoccrthflvcumzcnple.exe | cmdline: bxqoccrthflvcumzcnple.exe . | PID 32
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxqoccrthflvcumzcnple.exe*." | PID 5340

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | PID 2556
  [2] C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | PID 2848

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe . | PID 5200
  [2] C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe . | PID 3084
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*." | PID 2788

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | PID 5528
  [2] C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | PID 1440

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe . | PID 228
  [2] C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe . | PID 3380
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*." | PID 4896
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe | PID 5736
  [2] C:\Windows\bxqoccrthflvcumzcnple.exe | cmdline: bxqoccrthflvcumzcnple.exe | PID 3880

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe . | PID 5748
  [2] C:\Windows\fxmgqmxvfzbhkymvu.exe | cmdline: fxmgqmxvfzbhkymvu.exe . | PID 64
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkym vu.exe*." | PID 4092

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe | PID 2624
  [2] C:\Windows\mhzwjiwxkhmvbsjvxhid.exe | cmdline: mhzwjiwxkhmvbsjvxhid.exe | PID 4716

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe . | PID 5224
  [2] C:\Windows\ypdwfakhqjkprerz.exe | cmdline: ypdwfakhqjkprerz.exe . | PID 2812
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ypdwfakhqjkprerz.exe*." | PID 1448

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | PID 444
  [2] C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | PID 5236

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe . | PID 2124
  [2] C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe . | PID 5244
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*." | PID 3064

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | PID 2844
  [2] C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | PID 1896

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe . | PID 2300
  [2] C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe . | PID 5088
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*." | PID 676
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe | PID 1340
  [2] C:\Windows\ztkgsqddplpxcsitudd.exe | cmdline: ztkgsqddplpxcsitudd.exe | PID 1000

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe | PID 2532
  [2] C:\Windows\ypdwfakhqjkprerz.exe | cmdline: ypdwfakhqjkprerz.exe | PID 1988

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe | PID 1884
  [2] C:\Windows\ztkgsqddplpxcsitudd.exe | cmdline: ztkgsqddplpxcsitudd.exe | PID 2836

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe . | PID 3592
  [2] C:\Windows\bxqoccrthflvcumzcnple.exe | cmdline: bxqoccrthflvcumzcnple.exe . | PID 5080
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxqoccrthflvcumzcnple.exe*." | PID 5880

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe . | PID 1652
  [2] C:\Windows\ztkgsqddplpxcsitudd.exe | cmdline: ztkgsqddplpxcsitudd.exe . | PID 5912
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztkgsqddplpxcsitudd.exe*." | PID 5268

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe . | PID 4000
  [2] C:\Windows\fxmgqmxvfzbhkymvu.exe | cmdline: fxmgqmxvfzbhkymvu.exe . | PID 5296
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*." | PID 5636

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe | PID 2756
  [2] C:\Windows\fxmgqmxvfzbhkymvu.exe | cmdline: fxmgqmxvfzbhkymvu.exe | PID 5896

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe | PID 544
  [2] C:\Windows\ohxsdamlwrubfujttb.exe | cmdline: ohxsdamlwrubfujttb.exe | PID 548

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe . | PID 4884
  [2] C:\Windows\bxqoccrthflvcumzcnple.exe | cmdline: bxqoccrthflvcumzcnple.exe . | PID 1300
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxqoccrthflvcumzcnple.exe*." | PID 5200

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe | PID 5068
  [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3908
  [2] C:\Windows\ohxsdamlwrubfujttb.exe | cmdline: ohxsdamlwrubfujttb.exe | PID 1992

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe . | PID 4840
  [2] C:\Windows\fxmgqmxvfzbhkymvu.exe | cmdline: fxmgqmxvfzbhkymvu.exe . | PID 4332
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*." | PID 4424

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe . | PID 8
  [2] C:\Windows\ohxsdamlwrubfujttb.exe | cmdline: ohxsdamlwrubfujttb.exe . | PID 3984
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*." | PID 5548

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | PID 6096
  [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2884
  [2] C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | PID 2848

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe | PID 4180
  [2] C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe | PID 5404

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe . | PID 5300
  [2] C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe . | PID 2812
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ypdwfakhqjkprerz.exe*." | PID 1476

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe | PID 2900
  [2] C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe | PID 1296

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe . | PID 4236
  [2] C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe . | PID 4536
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztkgsqddplpxcsitudd.exe*." | PID 6028
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe . | PID 5544
  [2] C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe . | PID 3036
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*." | PID 64

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | PID 3844
  [2] C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe | PID 5032

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe | PID 1740
  [2] C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe | PID 452

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe . | PID 1656
  [2] C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe . | PID 4516
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*." | PID 4456

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | PID 5176
  [2] C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe | PID 4092

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe . | PID 4348
  [2] C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe . | PID 1536
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztkgsqddplpxcsitudd.exe*." | PID 2144

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe . | PID 116
  [2] C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe . | PID 5788
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*." | PID 2624

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe | PID 2968
  [2] C:\Windows\ztkgsqddplpxcsitudd.exe | cmdline: ztkgsqddplpxcsitudd.exe | PID 5020

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe . | PID 4596
  [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5588
  [2] C:\Windows\fxmgqmxvfzbhkymvu.exe | cmdline: fxmgqmxvfzbhkymvu.exe . | PID 3064
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*." | PID 2364

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe | PID 4216
  [2] C:\Windows\bxqoccrthflvcumzcnple.exe | cmdline: bxqoccrthflvcumzcnple.exe | PID 1816

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe . | PID 2232
  [2] C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4788
  [2] C:\Windows\ohxsdamlwrubfujttb.exe | cmdline: ohxsdamlwrubfujttb.exe . | PID 6072
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*." | PID 4892

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | PID 3436
  [2] C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe | PID 3616

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe . | PID 3676
  [2] C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe . | PID 428
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztkgsqddplpxcsitudd.exe*." | PID 6068

[1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe | PID 2532
  [2] C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe | PID 5128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .1⤵PID:5572
-
C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exeC:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .2⤵
- Checks computer location settings
PID:5908 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxqoccrthflvcumzcnple.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe1⤵PID:3136
-
C:\Windows\ohxsdamlwrubfujttb.exeohxsdamlwrubfujttb.exe2⤵PID:4816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe .1⤵PID:3624
-
C:\Windows\bxqoccrthflvcumzcnple.exebxqoccrthflvcumzcnple.exe .2⤵PID:1968
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxqoccrthflvcumzcnple.exe*."3⤵PID:2588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe1⤵PID:3088
-
C:\Windows\ypdwfakhqjkprerz.exeypdwfakhqjkprerz.exe2⤵PID:3536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .1⤵PID:1440
-
C:\Windows\fxmgqmxvfzbhkymvu.exefxmgqmxvfzbhkymvu.exe .2⤵PID:1812
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."3⤵PID:4268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe1⤵PID:5992
-
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exeC:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe2⤵PID:4180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .1⤵PID:4212
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5860
-
-
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exeC:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .2⤵PID:5264
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*."3⤵PID:1616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe1⤵PID:3176
-
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exeC:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe2⤵PID:1492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .1⤵PID:1956
-
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exeC:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .2⤵PID:2508
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe1⤵PID:996
-
C:\Windows\bxqoccrthflvcumzcnple.exebxqoccrthflvcumzcnple.exe2⤵PID:1556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .1⤵PID:4636
-
C:\Windows\ohxsdamlwrubfujttb.exeohxsdamlwrubfujttb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."3⤵PID:1548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe1⤵PID:2960
-
C:\Windows\bxqoccrthflvcumzcnple.exebxqoccrthflvcumzcnple.exe2⤵PID:3224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe .1⤵PID:3424
-
C:\Windows\mhzwjiwxkhmvbsjvxhid.exemhzwjiwxkhmvbsjvxhid.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhzwjiwxkhmvbsjvxhid.exe*."3⤵PID:3508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe1⤵PID:2360
-
C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exeC:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe2⤵PID:4952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe .1⤵PID:3084
-
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exeC:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe .2⤵
- Checks computer location settings
PID:5032 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ypdwfakhqjkprerz.exe*."3⤵PID:3844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe1⤵PID:4760
-
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exeC:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe2⤵PID:5300
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .1⤵PID:1476
-
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exeC:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5956 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:5784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe1⤵PID:4508
-
C:\Windows\bxqoccrthflvcumzcnple.exebxqoccrthflvcumzcnple.exe2⤵PID:4404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .1⤵PID:1056
-
C:\Windows\fxmgqmxvfzbhkymvu.exefxmgqmxvfzbhkymvu.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2500 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."3⤵PID:3628
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe1⤵PID:3008
-
C:\Windows\ztkgsqddplpxcsitudd.exeztkgsqddplpxcsitudd.exe2⤵PID:4588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe .1⤵PID:3244
-
C:\Windows\ztkgsqddplpxcsitudd.exeztkgsqddplpxcsitudd.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5848 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztkgsqddplpxcsitudd.exe*."3⤵PID:6036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe1⤵PID:4188
-
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exeC:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe2⤵PID:4572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .1⤵PID:5128
-
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exeC:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1292 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*."3⤵PID:5268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe1⤵PID:5168
-
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exeC:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe2⤵PID:2568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .1⤵PID:732
-
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exeC:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .2⤵PID:3092
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe1⤵PID:5108
-
C:\Windows\fxmgqmxvfzbhkymvu.exefxmgqmxvfzbhkymvu.exe2⤵PID:4860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe .1⤵PID:4424
-
C:\Windows\ypdwfakhqjkprerz.exeypdwfakhqjkprerz.exe .2⤵PID:1920
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ypdwfakhqjkprerz.exe*."3⤵PID:2440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe1⤵PID:1400
-
C:\Windows\ohxsdamlwrubfujttb.exeohxsdamlwrubfujttb.exe2⤵PID:3400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe .1⤵PID:2900
-
C:\Windows\ypdwfakhqjkprerz.exeypdwfakhqjkprerz.exe .2⤵PID:5972
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ypdwfakhqjkprerz.exe*."3⤵PID:1740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe1⤵PID:4316
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1616
-
-
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exeC:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe2⤵PID:5340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .1⤵PID:6032
-
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exeC:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4492 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztkgsqddplpxcsitudd.exe*."3⤵PID:5556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe1⤵PID:3036
-
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exeC:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe2⤵PID:4408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .1⤵PID:4900
-
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exeC:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2384 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe1⤵PID:1256
-
C:\Windows\ypdwfakhqjkprerz.exeypdwfakhqjkprerz.exe2⤵PID:876
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .1⤵PID:1656
-
C:\Windows\ohxsdamlwrubfujttb.exeohxsdamlwrubfujttb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:808 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."3⤵PID:4072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe1⤵PID:1448
-
C:\Windows\fxmgqmxvfzbhkymvu.exefxmgqmxvfzbhkymvu.exe2⤵PID:1664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .1⤵PID:5312
-
C:\Windows\fxmgqmxvfzbhkymvu.exefxmgqmxvfzbhkymvu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1088 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."3⤵PID:220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe1⤵PID:3672
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2484
-
-
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exeC:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe2⤵PID:2812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .1⤵PID:460
-
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exeC:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5956 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*."3⤵PID:5560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe1⤵PID:2156
-
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exeC:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe2⤵PID:2124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .1⤵PID:1816
-
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exeC:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .2⤵
- Checks computer location settings
PID:5844 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe1⤵PID:3616
-
C:\Windows\ohxsdamlwrubfujttb.exeohxsdamlwrubfujttb.exe2⤵PID:5320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe1⤵PID:5400
-
C:\Windows\bxqoccrthflvcumzcnple.exebxqoccrthflvcumzcnple.exe2⤵PID:5368
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .1⤵PID:428
-
C:\Windows\ohxsdamlwrubfujttb.exeohxsdamlwrubfujttb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5600 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."3⤵PID:5168
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .1⤵PID:2964
-
C:\Windows\ohxsdamlwrubfujttb.exeohxsdamlwrubfujttb.exe .2⤵PID:5164
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."3⤵PID:4932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe1⤵PID:2300
-
C:\Windows\bxqoccrthflvcumzcnple.exebxqoccrthflvcumzcnple.exe2⤵PID:5900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe .1⤵PID:1540
-
C:\Windows\ztkgsqddplpxcsitudd.exeztkgsqddplpxcsitudd.exe .2⤵PID:1440
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztkgsqddplpxcsitudd.exe*."3⤵PID:5256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe1⤵PID:840
-
C:\Windows\ypdwfakhqjkprerz.exeypdwfakhqjkprerz.exe2⤵PID:4748
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe .1⤵PID:1968
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3092
-
-
C:\Windows\mhzwjiwxkhmvbsjvxhid.exemhzwjiwxkhmvbsjvxhid.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4084 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhzwjiwxkhmvbsjvxhid.exe*."3⤵PID:5376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe1⤵PID:5272
-
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exeC:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe2⤵PID:4960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe1⤵PID:4416
-
C:\Windows\ztkgsqddplpxcsitudd.exeztkgsqddplpxcsitudd.exe2⤵PID:5516
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe1⤵PID:2388
-
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exeC:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe2⤵PID:4576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .1⤵PID:3700
-
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exeC:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .2⤵
- Checks computer location settings
PID:5388 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*."3⤵PID:1184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .1⤵PID:2516
-
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exeC:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .2⤵PID:2384
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*."3⤵PID:116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .1⤵PID:4268
-
C:\Windows\fxmgqmxvfzbhkymvu.exefxmgqmxvfzbhkymvu.exe .2⤵PID:4408
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."3⤵PID:2136
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe1⤵PID:4840
-
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exeC:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe2⤵PID:872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe1⤵PID:3388
-
C:\Windows\bxqoccrthflvcumzcnple.exebxqoccrthflvcumzcnple.exe2⤵PID:3556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe1⤵PID:5916
-
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exeC:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe2⤵PID:2436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .1⤵PID:5504
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4092
-
-
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exeC:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .2⤵
- Checks computer location settings
PID:396 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe .1⤵PID:1332
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3036
-
-
C:\Windows\mhzwjiwxkhmvbsjvxhid.exemhzwjiwxkhmvbsjvxhid.exe .2⤵
- Checks computer location settings
PID:4916 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhzwjiwxkhmvbsjvxhid.exe*."3⤵PID:3424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .1⤵PID:5616
-
C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exeC:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4824 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxqoccrthflvcumzcnple.exe*."3⤵PID:5956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe1⤵PID:5332
-
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exeC:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe2⤵PID:3436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .1⤵PID:2628
-
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exeC:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .2⤵PID:1536
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztkgsqddplpxcsitudd.exe*."3⤵PID:5560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe1⤵PID:4720
-
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exeC:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe2⤵PID:5996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .1⤵PID:1092
-
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exeC:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5500 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*."3⤵PID:4972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe1⤵PID:1648
-
C:\Windows\mhzwjiwxkhmvbsjvxhid.exemhzwjiwxkhmvbsjvxhid.exe2⤵PID:2356
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .1⤵PID:5248
-
C:\Windows\ohxsdamlwrubfujttb.exeohxsdamlwrubfujttb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1000 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."3⤵PID:3264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe1⤵PID:1496
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4892
-
-
C:\Windows\mhzwjiwxkhmvbsjvxhid.exemhzwjiwxkhmvbsjvxhid.exe2⤵PID:5128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .1⤵PID:2532
-
C:\Windows\ohxsdamlwrubfujttb.exeohxsdamlwrubfujttb.exe .2⤵PID:6028
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."3⤵PID:732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe1⤵PID:1644
-
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exeC:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe2⤵PID:5532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .1⤵PID:452
-
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exeC:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .2⤵
- Checks computer location settings
PID:1916 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztkgsqddplpxcsitudd.exe*."3⤵PID:1468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe1⤵PID:312
-
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exeC:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe2⤵PID:1112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .1⤵PID:1416
-
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exeC:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .2⤵PID:5108
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe1⤵PID:1420
-
C:\Windows\mhzwjiwxkhmvbsjvxhid.exemhzwjiwxkhmvbsjvxhid.exe2⤵PID:5912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe .1⤵PID:3736
-
C:\Windows\mhzwjiwxkhmvbsjvxhid.exemhzwjiwxkhmvbsjvxhid.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5136 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhzwjiwxkhmvbsjvxhid.exe*."3⤵PID:5896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe1⤵PID:5236
-
C:\Windows\ztkgsqddplpxcsitudd.exeztkgsqddplpxcsitudd.exe2⤵PID:3668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .1⤵PID:5228
-
C:\Windows\fxmgqmxvfzbhkymvu.exefxmgqmxvfzbhkymvu.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4192 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."3⤵PID:624
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe1⤵PID:5840
-
C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exeC:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe2⤵PID:3932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .1⤵PID:4776
-
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exeC:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .2⤵
- Checks computer location settings
PID:1336 -
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*."3⤵PID:708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe1⤵PID:5020
-
  C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe (PID 1572): C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe

C:\Windows\system32\cmd.exe (PID 1412): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe .
  C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe (PID 5204): C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 208): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ypdwfakhqjkprerz.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe (PID 4744): C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe
  C:\Windows\ztkgsqddplpxcsitudd.exe (PID 1400): ztkgsqddplpxcsitudd.exe

C:\Windows\system32\cmd.exe (PID 5076): C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .
  C:\Windows\ohxsdamlwrubfujttb.exe (PID 2420): ohxsdamlwrubfujttb.exe .
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 1172): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."

C:\Windows\system32\cmd.exe (PID 4456): C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe
  C:\Windows\mhzwjiwxkhmvbsjvxhid.exe (PID 5244): mhzwjiwxkhmvbsjvxhid.exe

C:\Windows\system32\cmd.exe (PID 3224): C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .
  C:\Windows\fxmgqmxvfzbhkymvu.exe (PID 1008): fxmgqmxvfzbhkymvu.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 1848): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."

C:\Windows\system32\cmd.exe (PID 1504): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe (PID 2284): C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe

C:\Windows\system32\cmd.exe (PID 4396): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe .
  C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe (PID 5500): C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe .
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 3972): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ypdwfakhqjkprerz.exe*."

C:\Windows\system32\cmd.exe (PID 5944): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe (PID 5600): C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe

C:\Windows\system32\cmd.exe (PID 2836): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe .
  C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe (PID 2256): C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 4588): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ypdwfakhqjkprerz.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe (PID 5368): C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe
  C:\Windows\ztkgsqddplpxcsitudd.exe (PID 5248): ztkgsqddplpxcsitudd.exe

C:\Windows\system32\cmd.exe (PID 4404): C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .
  C:\Windows\ohxsdamlwrubfujttb.exe (PID 5848): ohxsdamlwrubfujttb.exe .
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 4336): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."

C:\Windows\system32\cmd.exe (PID 4368): C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe
  C:\Windows\ypdwfakhqjkprerz.exe (PID 552): ypdwfakhqjkprerz.exe

C:\Windows\system32\cmd.exe (PID 6028): C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .
  C:\Windows\ohxsdamlwrubfujttb.exe (PID 5416): ohxsdamlwrubfujttb.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 2520): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."

C:\Windows\system32\cmd.exe (PID 884): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe
  C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe (PID 1468): C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe

C:\Windows\system32\cmd.exe (PID 3952): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .
  C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe (PID 3608): C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 744): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxqoccrthflvcumzcnple.exe*."

C:\Windows\system32\cmd.exe (PID 4248): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe
  C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe (PID 3204): C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe

C:\Windows\system32\cmd.exe (PID 1756): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
  C:\Windows\System32\Conhost.exe (PID 5080): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe (PID 648): C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 1256): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*."

C:\Windows\system32\cmd.exe (PID 2492): C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe
  C:\Windows\mhzwjiwxkhmvbsjvxhid.exe (PID 116): mhzwjiwxkhmvbsjvxhid.exe

C:\Windows\system32\cmd.exe (PID 876): C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe .
  C:\Windows\mhzwjiwxkhmvbsjvxhid.exe (PID 4516): mhzwjiwxkhmvbsjvxhid.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 384): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhzwjiwxkhmvbsjvxhid.exe*."

C:\Windows\system32\cmd.exe (PID 3556): C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe
  C:\Windows\ztkgsqddplpxcsitudd.exe (PID 5212): ztkgsqddplpxcsitudd.exe

C:\Windows\system32\cmd.exe (PID 1328): C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe .
  C:\Windows\mhzwjiwxkhmvbsjvxhid.exe (PID 5740): mhzwjiwxkhmvbsjvxhid.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 6032): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhzwjiwxkhmvbsjvxhid.exe*."

C:\Windows\system32\cmd.exe (PID 6044): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe (PID 2396): C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe

C:\Windows\system32\cmd.exe (PID 5004): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
  C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe (PID 5228): C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 1924): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*."

C:\Windows\system32\cmd.exe (PID 5428): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe (PID 2056): C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe

C:\Windows\system32\cmd.exe (PID 2276): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .
  C:\Windows\System32\Conhost.exe (PID 5956): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe (PID 3064): C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 4696): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxqoccrthflvcumzcnple.exe*."

C:\Windows\system32\cmd.exe (PID 5504): C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe
  C:\Windows\ohxsdamlwrubfujttb.exe (PID 444): ohxsdamlwrubfujttb.exe

C:\Windows\system32\cmd.exe (PID 2420): C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe .
  C:\Windows\System32\Conhost.exe (PID 1300): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\ypdwfakhqjkprerz.exe (PID 1192): ypdwfakhqjkprerz.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 3328): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ypdwfakhqjkprerz.exe*."

C:\Windows\system32\cmd.exe (PID 5140): C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe
  C:\Windows\ohxsdamlwrubfujttb.exe (PID 4784): ohxsdamlwrubfujttb.exe

C:\Windows\system32\cmd.exe (PID 2364): C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe .
  C:\Windows\bxqoccrthflvcumzcnple.exe (PID 2084): bxqoccrthflvcumzcnple.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 1032): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxqoccrthflvcumzcnple.exe*."

C:\Windows\system32\cmd.exe (PID 1672): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe (PID 5500): C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe

C:\Windows\system32\cmd.exe (PID 5224): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
  C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe (PID 5092): C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 1228): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*."

C:\Windows\system32\cmd.exe (PID 2676): C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe
  C:\Windows\ztkgsqddplpxcsitudd.exe (PID 3008): ztkgsqddplpxcsitudd.exe

C:\Windows\system32\cmd.exe (PID 5600): C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe
  C:\Windows\mhzwjiwxkhmvbsjvxhid.exe (PID 1056): mhzwjiwxkhmvbsjvxhid.exe

C:\Windows\system32\cmd.exe (PID 6036): C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe .
  C:\Windows\System32\Conhost.exe (PID 2964): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\ypdwfakhqjkprerz.exe (PID 1780): ypdwfakhqjkprerz.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 3240): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ypdwfakhqjkprerz.exe*."

C:\Windows\system32\cmd.exe (PID 1648): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe (PID 4748): C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe

C:\Windows\system32\cmd.exe (PID 5460): C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe .
  C:\Windows\mhzwjiwxkhmvbsjvxhid.exe (PID 4404): mhzwjiwxkhmvbsjvxhid.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 4004): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhzwjiwxkhmvbsjvxhid.exe*."

C:\Windows\system32\cmd.exe (PID 5548): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
  C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe (PID 3608): C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 4532): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*."

C:\Windows\system32\cmd.exe (PID 3624): C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe
  C:\Windows\ypdwfakhqjkprerz.exe (PID 5048): ypdwfakhqjkprerz.exe

C:\Windows\system32\cmd.exe (PID 4448): C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe
  C:\Windows\ztkgsqddplpxcsitudd.exe (PID 4588): ztkgsqddplpxcsitudd.exe

C:\Windows\system32\cmd.exe (PID 6016): C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe .
  C:\Windows\mhzwjiwxkhmvbsjvxhid.exe (PID 5272): mhzwjiwxkhmvbsjvxhid.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 3048): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhzwjiwxkhmvbsjvxhid.exe*."

C:\Windows\system32\cmd.exe (PID 4320): C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe .
  C:\Windows\System32\Conhost.exe (PID 5880): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\ypdwfakhqjkprerz.exe (PID 4460): ypdwfakhqjkprerz.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 2308): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ypdwfakhqjkprerz.exe*."

C:\Windows\system32\cmd.exe (PID 3400): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe (PID 5388): C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe

C:\Windows\system32\cmd.exe (PID 5448): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe (PID 5160): C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe

C:\Windows\system32\cmd.exe (PID 2844): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
  C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe (PID 5180): C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 4468): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*."

C:\Windows\system32\cmd.exe (PID 2824): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
  C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe (PID 4712): C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 5740): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*."

C:\Windows\system32\cmd.exe (PID 2316): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe (PID 1548): C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe

C:\Windows\system32\cmd.exe (PID 1636): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe
  C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe (PID 5312): C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe

C:\Windows\system32\cmd.exe (PID 3992): C:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe
  C:\Windows\ztkgsqddplpxcsitudd.exe (PID 2272): ztkgsqddplpxcsitudd.exe

C:\Windows\system32\cmd.exe (PID 3532): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
  C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe (PID 1744): C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 3228): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*."

C:\Windows\system32\cmd.exe (PID 5056): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .
  C:\Windows\System32\Conhost.exe (PID 1812): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe (PID 1572): C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 5508): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztkgsqddplpxcsitudd.exe*."

C:\Windows\system32\cmd.exe (PID 3976): C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe .
  C:\Windows\mhzwjiwxkhmvbsjvxhid.exe (PID 3832): mhzwjiwxkhmvbsjvxhid.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 4456): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhzwjiwxkhmvbsjvxhid.exe*."

C:\Windows\system32\cmd.exe (PID 5228): C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe
  C:\Windows\System32\Conhost.exe (PID 3084): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\fxmgqmxvfzbhkymvu.exe (PID 4784): fxmgqmxvfzbhkymvu.exe

C:\Windows\system32\cmd.exe (PID 2508): C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe .
  C:\Windows\bxqoccrthflvcumzcnple.exe (PID 220): bxqoccrthflvcumzcnple.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 4772): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxqoccrthflvcumzcnple.exe*."

C:\Windows\system32\cmd.exe (PID 3016): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe (PID 4920): C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe

C:\Windows\system32\cmd.exe (PID 2576): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
  C:\Windows\System32\Conhost.exe (PID 4000): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe (PID 1172): C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 2420): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*."

C:\Windows\system32\cmd.exe (PID 5604): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe (PID 2340): C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe

C:\Windows\system32\cmd.exe (PID 4780): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
  C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe (PID 4976): C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 1672): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*."

C:\Windows\system32\cmd.exe (PID 4972): C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe
  C:\Windows\ypdwfakhqjkprerz.exe (PID 5320): ypdwfakhqjkprerz.exe

C:\Windows\system32\cmd.exe (PID 208): C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .
  C:\Windows\fxmgqmxvfzbhkymvu.exe (PID 1228): fxmgqmxvfzbhkymvu.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 4696): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."

C:\Windows\system32\cmd.exe (PID 4792): C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe
  C:\Windows\bxqoccrthflvcumzcnple.exe (PID 5400): bxqoccrthflvcumzcnple.exe

C:\Windows\system32\cmd.exe (PID 6108): C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .
  C:\Windows\fxmgqmxvfzbhkymvu.exe (PID 744): fxmgqmxvfzbhkymvu.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 648): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."

C:\Windows\system32\cmd.exe (PID 3592): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe (PID 4244): C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe

C:\Windows\system32\cmd.exe (PID 1652): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
  C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe (PID 1928): C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 4932): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*."

C:\Windows\system32\cmd.exe (PID 4180): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe (PID 3244): C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe

C:\Windows\system32\cmd.exe (PID 1952): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .
  C:\Windows\System32\Conhost.exe (PID 5268): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe (PID 384): C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 1408): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztkgsqddplpxcsitudd.exe*."

C:\Windows\system32\cmd.exe (PID 624): C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe
  C:\Windows\System32\Conhost.exe (PID 676): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\ohxsdamlwrubfujttb.exe (PID 4544): ohxsdamlwrubfujttb.exe

C:\Windows\system32\cmd.exe (PID 5860): C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .
  C:\Windows\fxmgqmxvfzbhkymvu.exe (PID 4316): fxmgqmxvfzbhkymvu.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 4536): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."

C:\Windows\system32\cmd.exe (PID 2396): C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe
  C:\Windows\ypdwfakhqjkprerz.exe (PID 3704): ypdwfakhqjkprerz.exe

C:\Windows\system32\cmd.exe (PID 2844): C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .
  C:\Windows\fxmgqmxvfzbhkymvu.exe (PID 5564): fxmgqmxvfzbhkymvu.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 1896): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."

C:\Windows\system32\cmd.exe (PID 2972): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe (PID 5004): C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe

C:\Windows\system32\cmd.exe (PID 1448): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .
  C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe (PID 4732): C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 3532): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxqoccrthflvcumzcnple.exe*."

C:\Windows\system32\cmd.exe (PID 720): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe (PID 1128): C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe

C:\Windows\system32\cmd.exe (PID 116): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .
  C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe (PID 1760): C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 5908): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxqoccrthflvcumzcnple.exe*."

C:\Windows\system32\cmd.exe (PID 4772): C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe
  C:\Windows\fxmgqmxvfzbhkymvu.exe (PID 5020): fxmgqmxvfzbhkymvu.exe

C:\Windows\system32\cmd.exe (PID 5588): C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe .
  C:\Windows\bxqoccrthflvcumzcnple.exe (PID 1492): bxqoccrthflvcumzcnple.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 1000): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxqoccrthflvcumzcnple.exe*."

C:\Windows\system32\cmd.exe (PID 4620): C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe
  C:\Windows\ohxsdamlwrubfujttb.exe (PID 1516): ohxsdamlwrubfujttb.exe

C:\Windows\system32\cmd.exe (PID 4192): C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .
  C:\Windows\ohxsdamlwrubfujttb.exe (PID 5412): ohxsdamlwrubfujttb.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 5856): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."

C:\Windows\system32\cmd.exe (PID 3536): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe
  C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe (PID 5468): C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe

C:\Windows\system32\cmd.exe (PID 1692): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
  C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe (PID 4608): C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 840): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*."

C:\Windows\system32\cmd.exe (PID 4348): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe (PID 1064): C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe

C:\Windows\system32\cmd.exe (PID 1292): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
  C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe (PID 916): C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 5556): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*."

C:\Windows\system32\cmd.exe (PID 4600): C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe
  C:\Windows\fxmgqmxvfzbhkymvu.exe (PID 2232): fxmgqmxvfzbhkymvu.exe

C:\Windows\system32\cmd.exe (PID 956): C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .
  C:\Windows\ohxsdamlwrubfujttb.exe (PID 4584): ohxsdamlwrubfujttb.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 208): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."

C:\Windows\system32\cmd.exe (PID 5188): C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe
  C:\Windows\ohxsdamlwrubfujttb.exe (PID 5876): ohxsdamlwrubfujttb.exe

C:\Windows\system32\cmd.exe (PID 4724): C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .
  C:\Windows\ohxsdamlwrubfujttb.exe (PID 5380): ohxsdamlwrubfujttb.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 4748): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."

C:\Windows\system32\cmd.exe (PID 4532): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe
  C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe (PID 2500): C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe

C:\Windows\system32\cmd.exe (PID 5904): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
  C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe (PID 1644): C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 8): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*."

C:\Windows\system32\cmd.exe (PID 996): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe
  C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe (PID 1112): C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe

C:\Windows\system32\cmd.exe (PID 732): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .
  C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe (PID 2484): C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 6056): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztkgsqddplpxcsitudd.exe*."

C:\Windows\system32\cmd.exe (PID 3056): C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe
  C:\Windows\ohxsdamlwrubfujttb.exe (PID 1476): ohxsdamlwrubfujttb.exe

C:\Windows\system32\cmd.exe (PID 2292): C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .
  C:\Windows\fxmgqmxvfzbhkymvu.exe (PID 1548): fxmgqmxvfzbhkymvu.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 2316): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."

C:\Windows\system32\cmd.exe (PID 5296): C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe
  C:\Windows\ypdwfakhqjkprerz.exe (PID 5340): ypdwfakhqjkprerz.exe

C:\Windows\system32\cmd.exe (PID 5860): C:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe .
  C:\Windows\bxqoccrthflvcumzcnple.exe (PID 5888): bxqoccrthflvcumzcnple.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 3984): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxqoccrthflvcumzcnple.exe*."

C:\Windows\system32\cmd.exe (PID 3200): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe
  C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe (PID 2852): C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe

C:\Windows\system32\cmd.exe (PID 4604): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .
  C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe (PID 6124): C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 3356): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxqoccrthflvcumzcnple.exe*."

C:\Windows\system32\cmd.exe (PID 2240): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe (PID 3532): C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe

C:\Windows\system32\cmd.exe (PID 1448): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .
  C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe (PID 5896): C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 2308): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztkgsqddplpxcsitudd.exe*."

C:\Windows\system32\cmd.exe (PID 1132): C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe
  C:\Windows\System32\Conhost.exe (PID 4072): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\ohxsdamlwrubfujttb.exe (PID 6100): ohxsdamlwrubfujttb.exe

C:\Windows\system32\cmd.exe (PID 2448): C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe
  C:\Windows\mhzwjiwxkhmvbsjvxhid.exe (PID 1076): mhzwjiwxkhmvbsjvxhid.exe

C:\Windows\system32\cmd.exe (PID 4952): C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe
  C:\Windows\mhzwjiwxkhmvbsjvxhid.exe (PID 4404): mhzwjiwxkhmvbsjvxhid.exe

C:\Windows\system32\cmd.exe (PID 4900): C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .
  C:\Windows\System32\Conhost.exe (PID 4960): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\ohxsdamlwrubfujttb.exe (PID 5528): ohxsdamlwrubfujttb.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 5228): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."

C:\Windows\system32\cmd.exe (PID 1452): C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .
  C:\Windows\fxmgqmxvfzbhkymvu.exe (PID 60): fxmgqmxvfzbhkymvu.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 1696): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."

C:\Windows\system32\cmd.exe (PID 1192): C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .
  C:\Windows\fxmgqmxvfzbhkymvu.exe (PID 4752): fxmgqmxvfzbhkymvu.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 5892): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."

C:\Windows\system32\cmd.exe (PID 1592): C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe
  C:\Windows\ohxsdamlwrubfujttb.exe (PID 4292): ohxsdamlwrubfujttb.exe

C:\Windows\system32\cmd.exe (PID 5124): C:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe
  C:\Windows\ypdwfakhqjkprerz.exe (PID 3464): ypdwfakhqjkprerz.exe

C:\Windows\system32\cmd.exe (PID 4192): C:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .
  C:\Windows\ohxsdamlwrubfujttb.exe (PID 4300): ohxsdamlwrubfujttb.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 4824): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."

C:\Windows\system32\cmd.exe (PID 4104): C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe
  C:\Windows\fxmgqmxvfzbhkymvu.exe (PID 4532): fxmgqmxvfzbhkymvu.exe

C:\Windows\system32\cmd.exe (PID 2520): C:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .
  C:\Windows\fxmgqmxvfzbhkymvu.exe (PID 1648): fxmgqmxvfzbhkymvu.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 3944): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."

C:\Windows\system32\cmd.exe (PID 6028): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe
  C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe (PID 5560): C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe

C:\Windows\system32\cmd.exe (PID 1848): C:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe .
  C:\Windows\mhzwjiwxkhmvbsjvxhid.exe (PID 1112): mhzwjiwxkhmvbsjvxhid.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 3596): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhzwjiwxkhmvbsjvxhid.exe*."

C:\Windows\system32\cmd.exe (PID 5788): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe (PID 3984): C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe

C:\Windows\system32\cmd.exe (PID 1032): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
  C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe (PID 4896): C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 2492): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*."

C:\Windows\system32\cmd.exe (PID 5060): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe
  C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe (PID 3704): C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe

C:\Windows\system32\cmd.exe (PID 2356): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
  C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe (PID 5168): C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 676): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*."

C:\Windows\system32\cmd.exe (PID 5400): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
  C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe (PID 4180): C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .
    C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe (PID 2388): "C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*."

C:\Windows\system32\cmd.exe (PID 5752): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe
  C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe (PID 1496): C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe

C:\Windows\system32\cmd.exe (PID 5572): C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6072
-
-
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exeC:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .2⤵PID:4148
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*."3⤵PID:4044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe1⤵PID:1864
-
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exeC:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe2⤵PID:5888
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe1⤵PID:4400
-
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exeC:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe2⤵PID:808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .1⤵PID:4748
-
C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exeC:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .2⤵PID:3260
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxqoccrthflvcumzcnple.exe*."3⤵PID:1924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .1⤵PID:8
-
C:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exeC:\Users\Admin\AppData\Local\Temp\bxqoccrthflvcumzcnple.exe .2⤵PID:3636
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\bxqoccrthflvcumzcnple.exe*."3⤵PID:2728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe1⤵PID:4212
-
C:\Windows\fxmgqmxvfzbhkymvu.exefxmgqmxvfzbhkymvu.exe2⤵PID:3992
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe .1⤵PID:4352
-
C:\Windows\ztkgsqddplpxcsitudd.exeztkgsqddplpxcsitudd.exe .2⤵PID:5860
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztkgsqddplpxcsitudd.exe*."3⤵PID:6056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe1⤵PID:2856
-
C:\Windows\mhzwjiwxkhmvbsjvxhid.exemhzwjiwxkhmvbsjvxhid.exe2⤵PID:6064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe .1⤵PID:5524
-
C:\Windows\ztkgsqddplpxcsitudd.exeztkgsqddplpxcsitudd.exe .2⤵PID:2876
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztkgsqddplpxcsitudd.exe*."3⤵PID:1076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe1⤵PID:4576
-
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exeC:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe2⤵PID:4176
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .1⤵PID:5196
-
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exeC:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .2⤵PID:1296
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztkgsqddplpxcsitudd.exe*."3⤵PID:1400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe1⤵PID:220
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5020
-
-
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exeC:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe2⤵PID:708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .1⤵PID:5808
-
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exeC:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .2⤵PID:1152
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*."3⤵PID:4572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe1⤵PID:5560
-
C:\Windows\ztkgsqddplpxcsitudd.exeztkgsqddplpxcsitudd.exe2⤵PID:3828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .1⤵PID:4480
-
C:\Windows\fxmgqmxvfzbhkymvu.exefxmgqmxvfzbhkymvu.exe .2⤵PID:4248
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."3⤵PID:1648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe1⤵PID:5144
-
C:\Windows\fxmgqmxvfzbhkymvu.exefxmgqmxvfzbhkymvu.exe2⤵PID:4312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe .1⤵PID:1972
-
C:\Windows\bxqoccrthflvcumzcnple.exebxqoccrthflvcumzcnple.exe .2⤵PID:5844
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxqoccrthflvcumzcnple.exe*."3⤵PID:1952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe1⤵PID:2364
-
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exeC:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe2⤵PID:6068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe .1⤵PID:4084
-
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exeC:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe .2⤵PID:5972
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ypdwfakhqjkprerz.exe*."3⤵PID:1092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe1⤵PID:3104
-
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exeC:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe2⤵PID:3708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .1⤵PID:6088
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:876
-
-
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exeC:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .2⤵PID:1884
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*."3⤵PID:2340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe1⤵PID:3092
-
C:\Windows\ztkgsqddplpxcsitudd.exeztkgsqddplpxcsitudd.exe2⤵PID:2388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .1⤵PID:3056
-
C:\Windows\fxmgqmxvfzbhkymvu.exefxmgqmxvfzbhkymvu.exe .2⤵PID:5556
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."3⤵PID:2356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe1⤵PID:5224
-
C:\Windows\fxmgqmxvfzbhkymvu.exefxmgqmxvfzbhkymvu.exe2⤵PID:3244
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .1⤵PID:3380
-
C:\Windows\ohxsdamlwrubfujttb.exeohxsdamlwrubfujttb.exe .2⤵PID:5760
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."3⤵PID:4844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe1⤵PID:5408
-
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exeC:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe2⤵PID:3428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .1⤵PID:4760
-
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exeC:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe .2⤵PID:4004
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ztkgsqddplpxcsitudd.exe*."3⤵PID:2708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe1⤵PID:5888
-
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exeC:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe2⤵PID:5248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .1⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exeC:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .2⤵PID:2256
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*."3⤵PID:4528
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe1⤵PID:4292
-
C:\Windows\ypdwfakhqjkprerz.exeypdwfakhqjkprerz.exe2⤵PID:1592
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe .1⤵PID:5528
-
C:\Windows\fxmgqmxvfzbhkymvu.exefxmgqmxvfzbhkymvu.exe .2⤵PID:1524
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\fxmgqmxvfzbhkymvu.exe*."3⤵PID:1656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe1⤵PID:5264
-
C:\Windows\ztkgsqddplpxcsitudd.exeztkgsqddplpxcsitudd.exe2⤵PID:4192
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe .1⤵PID:3284
-
C:\Windows\ztkgsqddplpxcsitudd.exeztkgsqddplpxcsitudd.exe .2⤵PID:2844
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztkgsqddplpxcsitudd.exe*."3⤵PID:452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe1⤵PID:6056
-
C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exeC:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe2⤵PID:6064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .1⤵PID:3388
-
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exeC:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .2⤵PID:1320
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*."3⤵PID:4320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe1⤵PID:1076
-
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exeC:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe2⤵PID:1920
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe .1⤵PID:1956
-
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exeC:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe .2⤵PID:4788
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ypdwfakhqjkprerz.exe*."3⤵PID:4744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe1⤵PID:5420
-
C:\Windows\ohxsdamlwrubfujttb.exeohxsdamlwrubfujttb.exe2⤵PID:1152
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe .1⤵PID:4428
-
C:\Windows\ypdwfakhqjkprerz.exeypdwfakhqjkprerz.exe .2⤵PID:764
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ypdwfakhqjkprerz.exe*."3⤵PID:5188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe1⤵PID:552
-
C:\Windows\fxmgqmxvfzbhkymvu.exefxmgqmxvfzbhkymvu.exe2⤵PID:1544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe .1⤵PID:2284
-
C:\Windows\mhzwjiwxkhmvbsjvxhid.exemhzwjiwxkhmvbsjvxhid.exe .2⤵PID:4248
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\mhzwjiwxkhmvbsjvxhid.exe*."3⤵PID:5416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe1⤵PID:5864
-
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exeC:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe2⤵PID:840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe .1⤵PID:1780
-
C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exeC:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe .2⤵PID:5768
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ypdwfakhqjkprerz.exe*."3⤵PID:4232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe1⤵PID:2364
-
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exeC:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe2⤵PID:2964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .1⤵PID:1972
-
C:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exeC:\Users\Admin\AppData\Local\Temp\ohxsdamlwrubfujttb.exe .2⤵PID:5204
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\ohxsdamlwrubfujttb.exe*."3⤵PID:808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe1⤵PID:2556
-
C:\Windows\ypdwfakhqjkprerz.exeypdwfakhqjkprerz.exe2⤵PID:6004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe .1⤵PID:2956
-
C:\Windows\bxqoccrthflvcumzcnple.exebxqoccrthflvcumzcnple.exe .2⤵PID:2932
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\bxqoccrthflvcumzcnple.exe*."3⤵PID:1020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe1⤵PID:4804
-
C:\Windows\bxqoccrthflvcumzcnple.exebxqoccrthflvcumzcnple.exe2⤵PID:2700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .1⤵PID:5312
-
C:\Windows\ohxsdamlwrubfujttb.exeohxsdamlwrubfujttb.exe .2⤵PID:2024
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ohxsdamlwrubfujttb.exe*."3⤵PID:4912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe1⤵PID:2852
-
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exeC:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe2⤵PID:5744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .1⤵PID:744
-
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exeC:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .2⤵PID:4868
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\fxmgqmxvfzbhkymvu.exe*."3⤵PID:2484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe1⤵PID:4268
-
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exeC:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe2⤵PID:4420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .1⤵PID:5760
-
C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exeC:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .2⤵PID:2740
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\users\admin\appdata\local\temp\mhzwjiwxkhmvbsjvxhid.exe*."3⤵PID:1864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe1⤵PID:4748
-
C:\Windows\ohxsdamlwrubfujttb.exeohxsdamlwrubfujttb.exe2⤵PID:5248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fxmgqmxvfzbhkymvu.exe1⤵PID:4544
-
C:\Windows\fxmgqmxvfzbhkymvu.exefxmgqmxvfzbhkymvu.exe2⤵PID:3984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe .1⤵PID:3224
-
C:\Windows\ztkgsqddplpxcsitudd.exeztkgsqddplpxcsitudd.exe .2⤵PID:4204
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztkgsqddplpxcsitudd.exe*."3⤵PID:4860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe .1⤵PID:4068
-
C:\Windows\ztkgsqddplpxcsitudd.exeztkgsqddplpxcsitudd.exe .2⤵PID:3520
-
C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe"C:\Users\Admin\AppData\Local\Temp\bbygorkllli.exe" "c:\windows\ztkgsqddplpxcsitudd.exe*."3⤵PID:836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ypdwfakhqjkprerz.exe1⤵PID:6092
-
C:\Windows\ypdwfakhqjkprerz.exeypdwfakhqjkprerz.exe2⤵PID:4452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mhzwjiwxkhmvbsjvxhid.exe1⤵PID:5460
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .1⤵PID:2436
-
C:\Windows\ohxsdamlwrubfujttb.exeohxsdamlwrubfujttb.exe .2⤵PID:1516
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bxqoccrthflvcumzcnple.exe .1⤵PID:5960
-
C:\Windows\bxqoccrthflvcumzcnple.exebxqoccrthflvcumzcnple.exe .2⤵PID:1152
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe1⤵PID:5528
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ztkgsqddplpxcsitudd.exe1⤵PID:5632
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe1⤵PID:2672
-
C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exeC:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe2⤵PID:4784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fxmgqmxvfzbhkymvu.exe .1⤵PID:1636
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mhzwjiwxkhmvbsjvxhid.exe .1⤵PID:5176
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe .1⤵PID:5464
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztkgsqddplpxcsitudd.exe1⤵PID:5764
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ohxsdamlwrubfujttb.exe1⤵PID:4092
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypdwfakhqjkprerz.exe1⤵PID:2140
Network
MITRE ATT&CK Enterprise v16 (technique, with the number of matching signatures in parentheses)
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads