Analysis

max time kernel: 42s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250410-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/04/2025, 15:31
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_b838d06aa2f9970dfda79463310cf899.exe
Resource: win10v2004-20250410-en

General

Target: JaffaCakes118_b838d06aa2f9970dfda79463310cf899.exe
Size: 556KB
MD5: b838d06aa2f9970dfda79463310cf899
SHA1: 7cb1355674415ed0f529a2917ab16e7c69dfaca2
SHA256: 858805f6ee17321afae6ca22e35791ac8e1391dfe77317d0c0681f4f43c08aa3
SHA512: 9ebe4450eb441af897555d3a59d723b8accf24fc1409948841d3adf238f88151ef06982db2befd7dc8bc153d35189a2c71941a02ccb9631c4c27932e84a6389d
SSDEEP: 6144:gj6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrionr:S6onxOp8FySpE5zvIdtU+Ymef
Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 20 IoCs)
Pykspa family

UAC bypass (3 TTPs, 29 IoCs)
Detect Pykspa worm (2 IoCs)
resource  yara_rule
behavioral1/files/0x001900000002404c-4.dat  family_pykspa
behavioral1/files/0x000200000001e732-85.dat  family_pykspa
Adds policy Run key to start application (2 TTPs, 64 IoCs)
Blocklisted process makes network request (1 IoCs)
flow  pid  Process
42  4136  sihclient.exe
Disables RegEdit via registry modification (6 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  tzjwwfytdjt.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  tzjwwfytdjt.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  tijxeik.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  tijxeik.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  tijxeik.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  tijxeik.exe
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE (64 IoCs)
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description  ioc  Process
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc  tijxeik.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager  tijxeik.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys  tijxeik.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc  tijxeik.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power  tijxeik.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys  tijxeik.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kekdpyftkubm = "zyjhymyrncoexdsrs.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgojxirhamviyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqaxnaldymxmejxv.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jelfsckzrckwl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\giwxrixtskzsoxprviky.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngldowcpfou = "zyjhymyrncoexdsrs.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgojxirhamviyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\giwxrixtskzsoxprviky.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgojxirhamviyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\giwxrixtskzsoxprviky.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqtjsycnb = "tuhhaqezxocupxopsef.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zqtjsycnb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\giwxrixtskzsoxprviky.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jelfsckzrckwl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqaxnaldymxmejxv.exe ." 
tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngldowcpfou = "iiutlanheuhyszpprc.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kekdpyftkubm = "giwxrixtskzsoxprviky.exe ." tijxeik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iyapxcfp = "giwxrixtskzsoxprviky.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyapxcfp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\giwxrixtskzsoxprviky.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jelfsckzrckwl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iiutlanheuhyszpprc.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iyapxcfp = "zyjhymyrncoexdsrs.exe" tijxeik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jelfsckzrckwl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\giwxrixtskzsoxprviky.exe ." tijxeik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqtjsycnb = "sqaxnaldymxmejxv.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vlbpkyrfxicncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdxpogdvrgetmirjlpfz.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jelfsckzrckwl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tuhhaqezxocupxopsef.exe ." 
tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyapxcfp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\giwxrixtskzsoxprviky.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iyapxcfp = "iiutlanheuhyszpprc.exe" tijxeik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kgojxirhamviyb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\giwxrixtskzsoxprviky.exe" tijxeik.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iyapxcfp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\giwxrixtskzsoxprviky.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jelfsckzrckwl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tuhhaqezxocupxopsef.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngldowcpfou = "vynpkcsppiyspzsvaorgi.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vfpxmuhpbg = "ctkzvketmytfvouji.exe" tzjwwfytdjt.exe -
Checks whether UAC is enabled 1 TTPs 40 IoCs
The recorded registry operations include both reads of EnableLUA and writes that set EnableLUA = "0", i.e. the sample does not merely check UAC state but disables UAC prompting outright.
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" tzjwwfytdjt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" tijxeik.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" tijxeik.exe
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
39 whatismyip.everdot.org
43 www.whatismyip.ca
19 whatismyip.everdot.org
23 www.whatismyip.ca
26 whatismyipaddress.com
30 whatismyip.everdot.org
32 www.showmyipaddress.com
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 4 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\vihtyaahruuyfzcpecpoafhhoyb.fmg tijxeik.exe
File created C:\Program Files (x86)\vihtyaahruuyfzcpecpoafhhoyb.fmg tijxeik.exe
File opened for modification C:\Program Files (x86)\sqaxnaldymxmejxvvecmjzmxpkyjyqvjhhqoyv.yjb tijxeik.exe
File created C:\Program Files (x86)\sqaxnaldymxmejxvvecmjzmxpkyjyqvjhhqoyv.yjb tijxeik.exe
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
| Description | PID | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2464 | tijxeik.exe |
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 64 IoCs
| Description | IoC | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | tzjwwfytdjt.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | tzjwwfytdjt.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | tijxeik.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | tijxeik.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | tijxeik.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | tijxeik.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | tzjwwfytdjt.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | tzjwwfytdjt.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | tijxeik.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | tijxeik.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | tijxeik.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | tijxeik.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | tzjwwfytdjt.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | tzjwwfytdjt.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tijxeik.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | tijxeik.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | tijxeik.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | tijxeik.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tijxeik.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | tijxeik.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | tijxeik.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | tijxeik.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | tijxeik.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | tijxeik.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | tzjwwfytdjt.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | tzjwwfytdjt.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | tijxeik.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | tijxeik.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | tijxeik.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | tijxeik.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | tzjwwfytdjt.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tzjwwfytdjt.exe |
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b838d06aa2f9970dfda79463310cf899.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b838d06aa2f9970dfda79463310cf899.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_b838d06aa2f9970dfda79463310cf899.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4412 -
C:\Users\Admin\AppData\Local\Temp\tijxeik.exe"C:\Users\Admin\AppData\Local\Temp\tijxeik.exe" "-C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:1196
-
-
C:\Users\Admin\AppData\Local\Temp\tijxeik.exe"C:\Users\Admin\AppData\Local\Temp\tijxeik.exe" "-C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyjhymyrncoexdsrs.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\zyjhymyrncoexdsrs.exezyjhymyrncoexdsrs.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyjhymyrncoexdsrs.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\zyjhymyrncoexdsrs.exezyjhymyrncoexdsrs.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\zyjhymyrncoexdsrs.exe*."3⤵
- Executes dropped EXE
PID:2512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sqaxnaldymxmejxv.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\sqaxnaldymxmejxv.exesqaxnaldymxmejxv.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3164
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:3596 -
C:\Windows\iiutlanheuhyszpprc.exeiiutlanheuhyszpprc.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\iiutlanheuhyszpprc.exe*."3⤵
- Executes dropped EXE
PID:1040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exeC:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\zyjhymyrncoexdsrs.exe*."3⤵
- Executes dropped EXE
PID:1088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exeC:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exeC:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\tuhhaqezxocupxopsef.exe*."3⤵
- Executes dropped EXE
PID:456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe1⤵
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\giwxrixtskzsoxprviky.exegiwxrixtskzsoxprviky.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4924
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\vynpkcsppiyspzsvaorgi.exevynpkcsppiyspzsvaorgi.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\giwxrixtskzsoxprviky.exegiwxrixtskzsoxprviky.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3392 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\giwxrixtskzsoxprviky.exe*."3⤵
- Executes dropped EXE
PID:4380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\vynpkcsppiyspzsvaorgi.exevynpkcsppiyspzsvaorgi.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vynpkcsppiyspzsvaorgi.exe*."3⤵
- Executes dropped EXE
PID:3508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe1⤵PID:3920
-
C:\Windows\vynpkcsppiyspzsvaorgi.exevynpkcsppiyspzsvaorgi.exe2⤵
- Executes dropped EXE
PID:2580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe1⤵
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\iiutlanheuhyszpprc.exeiiutlanheuhyszpprc.exe2⤵
- Executes dropped EXE
PID:4900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sqaxnaldymxmejxv.exe .1⤵PID:2928
-
C:\Windows\sqaxnaldymxmejxv.exesqaxnaldymxmejxv.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4820 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\sqaxnaldymxmejxv.exe*."3⤵
- Executes dropped EXE
PID:3180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe .1⤵PID:2404
-
C:\Windows\giwxrixtskzsoxprviky.exegiwxrixtskzsoxprviky.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4760 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\giwxrixtskzsoxprviky.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe1⤵PID:3156
-
C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exeC:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe2⤵
- Executes dropped EXE
PID:2940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe1⤵PID:2700
-
C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exeC:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe2⤵
- Executes dropped EXE
PID:3076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .1⤵PID:1052
-
C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exeC:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .2⤵
- Executes dropped EXE
PID:828 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vynpkcsppiyspzsvaorgi.exe*."3⤵
- Executes dropped EXE
PID:824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .1⤵PID:3596
-
C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exeC:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3876 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vynpkcsppiyspzsvaorgi.exe*."3⤵
- Executes dropped EXE
PID:640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe1⤵PID:464
-
C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exeC:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe2⤵
- Executes dropped EXE
PID:2040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe1⤵PID:60
-
C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe2⤵
- Executes dropped EXE
PID:2652
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .1⤵PID:4016
-
C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exeC:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2944 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\tuhhaqezxocupxopsef.exe*."3⤵
- Executes dropped EXE
PID:2012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .1⤵PID:2920
-
C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exeC:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3416 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\iiutlanheuhyszpprc.exe*."3⤵
- Executes dropped EXE
PID:4536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe1⤵PID:3780
-
C:\Windows\vynpkcsppiyspzsvaorgi.exevynpkcsppiyspzsvaorgi.exe2⤵
- Executes dropped EXE
PID:3508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sqaxnaldymxmejxv.exe .1⤵PID:4248
-
C:\Windows\sqaxnaldymxmejxv.exesqaxnaldymxmejxv.exe .2⤵
- Executes dropped EXE
PID:1768 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\sqaxnaldymxmejxv.exe*."3⤵
- Executes dropped EXE
PID:3244
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe1⤵PID:3204
-
C:\Windows\vynpkcsppiyspzsvaorgi.exevynpkcsppiyspzsvaorgi.exe2⤵
- Executes dropped EXE
PID:4524
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe .1⤵PID:3380
-
C:\Windows\giwxrixtskzsoxprviky.exegiwxrixtskzsoxprviky.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4764 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\giwxrixtskzsoxprviky.exe*."3⤵
- Executes dropped EXE
PID:3840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe1⤵PID:1352
-
C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exeC:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe2⤵
- Executes dropped EXE
PID:1412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .1⤵PID:4356
-
C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exeC:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2916 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\tuhhaqezxocupxopsef.exe*."3⤵
- Executes dropped EXE
PID:2844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe1⤵PID:3408
-
C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe2⤵
- Executes dropped EXE
PID:5080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .1⤵PID:2316
-
C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exeC:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2708 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vynpkcsppiyspzsvaorgi.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyjhymyrncoexdsrs.exe1⤵PID:3064
-
C:\Windows\zyjhymyrncoexdsrs.exezyjhymyrncoexdsrs.exe2⤵
- Executes dropped EXE
PID:1752
-
-
C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe .  |  PID:3676
  C:\Windows\vynpkcsppiyspzsvaorgi.exe  |  vynpkcsppiyspzsvaorgi.exe .  |  PID:3596
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vynpkcsppiyspzsvaorgi.exe*."  |  PID:4128
    - Executes dropped EXE

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe  |  PID:1688
  C:\Windows\giwxrixtskzsoxprviky.exe  |  giwxrixtskzsoxprviky.exe  |  PID:1420
  - Executes dropped EXE

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe  |  PID:4576
  C:\Windows\giwxrixtskzsoxprviky.exe  |  giwxrixtskzsoxprviky.exe  |  PID:4628
  - Executes dropped EXE

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe  |  PID:4380
  C:\Windows\vynpkcsppiyspzsvaorgi.exe  |  vynpkcsppiyspzsvaorgi.exe  |  PID:4168
  - Executes dropped EXE

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe .  |  PID:2920
  C:\Windows\vynpkcsppiyspzsvaorgi.exe  |  vynpkcsppiyspzsvaorgi.exe .  |  PID:2360
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vynpkcsppiyspzsvaorgi.exe*."  |  PID:1004
    - Executes dropped EXE

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe .  |  PID:4952
  C:\Windows\vynpkcsppiyspzsvaorgi.exe  |  vynpkcsppiyspzsvaorgi.exe .  |  PID:4984
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vynpkcsppiyspzsvaorgi.exe*."  |  PID:2084

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c sqaxnaldymxmejxv.exe .  |  PID:4176
  C:\Windows\sqaxnaldymxmejxv.exe  |  sqaxnaldymxmejxv.exe .  |  PID:3924
  - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\sqaxnaldymxmejxv.exe*."  |  PID:2400
    - Executes dropped EXE

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe  |  PID:2628
  C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe  |  C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe  |  PID:4848
  - Executes dropped EXE

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c zyjhymyrncoexdsrs.exe  |  PID:4136
  C:\Windows\zyjhymyrncoexdsrs.exe  |  zyjhymyrncoexdsrs.exe  |  PID:1988
  - Executes dropped EXE
C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .  |  PID:4248
  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  |  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .  |  PID:832
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\sqaxnaldymxmejxv.exe*."  |  PID:1104
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe  |  PID:3884
  C:\Windows\giwxrixtskzsoxprviky.exe  |  giwxrixtskzsoxprviky.exe  |  PID:3660

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe .  |  PID:3404
  C:\Windows\tuhhaqezxocupxopsef.exe  |  tuhhaqezxocupxopsef.exe .  |  PID:4792
  - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\tuhhaqezxocupxopsef.exe*."  |  PID:800

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c zyjhymyrncoexdsrs.exe .  |  PID:1796
  C:\Windows\zyjhymyrncoexdsrs.exe  |  zyjhymyrncoexdsrs.exe .  |  PID:5092
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\zyjhymyrncoexdsrs.exe*."  |  PID:4764

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe  |  PID:4396
  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID:824
  C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe  |  C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe  |  PID:4576

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  |  PID:112
  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID:2916
  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  |  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  |  PID:740

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe  |  PID:5072
  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID:4188
  C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe  |  C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe  |  PID:5048

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .  |  PID:1940
  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  |  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .  |  PID:1884
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\sqaxnaldymxmejxv.exe*."  |  PID:2084
C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .  |  PID:2244
  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID:2708
  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  |  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .  |  PID:2944
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\sqaxnaldymxmejxv.exe*."  |  PID:1988

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .  |  PID:2596
  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe  |  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .  |  PID:3676
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\iiutlanheuhyszpprc.exe*."  |  PID:1164

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe  |  PID:1404
  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe  |  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe  |  PID:3156

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe  |  PID:2396
  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe  |  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe  |  PID:1768

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .  |  PID:3176
  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe  |  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .  |  PID:2360
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\iiutlanheuhyszpprc.exe*."  |  PID:2580

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .  |  PID:2436
  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .  |  PID:4392
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\giwxrixtskzsoxprviky.exe*."  |  PID:4136

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe  |  PID:1500
  C:\Windows\giwxrixtskzsoxprviky.exe  |  giwxrixtskzsoxprviky.exe  |  PID:740

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe .  |  PID:548
  C:\Windows\tuhhaqezxocupxopsef.exe  |  tuhhaqezxocupxopsef.exe .  |  PID:2900
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\tuhhaqezxocupxopsef.exe*."  |  PID:1336

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe  |  PID:1056
  C:\Windows\iiutlanheuhyszpprc.exe  |  iiutlanheuhyszpprc.exe  |  PID:3584

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe .  |  PID:3776
  C:\Windows\vynpkcsppiyspzsvaorgi.exe  |  vynpkcsppiyspzsvaorgi.exe .  |  PID:2260
  - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vynpkcsppiyspzsvaorgi.exe*."  |  PID:2700
C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe  |  PID:4792
  C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe  |  C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe  |  PID:4088

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .  |  PID:1320
  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID:1768
  C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe  |  C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .  |  PID:3460
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\tuhhaqezxocupxopsef.exe*."  |  PID:4892

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  PID:2292
  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  PID:4624

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .  |  PID:3920
  C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe  |  C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .  |  PID:4844
  - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\tuhhaqezxocupxopsef.exe*."  |  PID:3168
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe  |  PID:2396
  C:\Windows\giwxrixtskzsoxprviky.exe  |  giwxrixtskzsoxprviky.exe  |  PID:1040

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe .  |  PID:1972
  C:\Windows\vynpkcsppiyspzsvaorgi.exe  |  vynpkcsppiyspzsvaorgi.exe .  |  PID:3196
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vynpkcsppiyspzsvaorgi.exe*."  |  PID:2620

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c sqaxnaldymxmejxv.exe  |  PID:4536
  C:\Windows\sqaxnaldymxmejxv.exe  |  sqaxnaldymxmejxv.exe  |  PID:2580

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe .  |  PID:4668
  C:\Windows\iiutlanheuhyszpprc.exe  |  iiutlanheuhyszpprc.exe .  |  PID:1868
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\iiutlanheuhyszpprc.exe*."  |  PID:1620

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  |  PID:456
  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID:4380
  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  |  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  |  PID:3504

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .  |  PID:2248
  C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe  |  C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .  |  PID:5072
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vynpkcsppiyspzsvaorgi.exe*."  |  PID:644
C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  PID:1680
  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  PID:3508

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .  |  PID:2160
  C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe  |  C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .  |  PID:2556
  - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vynpkcsppiyspzsvaorgi.exe*."  |  PID:1056
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - System policy modification

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe  |  PID:4396
  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID:4764
  C:\Windows\vynpkcsppiyspzsvaorgi.exe  |  vynpkcsppiyspzsvaorgi.exe  |  PID:1372

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe .  |  PID:2276
  C:\Windows\iiutlanheuhyszpprc.exe  |  iiutlanheuhyszpprc.exe .  |  PID:5044
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\iiutlanheuhyszpprc.exe*."  |  PID:1872

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c sqaxnaldymxmejxv.exe  |  PID:4104
  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID:3460
  C:\Windows\sqaxnaldymxmejxv.exe  |  sqaxnaldymxmejxv.exe  |  PID:1928

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe .  |  PID:4856
  C:\Windows\iiutlanheuhyszpprc.exe  |  iiutlanheuhyszpprc.exe .  |  PID:3776
  - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\iiutlanheuhyszpprc.exe*."  |  PID:4816

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  PID:3192
  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  PID:1944

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .  |  PID:1164
  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe  |  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .  |  PID:4728
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\iiutlanheuhyszpprc.exe*."  |  PID:3096

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe  |  PID:4932
  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID:1884
  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe  |  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe  |  PID:2396
C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .  |  PID:4412
  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe  |  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .  |  PID:2244
  - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\iiutlanheuhyszpprc.exe*."  |  PID:1108
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe  |  PID:4964
  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID:2040
  C:\Windows\vynpkcsppiyspzsvaorgi.exe  |  vynpkcsppiyspzsvaorgi.exe  |  PID:2124

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe .  |  PID:1580
  C:\Windows\giwxrixtskzsoxprviky.exe  |  giwxrixtskzsoxprviky.exe .  |  PID:2640
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\giwxrixtskzsoxprviky.exe*."  |  PID:436

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c sqaxnaldymxmejxv.exe  |  PID:1620
  C:\Windows\sqaxnaldymxmejxv.exe  |  sqaxnaldymxmejxv.exe  |  PID:2100

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c zyjhymyrncoexdsrs.exe .  |  PID:2512
  C:\Windows\zyjhymyrncoexdsrs.exe  |  zyjhymyrncoexdsrs.exe .  |  PID:4700
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\zyjhymyrncoexdsrs.exe*."  |  PID:1596

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  |  PID:1492
  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  |  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  |  PID:3164

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .  |  PID:2664
  C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe  |  C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .  |  PID:4524
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\zyjhymyrncoexdsrs.exe*."  |  PID:400

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe  |  PID:4088
  C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe  |  C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe  |  PID:2096

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .  |  PID:1372
  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .  |  PID:4820
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\giwxrixtskzsoxprviky.exe*."  |  PID:4780
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c zyjhymyrncoexdsrs.exe  |  PID:1928
  C:\Windows\zyjhymyrncoexdsrs.exe  |  zyjhymyrncoexdsrs.exe  |  PID:2972

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe .  |  PID:900
  C:\Windows\tuhhaqezxocupxopsef.exe  |  tuhhaqezxocupxopsef.exe .  |  PID:1192
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\tuhhaqezxocupxopsef.exe*."  |  PID:556

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe  |  PID:2296
  C:\Windows\vynpkcsppiyspzsvaorgi.exe  |  vynpkcsppiyspzsvaorgi.exe  |  PID:2104

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c sqaxnaldymxmejxv.exe .  |  PID:3876
  C:\Windows\sqaxnaldymxmejxv.exe  |  sqaxnaldymxmejxv.exe .  |  PID:2292
  - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\sqaxnaldymxmejxv.exe*."  |  PID:2360

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe  |  PID:3096
  C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe  |  C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe  |  PID:3572

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .  |  PID:1420
  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe  |  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .  |  PID:1408
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\iiutlanheuhyszpprc.exe*."  |  PID:756

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe  |  PID:2768
  C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe  |  C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe  |  PID:4772

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .  |  PID:2332
  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .  |  PID:1732
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\giwxrixtskzsoxprviky.exe*."  |  PID:1868
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe  |  PID:4720
  C:\Windows\vynpkcsppiyspzsvaorgi.exe  |  vynpkcsppiyspzsvaorgi.exe  |  PID:740

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe .  |  PID:4912
  C:\Windows\tuhhaqezxocupxopsef.exe  |  tuhhaqezxocupxopsef.exe .  |  PID:4552
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\tuhhaqezxocupxopsef.exe*."  |  PID:2248
C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe  |  PID:1336
  C:\Windows\iiutlanheuhyszpprc.exe  |  iiutlanheuhyszpprc.exe  |  PID:2252

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe .  |  PID:2160
  C:\Windows\tuhhaqezxocupxopsef.exe  |  tuhhaqezxocupxopsef.exe .  |  PID:2664
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\tuhhaqezxocupxopsef.exe*."  |  PID:2204

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  |  PID:3220
  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID:3168
  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  |  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  |  PID:5092

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .  |  PID:3924
  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe  |  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .  |  PID:4820
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\iiutlanheuhyszpprc.exe*."  |  PID:1372

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  PID:1480
  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  PID:3608

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe  |  PID:2000
  C:\Windows\iiutlanheuhyszpprc.exe  |  iiutlanheuhyszpprc.exe  |  PID:4944

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .  |  PID:2972
  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  |  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .  |  PID:3016
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\sqaxnaldymxmejxv.exe*."  |  PID:4384
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c zyjhymyrncoexdsrs.exe  |  PID:3524
  C:\Windows\zyjhymyrncoexdsrs.exe  |  zyjhymyrncoexdsrs.exe  |  PID:4452

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe .  |  PID:4984
  C:\Windows\iiutlanheuhyszpprc.exe  |  iiutlanheuhyszpprc.exe .  |  PID:1812
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\iiutlanheuhyszpprc.exe*."  |  PID:456

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe .  |  PID:1728
  C:\Windows\giwxrixtskzsoxprviky.exe  |  giwxrixtskzsoxprviky.exe .  |  PID:3608
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\giwxrixtskzsoxprviky.exe*."  |  PID:2340
C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe  |  PID:3920
  C:\Windows\vynpkcsppiyspzsvaorgi.exe  |  vynpkcsppiyspzsvaorgi.exe  |  PID:4380

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe  |  PID:1404
  C:\Windows\vynpkcsppiyspzsvaorgi.exe  |  vynpkcsppiyspzsvaorgi.exe  |  PID:4804

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe .  |  PID:2912
  C:\Windows\tuhhaqezxocupxopsef.exe  |  tuhhaqezxocupxopsef.exe .  |  PID:4912
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\tuhhaqezxocupxopsef.exe*."  |  PID:2980

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe .  |  PID:4772
  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID:4780
  C:\Windows\tuhhaqezxocupxopsef.exe  |  tuhhaqezxocupxopsef.exe .  |  PID:2316
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\tuhhaqezxocupxopsef.exe*."  |  PID:2364

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  |  PID:1584
  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  |  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  |  PID:2444

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  PID:1088
  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  PID:2844

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .  |  PID:2224
  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .  |  PID:4432
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\giwxrixtskzsoxprviky.exe*."  |  PID:1056

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c zyjhymyrncoexdsrs.exe  |  PID:3600
  C:\Windows\zyjhymyrncoexdsrs.exe  |  zyjhymyrncoexdsrs.exe  |  PID:832

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .  |  PID:1940
  C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe  |  C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .  |  PID:4088
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\tuhhaqezxocupxopsef.exe*."  |  PID:1944

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe .  |  PID:644
  C:\Windows\tuhhaqezxocupxopsef.exe  |  tuhhaqezxocupxopsef.exe .  |  PID:1508
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\tuhhaqezxocupxopsef.exe*."  |  PID:2360

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  PID:2044
  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  PID:3064

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe  |  PID:3076
  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe  |  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe  |  PID:2408

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .  |  PID:4764
  C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe  |  C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .  |  PID:3504
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\zyjhymyrncoexdsrs.exe*."  |  PID:5092
C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe  |  PID:4252
  C:\Windows\tuhhaqezxocupxopsef.exe  |  tuhhaqezxocupxopsef.exe  |  PID:4380

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .  |  PID:4692
  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .  |  PID:1412
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\giwxrixtskzsoxprviky.exe*."  |  PID:3996

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c zyjhymyrncoexdsrs.exe .  |  PID:4892
  C:\Windows\zyjhymyrncoexdsrs.exe  |  zyjhymyrncoexdsrs.exe .  |  PID:2332
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\zyjhymyrncoexdsrs.exe*."  |  PID:3164

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe  |  PID:3776
  C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe  |  C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe  |  PID:4128

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .  |  PID:3676
  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .  |  PID:2296
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\giwxrixtskzsoxprviky.exe*."  |  PID:832

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe  |  PID:3304
  C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe  |  C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe  |  PID:4388

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .  |  PID:1984
  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  |  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .  |  PID:2876
  - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\giwxrixtskzsoxprviky.exe*."  |  PID:2700
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe  |  PID:4432
  C:\Windows\tuhhaqezxocupxopsef.exe  |  tuhhaqezxocupxopsef.exe  |  PID:1752

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe .  |  PID:4532
  C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID:1944
  C:\Windows\vynpkcsppiyspzsvaorgi.exe  |  vynpkcsppiyspzsvaorgi.exe .  |  PID:2536
  - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vynpkcsppiyspzsvaorgi.exe*."  |  PID:2360

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe  |  PID:4168
  C:\Windows\giwxrixtskzsoxprviky.exe  |  giwxrixtskzsoxprviky.exe  |  PID:2884

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe .  |  PID:3780
  C:\Windows\vynpkcsppiyspzsvaorgi.exe  |  vynpkcsppiyspzsvaorgi.exe .
  - Checks computer location settings
PID:1232 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vynpkcsppiyspzsvaorgi.exe*."3⤵PID:2204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe1⤵PID:1492
-
C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe2⤵PID:2724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .1⤵PID:2396
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1988
-
-
C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exeC:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .2⤵
- Checks computer location settings
PID:4252 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\tuhhaqezxocupxopsef.exe*."3⤵PID:3392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe1⤵PID:644
-
C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exeC:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe2⤵PID:2708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .1⤵PID:3524
-
C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exeC:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .2⤵
- Checks computer location settings
PID:1324 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\giwxrixtskzsoxprviky.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2404
-
-
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv GZrhVJxNwkmIOcZqG5AQqA.0.11⤵
- Blocklisted process makes network request
PID:4136
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:2980
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe1⤵PID:2256
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:456
-
-
C:\Windows\vynpkcsppiyspzsvaorgi.exevynpkcsppiyspzsvaorgi.exe2⤵PID:4388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sqaxnaldymxmejxv.exe .1⤵PID:64
-
C:\Windows\sqaxnaldymxmejxv.exesqaxnaldymxmejxv.exe .2⤵PID:2596
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\sqaxnaldymxmejxv.exe*."3⤵PID:3848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe1⤵PID:2916
-
C:\Windows\iiutlanheuhyszpprc.exeiiutlanheuhyszpprc.exe2⤵PID:1372
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyjhymyrncoexdsrs.exe .1⤵PID:1808
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:800
-
-
C:\Windows\zyjhymyrncoexdsrs.exezyjhymyrncoexdsrs.exe .2⤵
- Checks computer location settings
PID:1868 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\zyjhymyrncoexdsrs.exe*."3⤵PID:2912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe1⤵PID:1876
-
C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exeC:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe2⤵PID:1256
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .1⤵PID:3012
-
C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exeC:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .2⤵
- Checks computer location settings
PID:4796 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\sqaxnaldymxmejxv.exe*."3⤵PID:4432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe1⤵PID:2972
-
C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe2⤵PID:1940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .1⤵PID:3064
-
C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\zyjhymyrncoexdsrs.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe1⤵PID:2984
-
C:\Windows\tuhhaqezxocupxopsef.exetuhhaqezxocupxopsef.exe2⤵PID:1688
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe .1⤵PID:1796
-
C:\Windows\giwxrixtskzsoxprviky.exegiwxrixtskzsoxprviky.exe .2⤵PID:756
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\giwxrixtskzsoxprviky.exe*."3⤵PID:4544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sqaxnaldymxmejxv.exe1⤵PID:2380
-
C:\Windows\sqaxnaldymxmejxv.exesqaxnaldymxmejxv.exe2⤵PID:644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyjhymyrncoexdsrs.exe .1⤵PID:824
-
C:\Windows\zyjhymyrncoexdsrs.exezyjhymyrncoexdsrs.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4040 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\zyjhymyrncoexdsrs.exe*."3⤵PID:4344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe1⤵PID:4656
-
C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exeC:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe2⤵PID:1372
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .1⤵PID:4524
-
C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exeC:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:436 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\giwxrixtskzsoxprviky.exe*."3⤵PID:1876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe1⤵PID:4744
-
C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exeC:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe2⤵PID:2784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .1⤵PID:1868
-
C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exeC:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .2⤵
- Checks computer location settings
PID:2900 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vynpkcsppiyspzsvaorgi.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe1⤵PID:2252
-
C:\Windows\tuhhaqezxocupxopsef.exetuhhaqezxocupxopsef.exe2⤵PID:1136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe .1⤵PID:2384
-
C:\Windows\vynpkcsppiyspzsvaorgi.exevynpkcsppiyspzsvaorgi.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1812 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vynpkcsppiyspzsvaorgi.exe*."3⤵PID:2096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe1⤵PID:4392
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2260
-
-
C:\Windows\iiutlanheuhyszpprc.exeiiutlanheuhyszpprc.exe2⤵PID:1928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe .1⤵PID:1596
-
C:\Windows\iiutlanheuhyszpprc.exeiiutlanheuhyszpprc.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5008 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\iiutlanheuhyszpprc.exe*."3⤵PID:5092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe1⤵PID:968
-
C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exeC:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe2⤵PID:3196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .1⤵PID:1796
-
C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exeC:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:556 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\tuhhaqezxocupxopsef.exe*."3⤵PID:2928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe1⤵PID:4388
-
C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exeC:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe2⤵PID:2596
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .1⤵PID:3776
-
C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exeC:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:64 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\tuhhaqezxocupxopsef.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyjhymyrncoexdsrs.exe1⤵PID:4868
-
C:\Windows\zyjhymyrncoexdsrs.exezyjhymyrncoexdsrs.exe2⤵PID:1728
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe .1⤵PID:4036
-
C:\Windows\vynpkcsppiyspzsvaorgi.exevynpkcsppiyspzsvaorgi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4980 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vynpkcsppiyspzsvaorgi.exe*."3⤵PID:60
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe1⤵PID:4800
-
C:\Windows\vynpkcsppiyspzsvaorgi.exevynpkcsppiyspzsvaorgi.exe2⤵PID:2940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe .1⤵PID:3876
-
C:\Windows\vynpkcsppiyspzsvaorgi.exevynpkcsppiyspzsvaorgi.exe .2⤵
- Checks computer location settings
PID:1620 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vynpkcsppiyspzsvaorgi.exe*."3⤵PID:1576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe1⤵PID:3972
-
C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exeC:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe2⤵PID:1136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .1⤵PID:2104
-
C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exeC:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .2⤵
- Checks computer location settings
PID:5032 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\tuhhaqezxocupxopsef.exe*."3⤵PID:3924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe1⤵PID:2860
-
C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe2⤵PID:2944
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .1⤵PID:4412
-
C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exeC:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .2⤵
- Checks computer location settings
PID:4188 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vynpkcsppiyspzsvaorgi.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sqaxnaldymxmejxv.exe1⤵PID:1324
-
C:\Windows\sqaxnaldymxmejxv.exesqaxnaldymxmejxv.exe2⤵PID:4984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sqaxnaldymxmejxv.exe .1⤵PID:4248
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4844
-
-
C:\Windows\sqaxnaldymxmejxv.exesqaxnaldymxmejxv.exe .2⤵
- Checks computer location settings
PID:5048 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\sqaxnaldymxmejxv.exe*."3⤵PID:1968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe1⤵PID:4728
-
C:\Windows\iiutlanheuhyszpprc.exeiiutlanheuhyszpprc.exe2⤵PID:680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe .1⤵PID:2768
-
C:\Windows\iiutlanheuhyszpprc.exeiiutlanheuhyszpprc.exe .2⤵
- Checks computer location settings
PID:4668 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\iiutlanheuhyszpprc.exe*."3⤵PID:3608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe1⤵PID:824
-
C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exeC:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe2⤵PID:1060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe1⤵PID:4344
-
C:\Windows\iiutlanheuhyszpprc.exeiiutlanheuhyszpprc.exe2⤵PID:2640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe1⤵PID:3204
-
C:\Windows\giwxrixtskzsoxprviky.exegiwxrixtskzsoxprviky.exe2⤵PID:3088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .1⤵PID:2916
-
C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exeC:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\tuhhaqezxocupxopsef.exe*."3⤵PID:1580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe .1⤵PID:2724
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4088
-
-
C:\Windows\giwxrixtskzsoxprviky.exegiwxrixtskzsoxprviky.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4536 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\giwxrixtskzsoxprviky.exe*."3⤵PID:2040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe .1⤵PID:800
-
C:\Windows\giwxrixtskzsoxprviky.exegiwxrixtskzsoxprviky.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2404 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\giwxrixtskzsoxprviky.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- System policy modification
PID:5112 -
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:1500
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:1624
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:4988
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:2664
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:4128
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:3140
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:4432
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:3340
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:1768
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:3416
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:1192
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:3220
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:3864
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:1256
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:4088
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:4684
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:1796
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:1812
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:2860
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:1232
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:2536
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:1840
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:1416
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:556
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:3176
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:4908
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:2296
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:1040
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:1192
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:2768
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:692
-
-
C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe"C:\Users\Admin\AppData\Local\Temp\wdkpbgq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe"4⤵PID:4436
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe1⤵PID:2252
-
C:\Windows\tuhhaqezxocupxopsef.exetuhhaqezxocupxopsef.exe2⤵PID:4388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe1⤵PID:2352
-
C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exeC:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe2⤵PID:3636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe .1⤵PID:4532
-
C:\Windows\tuhhaqezxocupxopsef.exetuhhaqezxocupxopsef.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5048 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\tuhhaqezxocupxopsef.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe1⤵PID:1492
-
C:\Windows\tuhhaqezxocupxopsef.exetuhhaqezxocupxopsef.exe2⤵PID:3048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .1⤵PID:1040
-
C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exeC:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .2⤵
- Checks computer location settings
PID:4776 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vynpkcsppiyspzsvaorgi.exe*."3⤵PID:2316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sqaxnaldymxmejxv.exe .1⤵PID:2620
-
C:\Windows\sqaxnaldymxmejxv.exesqaxnaldymxmejxv.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1056 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\sqaxnaldymxmejxv.exe*."3⤵PID:2972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe1⤵PID:4380
-
C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exeC:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe2⤵PID:3700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .1⤵PID:2132
-
C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exeC:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3096 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vynpkcsppiyspzsvaorgi.exe*."3⤵PID:1872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe1⤵PID:2204
-
C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exeC:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe2⤵PID:3156
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .1⤵PID:464
-
C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exeC:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .2⤵PID:4524
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\iiutlanheuhyszpprc.exe*."3⤵PID:692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe1⤵PID:4184
-
C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe2⤵PID:440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe1⤵PID:3952
-
C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exeC:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe2⤵PID:968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .1⤵PID:5000
-
C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exeC:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3268 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\iiutlanheuhyszpprc.exe*."3⤵PID:800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .1⤵PID:3504
-
C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exeC:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .2⤵
- Checks computer location settings
PID:4716 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\tuhhaqezxocupxopsef.exe*."3⤵PID:4480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ctkzvketmytfvouji.exe1⤵PID:2580
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5072
-
-
C:\Windows\ctkzvketmytfvouji.exectkzvketmytfvouji.exe2⤵PID:3124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ytohhayroedtnkunqvmhc.exe .1⤵PID:1620
-
  [2] PID 740  C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

  [2] PID 2944  C:\Windows\ytohhayroedtnkunqvmhc.exe  cmdline: ytohhayroedtnkunqvmhc.exe .
      signature: System Location Discovery: System Language Discovery
    [3] PID 3196  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ytohhayroedtnkunqvmhc.exe*."

[1] PID 1164  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ctkzvketmytfvouji.exe
  [2] PID 4776  C:\Windows\ctkzvketmytfvouji.exe  cmdline: ctkzvketmytfvouji.exe

[1] PID 2012  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c vlbpkyrfxicncuzn.exe .
  [2] PID 3584  C:\Windows\vlbpkyrfxicncuzn.exe  cmdline: vlbpkyrfxicncuzn.exe .
    [3] PID 4668  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vlbpkyrfxicncuzn.exe*."

[1] PID 4536  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c zyjhymyrncoexdsrs.exe
  [2] PID 1236  C:\Windows\zyjhymyrncoexdsrs.exe  cmdline: zyjhymyrncoexdsrs.exe

[1] PID 2556  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exe
  [2] PID 1972  C:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exe

[1] PID 1320  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe .
  [2] PID 2636  C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe .
    [3] PID 4396  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vlbpkyrfxicncuzn.exe*."

[1] PID 2316  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe .
  [2] PID 3524  C:\Windows\iiutlanheuhyszpprc.exe  cmdline: iiutlanheuhyszpprc.exe .
    [3] PID 756  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\iiutlanheuhyszpprc.exe*."

[1] PID 1688  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c zyjhymyrncoexdsrs.exe
  [2] PID 60  C:\Windows\zyjhymyrncoexdsrs.exe  cmdline: zyjhymyrncoexdsrs.exe

[1] PID 5052  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exe
  [2] PID 1984  C:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exe

[1] PID 2792  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe .
  [2] PID 692  C:\Windows\iiutlanheuhyszpprc.exe  cmdline: iiutlanheuhyszpprc.exe .
    [3] PID 3876  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\iiutlanheuhyszpprc.exe*."

[1] PID 1928  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe .
  [2] PID 2732  C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe .
    [3] PID 1192  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\ldvliytjdqmzqkrhhj.exe*."

[1] PID 804  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe
  [2] PID 100  C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe

[1] PID 4684  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .
  [2] PID 1108  C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .
    [3] PID 2256  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vynpkcsppiyspzsvaorgi.exe*."

[1] PID 4984  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe
  [2] PID 2084  C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] PID 4188  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe

[1] PID 2172  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .
  [2] PID 2224  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .
    [3] PID 1584  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\sqaxnaldymxmejxv.exe*."

[1] PID 5000  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe
  [2] PID 3840  C:\Windows\giwxrixtskzsoxprviky.exe  cmdline: giwxrixtskzsoxprviky.exe

[1] PID 1104  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe .
  [2] PID 3112  C:\Windows\iiutlanheuhyszpprc.exe  cmdline: iiutlanheuhyszpprc.exe .
    [3] PID 1352  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\iiutlanheuhyszpprc.exe*."

[1] PID 3340  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe
  [2] PID 5092  C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] PID 2972  C:\Windows\vynpkcsppiyspzsvaorgi.exe  cmdline: vynpkcsppiyspzsvaorgi.exe

[1] PID 1800  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe .
  [2] PID 4396  C:\Windows\iiutlanheuhyszpprc.exe  cmdline: iiutlanheuhyszpprc.exe .
    [3] PID 3776  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\iiutlanheuhyszpprc.exe*."

[1] PID 2248  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe
  [2] PID 2404  C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe

[1] PID 436  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .
  [2] PID 4772  C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] PID 2820  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .
    [3] PID 3508  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\giwxrixtskzsoxprviky.exe*."

[1] PID 4328  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe
  [2] PID 2704  C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe

[1] PID 1100  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .
  [2] PID 4692  C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .
    [3] PID 1988  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\zyjhymyrncoexdsrs.exe*."

[1] PID 4820  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ytohhayroedtnkunqvmhc.exe
  [2] PID 4696  C:\Windows\ytohhayroedtnkunqvmhc.exe  cmdline: ytohhayroedtnkunqvmhc.exe

[1] PID 4964  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ctkzvketmytfvouji.exe .
  [2] PID 3848  C:\Windows\ctkzvketmytfvouji.exe  cmdline: ctkzvketmytfvouji.exe .
    [3] PID 2352  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ctkzvketmytfvouji.exe*."

[1] PID 4684  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c vlbpkyrfxicncuzn.exe
  [2] PID 3348  C:\Windows\vlbpkyrfxicncuzn.exe  cmdline: vlbpkyrfxicncuzn.exe

[1] PID 556  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe
  [2] PID 3196  C:\Windows\vynpkcsppiyspzsvaorgi.exe  cmdline: vynpkcsppiyspzsvaorgi.exe

[1] PID 1484  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ytohhayroedtnkunqvmhc.exe .
  [2] PID 1620  C:\Windows\ytohhayroedtnkunqvmhc.exe  cmdline: ytohhayroedtnkunqvmhc.exe .
    [3] PID 2912  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ytohhayroedtnkunqvmhc.exe*."

[1] PID 5032  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe
  [2] PID 4380  C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe

[1] PID 1236  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe .
  [2] PID 1136  C:\Windows\giwxrixtskzsoxprviky.exe  cmdline: giwxrixtskzsoxprviky.exe .
    [3] PID 1616  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\giwxrixtskzsoxprviky.exe*."
[1] PID 1256  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytohhayroedtnkunqvmhc.exe .
  [2] PID 2784  C:\Users\Admin\AppData\Local\Temp\ytohhayroedtnkunqvmhc.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ytohhayroedtnkunqvmhc.exe .
    [3] PID 2820  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\ytohhayroedtnkunqvmhc.exe*."

[1] PID 1104  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe
  [2] PID 3124  C:\Windows\iiutlanheuhyszpprc.exe  cmdline: iiutlanheuhyszpprc.exe

[1] PID 1512  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe .
  [2] PID 4544  C:\Windows\giwxrixtskzsoxprviky.exe  cmdline: giwxrixtskzsoxprviky.exe .
    [3] PID 4428  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\giwxrixtskzsoxprviky.exe*."

[1] PID 4796  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe
  [2] PID 4720  C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe

[1] PID 3340  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytohhayroedtnkunqvmhc.exe
  [2] PID 692  C:\Users\Admin\AppData\Local\Temp\ytohhayroedtnkunqvmhc.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ytohhayroedtnkunqvmhc.exe

[1] PID 3192  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .
  [2] PID 2984  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .
    [3] PID 2944  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\sqaxnaldymxmejxv.exe*."

[1] PID 2536  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctkzvketmytfvouji.exe .
  [2] PID 3288  C:\Users\Admin\AppData\Local\Temp\ctkzvketmytfvouji.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ctkzvketmytfvouji.exe .
    [3] PID 4060  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\ctkzvketmytfvouji.exe*."

[1] PID 2324  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe
  [2] PID 4820  C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] PID 4492  C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe

[1] PID 2664  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .
  [2] PID 4944  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .
    [3] PID 4724  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\giwxrixtskzsoxprviky.exe*."

[1] PID 5008  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c sqaxnaldymxmejxv.exe
  [2] PID 2292  C:\Windows\sqaxnaldymxmejxv.exe  cmdline: sqaxnaldymxmejxv.exe

[1] PID 4452  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe .
  [2] PID 556  C:\Windows\tuhhaqezxocupxopsef.exe  cmdline: tuhhaqezxocupxopsef.exe .
    [3] PID 5032  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\tuhhaqezxocupxopsef.exe*."

[1] PID 3608  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe
  [2] PID 1916  C:\Windows\giwxrixtskzsoxprviky.exe  cmdline: giwxrixtskzsoxprviky.exe

[1] PID 4360  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe .
  [2] PID 4776  C:\Windows\iiutlanheuhyszpprc.exe  cmdline: iiutlanheuhyszpprc.exe .
    [3] PID 4892  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\iiutlanheuhyszpprc.exe*."

[1] PID 3088  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe
  [2] PID 2364  C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe

[1] PID 2360  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .
  [2] PID 4396  C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .
    [3] PID 436  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\tuhhaqezxocupxopsef.exe*."

[1] PID 3876  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe
  [2] PID 692  C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe

[1] PID 3112  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .
  [2] PID 1104  C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .
    [3] PID 3776  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vynpkcsppiyspzsvaorgi.exe*."

[1] PID 2732  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c sqaxnaldymxmejxv.exe
  [2] PID 380  C:\Windows\sqaxnaldymxmejxv.exe  cmdline: sqaxnaldymxmejxv.exe

[1] PID 3180  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c sqaxnaldymxmejxv.exe .
  [2] PID 2984  C:\Windows\sqaxnaldymxmejxv.exe  cmdline: sqaxnaldymxmejxv.exe .
    [3] PID 1232  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\sqaxnaldymxmejxv.exe*."

[1] PID 2944  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe
  [2] PID 2652  C:\Windows\giwxrixtskzsoxprviky.exe  cmdline: giwxrixtskzsoxprviky.exe

[1] PID 2384  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe .
  [2] PID 2084  C:\Windows\tuhhaqezxocupxopsef.exe  cmdline: tuhhaqezxocupxopsef.exe .
    [3] PID 2792  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\tuhhaqezxocupxopsef.exe*."

[1] PID 3924  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe
  [2] PID 4700  C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe

[1] PID 4988  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .
  [2] PID 3064  C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .
    [3] PID 1840  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\zyjhymyrncoexdsrs.exe*."

[1] PID 764  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe
  [2] PID 3220  C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe

[1] PID 1336  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .
  [2] PID 1688  C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .
    [3] PID 900  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\zyjhymyrncoexdsrs.exe*."

[1] PID 3460  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe
  [2] PID 232  C:\Windows\iiutlanheuhyszpprc.exe  cmdline: iiutlanheuhyszpprc.exe

[1] PID 1584  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe .
  [2] PID 4856  C:\Windows\vynpkcsppiyspzsvaorgi.exe  cmdline: vynpkcsppiyspzsvaorgi.exe .
    [3] PID 4328  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vynpkcsppiyspzsvaorgi.exe*."

[1] PID 1320  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c sqaxnaldymxmejxv.exe
  [2] PID 4720  C:\Windows\sqaxnaldymxmejxv.exe  cmdline: sqaxnaldymxmejxv.exe

[1] PID 1256  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe .
  [2] PID 4848  C:\Windows\giwxrixtskzsoxprviky.exe  cmdline: giwxrixtskzsoxprviky.exe .
    [3] PID 1492  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\giwxrixtskzsoxprviky.exe*."

[1] PID 4796  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe
  [2] PID 3952  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe

[1] PID 3204  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .
  [2] PID 1416  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .
    [3] PID 2916  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\iiutlanheuhyszpprc.exe*."
[1] PID 400  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe
  [2] PID 804  C:\Windows\giwxrixtskzsoxprviky.exe  cmdline: giwxrixtskzsoxprviky.exe

[1] PID 1500  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe
  [2] PID 4700  C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe

[1] PID 2000  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe
  [2] PID 4952  C:\Windows\giwxrixtskzsoxprviky.exe  cmdline: giwxrixtskzsoxprviky.exe

[1] PID 3972  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c sqaxnaldymxmejxv.exe .
  [2] PID 800  C:\Windows\sqaxnaldymxmejxv.exe  cmdline: sqaxnaldymxmejxv.exe .
    [3] PID 4452  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\sqaxnaldymxmejxv.exe*."

[1] PID 3096  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .
  [2] PID 464  C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .
    [3] PID 1688  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\zyjhymyrncoexdsrs.exe*."

[1] PID 4128  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe .
  [2] PID 2640  C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] PID 2596  C:\Windows\tuhhaqezxocupxopsef.exe  cmdline: tuhhaqezxocupxopsef.exe .
    [3] PID 3840  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\tuhhaqezxocupxopsef.exe*."

[1] PID 1972  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c zyjhymyrncoexdsrs.exe
  [2] PID 1056  C:\Windows\zyjhymyrncoexdsrs.exe  cmdline: zyjhymyrncoexdsrs.exe

[1] PID 4380  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe .
  [2] PID 756  C:\Windows\tuhhaqezxocupxopsef.exe  cmdline: tuhhaqezxocupxopsef.exe .
    [3] PID 900  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\tuhhaqezxocupxopsef.exe*."

[1] PID 2384  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe
  [2] PID 4728  C:\Windows\giwxrixtskzsoxprviky.exe  cmdline: giwxrixtskzsoxprviky.exe

[1] PID 1060  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe
  [2] PID 2732  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe

[1] PID 4644  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe .
  [2] PID 1492  C:\Windows\tuhhaqezxocupxopsef.exe  cmdline: tuhhaqezxocupxopsef.exe .
    [3] PID 2768  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\tuhhaqezxocupxopsef.exe*."

[1] PID 1596  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe
  [2] PID 4428  C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe

[1] PID 4776  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .
  [2] PID 3340  C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .
    [3] PID 3776  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\zyjhymyrncoexdsrs.exe*."

[1] PID 4912  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .
  [2] PID 2260  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .
    [3] PID 2124  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\giwxrixtskzsoxprviky.exe*."

[1] PID 1984  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe
  [2] PID 2084  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe

[1] PID 4796  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe
  [2] PID 2628  C:\Windows\iiutlanheuhyszpprc.exe  cmdline: iiutlanheuhyszpprc.exe

[1] PID 1404  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .
  [2] PID 556  C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .
    [3] PID 2224  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vynpkcsppiyspzsvaorgi.exe*."

[1] PID 2580  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe
  [2] PID 2292  C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe

[1] PID 1420  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .
  [2] PID 3700  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .
    [3] PID 4504  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\sqaxnaldymxmejxv.exe*."

[1] PID 3924  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe .
  [2] PID 5032  C:\Windows\giwxrixtskzsoxprviky.exe  cmdline: giwxrixtskzsoxprviky.exe .
    [3] PID 3840  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\giwxrixtskzsoxprviky.exe*."

[1] PID 3064  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe
  [2] PID 4036  C:\Windows\iiutlanheuhyszpprc.exe  cmdline: iiutlanheuhyszpprc.exe

[1] PID 1056  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe .
  [2] PID 3076  C:\Windows\tuhhaqezxocupxopsef.exe  cmdline: tuhhaqezxocupxopsef.exe .
    [3] PID 4628  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\tuhhaqezxocupxopsef.exe*."

[1] PID 5052  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe
  [2] PID 2324  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe

[1] PID 3268  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .
  [2] PID 2916  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .
    [3] PID 4248  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\iiutlanheuhyszpprc.exe*."

[1] PID 3508  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe
  [2] PID 2000  C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe

[1] PID 3848  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .
  [2] PID 2792  C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .
    [3] PID 1392  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vynpkcsppiyspzsvaorgi.exe*."

[1] PID 100  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe
  [2] PID 1876  C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] PID 2556  C:\Windows\iiutlanheuhyszpprc.exe  cmdline: iiutlanheuhyszpprc.exe

[1] PID 3392  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe .
  [2] PID 4760  C:\Windows\iiutlanheuhyszpprc.exe  cmdline: iiutlanheuhyszpprc.exe .
    [3] PID 4984  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\iiutlanheuhyszpprc.exe*."

[1] PID 4136  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe
  [2] PID 112  C:\Windows\tuhhaqezxocupxopsef.exe  cmdline: tuhhaqezxocupxopsef.exe

[1] PID 4328  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe .
  [2] PID 1232  C:\Windows\giwxrixtskzsoxprviky.exe  cmdline: giwxrixtskzsoxprviky.exe .
    [3] PID 2704  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\giwxrixtskzsoxprviky.exe*."
[1] PID 5032  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe
  [2] PID 1732  C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe

[1] PID 3924  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .
  [2] PID 2664  C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .
    [3] PID 4128  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vynpkcsppiyspzsvaorgi.exe*."

[1] PID 2264  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe
  [2] PID 1236  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe

[1] PID 5072  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .
  [2] PID 4432  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .
    [3] PID 1056  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\sqaxnaldymxmejxv.exe*."

[1] PID 3288  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c zyjhymyrncoexdsrs.exe
  [2] PID 2132  C:\Windows\zyjhymyrncoexdsrs.exe  cmdline: zyjhymyrncoexdsrs.exe

[1] PID 3268  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe .
  [2] PID 1512  C:\Windows\tuhhaqezxocupxopsef.exe  cmdline: tuhhaqezxocupxopsef.exe .
    [3] PID 2964  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\tuhhaqezxocupxopsef.exe*."

[1] PID 2876  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c sqaxnaldymxmejxv.exe
  [2] PID 1372  C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] PID 1984  C:\Windows\sqaxnaldymxmejxv.exe  cmdline: sqaxnaldymxmejxv.exe

[1] PID 756  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe .
  [2] PID 2784  C:\Windows\giwxrixtskzsoxprviky.exe  cmdline: giwxrixtskzsoxprviky.exe .
    [3] PID 4532  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\giwxrixtskzsoxprviky.exe*."

[1] PID 900  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ldvliytjdqmzqkrhhj.exe
  [2] PID 1060  C:\Windows\ldvliytjdqmzqkrhhj.exe  cmdline: ldvliytjdqmzqkrhhj.exe

[1] PID 2940  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe
  [2] PID 800  C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe

[1] PID 440  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ytohhayroedtnkunqvmhc.exe .
  [2] PID 4268  C:\Windows\ytohhayroedtnkunqvmhc.exe  cmdline: ytohhayroedtnkunqvmhc.exe .
    [3] PID 2924  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ytohhayroedtnkunqvmhc.exe*."

[1] PID 1088  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .
  [2] PID 2248  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .
    [3] PID 3176  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\iiutlanheuhyszpprc.exe*."

[1] PID 2096  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ctkzvketmytfvouji.exe
  [2] PID 4336  C:\Windows\ctkzvketmytfvouji.exe  cmdline: ctkzvketmytfvouji.exe

[1] PID 4168  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe
  [2] PID 4836  C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe

[1] PID 4360  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ytohhayroedtnkunqvmhc.exe .
  [2] PID 3924  C:\Windows\ytohhayroedtnkunqvmhc.exe  cmdline: ytohhayroedtnkunqvmhc.exe .
    [3] PID 4432  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ytohhayroedtnkunqvmhc.exe*."

[1] PID 2704  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe
  [2] PID 2512  C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe

[1] PID 4524  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .
  [2] PID 3708  C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .
    [3] PID 3864  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vynpkcsppiyspzsvaorgi.exe*."

[1] PID 4128  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe .
  [2] PID 4628  C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe .
    [3] PID 3404  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\ldvliytjdqmzqkrhhj.exe*."

[1] PID 5072  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exe
  [2] PID 1580  C:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\jdxpogdvrgetmirjlpfz.exe

[1] PID 4956  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpizxokbwkhvniqhila.exe .
  [2] PID 1868  C:\Users\Admin\AppData\Local\Temp\wpizxokbwkhvniqhila.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\wpizxokbwkhvniqhila.exe .
    [3] PID 3304  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\wpizxokbwkhvniqhila.exe*."

[1] PID 1508  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c sqaxnaldymxmejxv.exe
  [2] PID 4724  C:\Windows\sqaxnaldymxmejxv.exe  cmdline: sqaxnaldymxmejxv.exe

[1] PID 64  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe .
  [2] PID 4700  C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] PID 3508  C:\Windows\giwxrixtskzsoxprviky.exe  cmdline: giwxrixtskzsoxprviky.exe .
    [3] PID 2912  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\giwxrixtskzsoxprviky.exe*."

[1] PID 680  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe
  [2] PID 4484  C:\Windows\vynpkcsppiyspzsvaorgi.exe  cmdline: vynpkcsppiyspzsvaorgi.exe

[1] PID 4952  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe .
  [2] PID 1596  C:\Windows\tuhhaqezxocupxopsef.exe  cmdline: tuhhaqezxocupxopsef.exe .
    [3] PID 2788  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\tuhhaqezxocupxopsef.exe*."

[1] PID 4928  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe
  [2] PID 2292  C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] PID 3152  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe

[1] PID 2408  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .
  [2] PID 3176  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .
    [3] PID 632  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\giwxrixtskzsoxprviky.exe*."

[1] PID 440  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe
  [2] PID 4344  C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe

[1] PID 768  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .
  [2] PID 3512  C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .
    [3] PID 1392  C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\giwxrixtskzsoxprviky.exe*."
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe1⤵PID:4744
-
C:\Windows\giwxrixtskzsoxprviky.exegiwxrixtskzsoxprviky.exe2⤵PID:3076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyjhymyrncoexdsrs.exe .1⤵PID:2672
-
C:\Windows\zyjhymyrncoexdsrs.exezyjhymyrncoexdsrs.exe .2⤵PID:2444
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\zyjhymyrncoexdsrs.exe*."3⤵PID:2352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe1⤵PID:4088
-
C:\Windows\giwxrixtskzsoxprviky.exegiwxrixtskzsoxprviky.exe2⤵PID:4128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe .1⤵PID:1524
-
C:\Windows\iiutlanheuhyszpprc.exeiiutlanheuhyszpprc.exe .2⤵PID:2276
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\iiutlanheuhyszpprc.exe*."3⤵PID:3196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe1⤵PID:1420
-
C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exeC:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe2⤵PID:2964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .1⤵PID:380
-
C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exeC:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .2⤵PID:1508
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\sqaxnaldymxmejxv.exe*."3⤵PID:5084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe1⤵PID:4904
-
C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exeC:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe2⤵PID:900
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .1⤵PID:4892
-
C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exeC:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .2⤵PID:4476
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\giwxrixtskzsoxprviky.exe*."3⤵PID:4916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe1⤵PID:1596
-
C:\Windows\vynpkcsppiyspzsvaorgi.exevynpkcsppiyspzsvaorgi.exe2⤵PID:1040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe .1⤵PID:1796
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2972
-
-
C:\Windows\vynpkcsppiyspzsvaorgi.exevynpkcsppiyspzsvaorgi.exe .2⤵PID:1500
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vynpkcsppiyspzsvaorgi.exe*."3⤵PID:3088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyjhymyrncoexdsrs.exe1⤵PID:4436
-
C:\Windows\zyjhymyrncoexdsrs.exezyjhymyrncoexdsrs.exe2⤵PID:2664
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe .1⤵PID:3476
-
C:\Windows\giwxrixtskzsoxprviky.exegiwxrixtskzsoxprviky.exe .2⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\giwxrixtskzsoxprviky.exe*."3⤵PID:2360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe1⤵PID:3780
-
C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exeC:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe2⤵PID:1520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .1⤵PID:2820
-
C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exeC:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .2⤵PID:1256
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\giwxrixtskzsoxprviky.exe*."3⤵PID:4692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe1⤵PID:4428
-
C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exeC:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe2⤵PID:4744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .1⤵PID:4792
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1728
-
-
C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .2⤵PID:4392
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\zyjhymyrncoexdsrs.exe*."3⤵PID:4360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe1⤵PID:3140
-
C:\Windows\iiutlanheuhyszpprc.exeiiutlanheuhyszpprc.exe2⤵PID:2032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe1⤵PID:3304
-
C:\Windows\vynpkcsppiyspzsvaorgi.exevynpkcsppiyspzsvaorgi.exe2⤵PID:2276
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe .1⤵PID:4340
-
C:\Windows\tuhhaqezxocupxopsef.exetuhhaqezxocupxopsef.exe .2⤵PID:4796
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\tuhhaqezxocupxopsef.exe*."3⤵PID:900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sqaxnaldymxmejxv.exe .1⤵PID:1580
-
C:\Windows\sqaxnaldymxmejxv.exesqaxnaldymxmejxv.exe .2⤵PID:3152
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\sqaxnaldymxmejxv.exe*."3⤵PID:3328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe1⤵PID:3636
-
C:\Windows\tuhhaqezxocupxopsef.exetuhhaqezxocupxopsef.exe2⤵PID:3340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyjhymyrncoexdsrs.exe1⤵PID:1320
-
C:\Windows\zyjhymyrncoexdsrs.exezyjhymyrncoexdsrs.exe2⤵PID:100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe .1⤵PID:1336
-
C:\Windows\giwxrixtskzsoxprviky.exegiwxrixtskzsoxprviky.exe .2⤵PID:2596
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\giwxrixtskzsoxprviky.exe*."3⤵PID:764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe1⤵PID:1344
-
C:\Windows\giwxrixtskzsoxprviky.exegiwxrixtskzsoxprviky.exe2⤵PID:4544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe .1⤵PID:2512
-
C:\Windows\iiutlanheuhyszpprc.exeiiutlanheuhyszpprc.exe .2⤵PID:2360
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\iiutlanheuhyszpprc.exe*."3⤵PID:3640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe1⤵PID:548
-
C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exeC:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe2⤵PID:2444
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe .1⤵PID:4500
-
C:\Windows\vynpkcsppiyspzsvaorgi.exevynpkcsppiyspzsvaorgi.exe .2⤵PID:3096
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vynpkcsppiyspzsvaorgi.exe*."3⤵PID:448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .1⤵PID:3776
-
C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exeC:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .2⤵PID:4628
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\giwxrixtskzsoxprviky.exe*."3⤵PID:1884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe1⤵PID:3972
-
C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exeC:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe2⤵PID:1408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe1⤵PID:3524
-
C:\Windows\iiutlanheuhyszpprc.exeiiutlanheuhyszpprc.exe2⤵PID:2084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .1⤵PID:1752
-
C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exeC:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .2⤵PID:2672
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\sqaxnaldymxmejxv.exe*."3⤵PID:1484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe .1⤵PID:5032
-
C:\Windows\iiutlanheuhyszpprc.exeiiutlanheuhyszpprc.exe .2⤵PID:3504
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\iiutlanheuhyszpprc.exe*."3⤵PID:4268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe1⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exeC:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe2⤵PID:4380
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe1⤵PID:2340
-
C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exeC:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe2⤵PID:4248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .1⤵PID:4040
-
C:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exeC:\Users\Admin\AppData\Local\Temp\tuhhaqezxocupxopsef.exe .2⤵PID:4952
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\tuhhaqezxocupxopsef.exe*."3⤵PID:4028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .1⤵PID:1768
-
C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .2⤵PID:4396
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\zyjhymyrncoexdsrs.exe*."3⤵PID:3636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe1⤵PID:3864
-
C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exeC:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe2⤵PID:2764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .1⤵PID:3380
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4128
-
-
C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .2⤵PID:4844
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\zyjhymyrncoexdsrs.exe*."3⤵PID:4248
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe1⤵PID:3140
-
C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exeC:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe2⤵PID:380
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .1⤵PID:1896
-
C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exeC:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .2⤵PID:3868
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\iiutlanheuhyszpprc.exe*."3⤵PID:680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe1⤵PID:5040
-
C:\Windows\giwxrixtskzsoxprviky.exegiwxrixtskzsoxprviky.exe2⤵PID:2916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sqaxnaldymxmejxv.exe .1⤵PID:2784
-
C:\Windows\sqaxnaldymxmejxv.exesqaxnaldymxmejxv.exe .2⤵PID:3304
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\sqaxnaldymxmejxv.exe*."3⤵PID:3492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vynpkcsppiyspzsvaorgi.exe1⤵PID:4236
-
C:\Windows\vynpkcsppiyspzsvaorgi.exevynpkcsppiyspzsvaorgi.exe2⤵PID:3168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe .1⤵PID:4660
-
C:\Windows\iiutlanheuhyszpprc.exeiiutlanheuhyszpprc.exe .2⤵PID:3964
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\iiutlanheuhyszpprc.exe*."3⤵PID:1620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe1⤵PID:3908
-
C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exeC:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe2⤵PID:3820
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .1⤵PID:4700
-
C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exeC:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe .2⤵PID:4344
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\iiutlanheuhyszpprc.exe*."3⤵PID:2212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe1⤵PID:2712
-
C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exeC:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe2⤵PID:2384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .1⤵PID:1368
-
C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exeC:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe .2⤵PID:2340
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\giwxrixtskzsoxprviky.exe*."3⤵PID:2096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe1⤵PID:5084
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4944
-
-
C:\Windows\iiutlanheuhyszpprc.exeiiutlanheuhyszpprc.exe2⤵PID:2264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyjhymyrncoexdsrs.exe .1⤵PID:4988
-
C:\Windows\zyjhymyrncoexdsrs.exezyjhymyrncoexdsrs.exe .2⤵PID:4268
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\zyjhymyrncoexdsrs.exe*."3⤵PID:2680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyjhymyrncoexdsrs.exe1⤵PID:4360
-
C:\Windows\zyjhymyrncoexdsrs.exezyjhymyrncoexdsrs.exe2⤵PID:4816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tuhhaqezxocupxopsef.exe .1⤵PID:680
-
C:\Windows\tuhhaqezxocupxopsef.exetuhhaqezxocupxopsef.exe .2⤵PID:2452
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\tuhhaqezxocupxopsef.exe*."3⤵PID:3016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe1⤵PID:2380
-
C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exeC:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe2⤵PID:5052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .1⤵PID:1896
-
C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .2⤵PID:4412
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\zyjhymyrncoexdsrs.exe*."3⤵PID:2276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe1⤵PID:2920
-
C:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exeC:\Users\Admin\AppData\Local\Temp\giwxrixtskzsoxprviky.exe2⤵PID:1108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .1⤵PID:1616
-
C:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exeC:\Users\Admin\AppData\Local\Temp\sqaxnaldymxmejxv.exe .2⤵PID:3460
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\sqaxnaldymxmejxv.exe*."3⤵PID:4720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ctkzvketmytfvouji.exe1⤵PID:4716
-
C:\Windows\ctkzvketmytfvouji.exectkzvketmytfvouji.exe2⤵PID:2248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ctkzvketmytfvouji.exe .1⤵PID:2652
-
C:\Windows\ctkzvketmytfvouji.exectkzvketmytfvouji.exe .2⤵PID:5064
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ctkzvketmytfvouji.exe*."3⤵PID:1500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vlbpkyrfxicncuzn.exe1⤵PID:4904
-
C:\Windows\vlbpkyrfxicncuzn.exevlbpkyrfxicncuzn.exe2⤵PID:4344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe1⤵PID:3908
-
C:\Windows\giwxrixtskzsoxprviky.exegiwxrixtskzsoxprviky.exe2⤵PID:4452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ytohhayroedtnkunqvmhc.exe .1⤵PID:3876
-
C:\Windows\ytohhayroedtnkunqvmhc.exeytohhayroedtnkunqvmhc.exe .2⤵PID:2944
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\ytohhayroedtnkunqvmhc.exe*."3⤵PID:4576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpizxokbwkhvniqhila.exe1⤵PID:4700
-
C:\Users\Admin\AppData\Local\Temp\wpizxokbwkhvniqhila.exeC:\Users\Admin\AppData\Local\Temp\wpizxokbwkhvniqhila.exe2⤵PID:5048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c iiutlanheuhyszpprc.exe .1⤵PID:2764
-
C:\Windows\iiutlanheuhyszpprc.exeiiutlanheuhyszpprc.exe .2⤵PID:380
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\iiutlanheuhyszpprc.exe*."3⤵PID:4028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wpizxokbwkhvniqhila.exe .1⤵PID:3952
-
C:\Users\Admin\AppData\Local\Temp\wpizxokbwkhvniqhila.exeC:\Users\Admin\AppData\Local\Temp\wpizxokbwkhvniqhila.exe .2⤵PID:4696
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\wpizxokbwkhvniqhila.exe*."3⤵PID:4820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe1⤵PID:768
-
C:\Windows\giwxrixtskzsoxprviky.exegiwxrixtskzsoxprviky.exe2⤵PID:4916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zyjhymyrncoexdsrs.exe .1⤵PID:4668
-
C:\Windows\zyjhymyrncoexdsrs.exezyjhymyrncoexdsrs.exe .2⤵PID:4968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe1⤵PID:4268
-
C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe2⤵PID:3872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe1⤵PID:1808
-
C:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exeC:\Users\Admin\AppData\Local\Temp\iiutlanheuhyszpprc.exe2⤵PID:1512
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe .1⤵PID:2792
-
C:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exeC:\Users\Admin\AppData\Local\Temp\vlbpkyrfxicncuzn.exe .2⤵PID:2628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .1⤵PID:4340
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1732
-
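The tree above repeats one three-step pattern: cmd.exe /c starts one of the dropped binaries (a copy in the user's Temp directory or in C:\Windows), that binary runs, and tzjwwfytdjt.exe is then started with the binary's path plus "*." as its only argument. The same names and PIDs recur throughout the 42-second run, so a PID alone does not identify a process here. The following is an added example, written for this page and not part of the sandbox report or of the sample; it parses the raw export form of the tree (image path and command line fused, then the depth marker and PID), using sixteen lines copied from above as constructed input, and extracts what an analyst triaging this report wants: which binaries cmd.exe launched and how often, the complete cmd → binary → watchdog chains, the directories each binary ran from, and PIDs that appear more than once. The names Proc, parse_tree and summarize are mine; the code assumes no spaces in paths, which holds for this report.

```python
from __future__ import annotations

import ntpath
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: sixteen entries copied from the process tree of this report,
# in the raw export form "image path" + "command line" + "<depth>⤵PID:<pid>"
# (no separator between the image path and the command line).
SAMPLE = r"""
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .1⤵PID:4524
C:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exeC:\Users\Admin\AppData\Local\Temp\vynpkcsppiyspzsvaorgi.exe .2⤵PID:3708
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vynpkcsppiyspzsvaorgi.exe*."3⤵PID:3864
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe .1⤵PID:64
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4700
C:\Windows\giwxrixtskzsoxprviky.exegiwxrixtskzsoxprviky.exe .2⤵PID:3508
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\giwxrixtskzsoxprviky.exe*."3⤵PID:2912
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe .1⤵PID:4128
C:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\ldvliytjdqmzqkrhhj.exe .2⤵PID:4628
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\ldvliytjdqmzqkrhhj.exe*."3⤵PID:3404
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c giwxrixtskzsoxprviky.exe1⤵PID:4744
C:\Windows\giwxrixtskzsoxprviky.exegiwxrixtskzsoxprviky.exe2⤵PID:3076
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .1⤵PID:3380
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4128
C:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exeC:\Users\Admin\AppData\Local\Temp\zyjhymyrncoexdsrs.exe .2⤵PID:4844
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\zyjhymyrncoexdsrs.exe*."3⤵PID:4248
"""

# The image path is everything up to the first ".exe"; the depth is the single
# digit right before the arrow (a single digit, so "-ForceV1" + "2" splits correctly).
LINE_RE = re.compile(r"^(?P<image>.+?\.exe)(?P<cmd>.*)(?P<depth>\d)⤵PID:(?P<pid>\d+)$")


@dataclass
class Proc:
    image: str
    cmd: str
    depth: int
    pid: int
    parent: Optional[Proc] = None

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


def parse_tree(text: str) -> list[Proc]:
    """Parse raw export lines and link each record to its parent.

    The parent of a depth-n entry is the most recent depth-(n-1) entry above it,
    which is how the indented tree is serialised.
    """
    procs: list[Proc] = []
    last_at_depth: dict[int, Proc] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or non-process text
        p = Proc(m["image"], m["cmd"].strip(), int(m["depth"]), int(m["pid"]))
        p.parent = last_at_depth.get(p.depth - 1)
        # Entries deeper than the current one belong to an earlier subtree.
        last_at_depth = {d: q for d, q in last_at_depth.items() if d < p.depth}
        last_at_depth[p.depth] = p
        procs.append(p)
    return procs


def summarize(text: str) -> dict:
    """Extract the triage indicators from a parsed tree."""
    procs = parse_tree(text)
    launched: Counter = Counter()    # basename -> times cmd.exe /c started it
    watchdogs: Counter = Counter()   # basename of the process given a "<path>*." argument
    targets: Counter = Counter()     # basename named inside that "<path>*." argument
    chains: list[tuple] = []         # (target, cmd pid, target pid, watchdog pid)
    locations: dict[str, set[str]] = {}
    helpers = {"cmd.exe", "conhost.exe"}

    for p in procs:
        if p.name == "cmd.exe":
            m = re.search(r"/c\s+(\S+)", p.cmd)  # assumes no spaces in the path
            if m:
                launched[ntpath.basename(m.group(1)).lower()] += 1
            continue
        m = re.search(r'"([^"]+)\*\."$', p.cmd)  # the quoted "<binary>*." argument
        if m:
            target = ntpath.basename(m.group(1)).lower()
            watchdogs[p.name] += 1
            targets[target] += 1
            parent = p.parent
            grand = parent.parent if parent else None
            # Full chain only when the argument names the parent and cmd.exe started it.
            if parent and grand and parent.name == target and grand.name == "cmd.exe":
                chains.append((target, grand.pid, parent.pid, p.pid))
            continue
        if p.name not in helpers:
            locations.setdefault(p.name, set()).add(ntpath.dirname(p.image).lower())

    pid_counts = Counter(p.pid for p in procs)
    return {
        "process_count": len(procs),
        "launched_by_cmd": dict(launched),
        "watchdog_images": dict(watchdogs),
        "watchdog_targets": dict(targets),
        "relaunch_chains": chains,
        "locations": {k: sorted(v) for k, v in locations.items()},
        "reused_pids": sorted(pid for pid, n in pid_counts.items() if n > 1),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE), indent=2))
```

On the full tree the same parser gives the complete set of dropped names and shows that each one was run from both Temp and C:\Windows, which is what makes the Winlogon Shell and Run-key persistence survive the removal of a single copy.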
Network
MITRE ATT&CK Enterprise v16

Tactic, technique and sub-technique as mapped by the report; the number in parentheses is the count the report attaches to each entry. The ATT&CK IDs are not part of the original report and are added here for reference.

Persistence
- Boot or Logon Autostart Execution, T1547 (3)
  - Registry Run Keys / Startup Folder, T1547.001 (2)
  - Winlogon Helper DLL, T1547.004 (1)
- Hijack Execution Flow, T1574 (1)
  - Executable Installer File Permissions Weakness, T1574.005 (1)

Privilege Escalation
- Abuse Elevation Control Mechanism, T1548 (1)
  - Bypass User Account Control, T1548.002 (1)
- Boot or Logon Autostart Execution, T1547 (3)
  - Registry Run Keys / Startup Folder, T1547.001 (2)
  - Winlogon Helper DLL, T1547.004 (1)
- Hijack Execution Flow, T1574 (1)
  - Executable Installer File Permissions Weakness, T1574.005 (1)

Defense Evasion
- Abuse Elevation Control Mechanism, T1548 (1)
  - Bypass User Account Control, T1548.002 (1)
- Hijack Execution Flow, T1574 (1)
  - Executable Installer File Permissions Weakness, T1574.005 (1)
- Impair Defenses, T1562 (2)
  - Disable or Modify Tools, T1562.001 (1)
  - Safe Mode Boot, T1562.009 (1)
- Modify Registry, T1112 (5)
Downloads

1. Filesize 272B
   MD5    1129fba3678e3ca624e19f174518bf09
   SHA1   5c2cadf22167c9fd7190b8036f9d7ad9de2b971e
   SHA256 ebb4b50e45878716173eaf54f7dc2c9335d9225fd556ebd003714cad8d857242
   SHA512 0c88d9b62656ce9628dda940659a3f6bb5f5035f82e554efd11ad7e61debebb9bfb8bd83a1d60d2b0111d03ce8e841cfe9512c99d9cd91f64c3c68c64c4f4e4d

2. Filesize 272B
   MD5    96599ffb7bf25e79ec64f7de3698d53c
   SHA1   a6cbe037146aedec302910c8b6cc9e6e4cb901b0
   SHA256 658359549a9bd39cd6fb1ed83c36b8ce2fe3837a1482112a7873643050592640
   SHA512 830eee2ca7a3601d7373f62d2eb842045bce84192c53f433be078f9094e81e1230460a35fd84ee0268e3794d185d321f1a56609f13fe7a6ba6907da71f0502e6

3. Filesize 272B
   MD5    513fa0ec9ff0dceb0e002b11f589efb0
   SHA1   066e59698b6c3c2b4e4fd45fc1a3561935afe2f2
   SHA256 7aee850b06d581e5ea28a1164589a8d40c8de7daeb1d259e3d126bded48625e8
   SHA512 12713d287de5798af1588abe27e7c37f325032e4e025bd2f613bd14bf4625186b3a1bf0ca77ae9aba8d81e35e3ca0e2e9399352cd26e885986866bb356b89e3b

4. Filesize 272B
   MD5    587c65595cc02c87229a6551fcbac505
   SHA1   07e9f79488a5ace5d0c8894c9086cc8d22055798
   SHA256 fde674ddd5e1889be58e4a38dd320b02a312a22031f64526ae33d21a1bf2713e
   SHA512 ebf1f236270b6c355ceb8dc2c8be1f2fe7981ae56eaf43d7c63eb2590afed8053b3cd94b7e02e468a1d4c3029072a067babfd2c2601cdf7007218e4bcc97deac

5. Filesize 272B
   MD5    d3346d69f6ab696b031b3cf265f4ba98
   SHA1   9ddf01ddf76222900d77b7aa4ac3ee45c7577d32
   SHA256 5a4d041a5d2142689c70b06e831a6ed6280ba85f7245521028c86fa3f7775e97
   SHA512 8b3545698872f88350c60fc1b75641226fc0d085d0a2e58e82a541a5196e17543f22e50aafa2ba9c15b27fbb73aa1cad43c9d4d5da533da12d372c624675d39a

6. Filesize 272B
   MD5    165c148bca3bc8bf179b68659aad1943
   SHA1   f19d70349ec4c6fc23f92928bf30956ac91a5de2
   SHA256 e8c7c78301ef51591207b034d9e7da31638340f5365c0a3556056fd4c19d6ab6
   SHA512 86433da1da720f2aa0e3b0bbcf7ecfc1e783972c32ddcfc2775cd63373654b9fbc0ddfae7104ac81603ba36433d1ebef333003cc84eb6b0b659dd9f140928e83

7. Filesize 712KB
   MD5    8840ba8ead77c46006f18f0a5e621636
   SHA1   b64a649634f2c991cac7db7713ce2968c42d64ad
   SHA256 dc2854fb1f06e1587b948478d33199b455887610a9e77cfe31457ab1764efad0
   SHA512 5a2355c2e2a5fcf481027b3f1668111183c9331f4491f7674e59f905da5a810eb7455df631783cb5dfff6170d15a1e2621596acb5bef305688e110279814bcd8

8. Filesize 320KB
   MD5    5203b6ea0901877fbf2d8d6f6d8d338e
   SHA1   c803e92561921b38abe13239c1fd85605b570936
   SHA256 0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060
   SHA512 d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471

9. Filesize 3KB
   MD5    7b8d41b7ed0766f975fabefec473277f
   SHA1   04fcb18c13302d9f9456b15f6ffe208263dd2d47
   SHA256 7e5cf680f11154d70a9e4f13f11f7e40d973aa63742dd9726dbbddc7653378fe
   SHA512 3e0357611be96e2bfe0c9d59185bff0eb762dfb4bce236fb0225795a1245cadb57606cd16a9eea85ac958d985afdfbedd1aa24a478d1fd0180ac0e34124c3d4d

10. Filesize 272B
    MD5    3465052c4c305148869e16796fdacdd5
    SHA1   fcfe6b53a8d257a7e02a2104693b920fb95b66da
    SHA256 1578e20e3f6f4b7d75d11ece2d20cd9e6e65fa81e33fe91acc029df28ee5d1e9
    SHA512 207ccbfee4728e1edc4b3a78c71a1e18e8de92d7e5c498796ca1137b225c4827baab76e9c3a50186e669e7ecd578c7702a4b86d1130457ba91b75a63857335d4

11. Filesize 556KB
    MD5    b838d06aa2f9970dfda79463310cf899
    SHA1   7cb1355674415ed0f529a2917ab16e7c69dfaca2
    SHA256 858805f6ee17321afae6ca22e35791ac8e1391dfe77317d0c0681f4f43c08aa3
    SHA512 9ebe4450eb441af897555d3a59d723b8accf24fc1409948841d3adf238f88151ef06982db2befd7dc8bc153d35189a2c71941a02ccb9631c4c27932e84a6389d
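The hash list above is the indicator set an incident responder would sweep endpoints for. The following is an added example, written for this page and not part of the sandbox report or the sample: it reads the Downloads list in the flattened form the export produces (label fused to the digest, one record per "Filesize" line), validates each digest's length for its algorithm, and then walks a directory hashing every file with all four algorithms in a single pass, reporting any file whose digest under any algorithm is listed. Three of the eleven entries are embedded as constructed input; the function names (parse_downloads, sweep, hash_file) are mine, and sizes are kept only as labels because the export rounds them to kilobytes, which makes them useless for matching.

```python
from __future__ import annotations

import hashlib
import os
import re
import tempfile
from pathlib import Path

# Constructed excerpt: three of the entries from the Downloads list above, in the
# flattened export form (the label is fused to the hex digest, no separator).
DOWNLOADS_EXCERPT = """
Filesize
272B
MD51129fba3678e3ca624e19f174518bf09
SHA15c2cadf22167c9fd7190b8036f9d7ad9de2b971e
SHA256ebb4b50e45878716173eaf54f7dc2c9335d9225fd556ebd003714cad8d857242
SHA5120c88d9b62656ce9628dda940659a3f6bb5f5035f82e554efd11ad7e61debebb9bfb8bd83a1d60d2b0111d03ce8e841cfe9512c99d9cd91f64c3c68c64c4f4e4d
Filesize
712KB
MD58840ba8ead77c46006f18f0a5e621636
SHA1b64a649634f2c991cac7db7713ce2968c42d64ad
SHA256dc2854fb1f06e1587b948478d33199b455887610a9e77cfe31457ab1764efad0
SHA5125a2355c2e2a5fcf481027b3f1668111183c9331f4491f7674e59f905da5a810eb7455df631783cb5dfff6170d15a1e2621596acb5bef305688e110279814bcd8
Filesize
556KB
MD5b838d06aa2f9970dfda79463310cf899
SHA17cb1355674415ed0f529a2917ab16e7c69dfaca2
SHA256858805f6ee17321afae6ca22e35791ac8e1391dfe77317d0c0681f4f43c08aa3
SHA5129ebe4450eb441af897555d3a59d723b8accf24fc1409948841d3adf238f88151ef06982db2befd7dc8bc153d35189a2c71941a02ccb9631c4c27932e84a6389d
"""

DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# "SHA1" is tried before "SHA256"/"SHA512"; they cannot collide because the
# character after "SHA" is 1, 2 or 5 respectively.
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")


def parse_downloads(text: str) -> list[dict]:
    """Turn the flattened Downloads list into one record per file."""
    records: list[dict] = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        if lines[i] == "Filesize":
            records.append({"size": lines[i + 1]})  # size kept as a label only
            i += 2
            continue
        m = HASH_RE.match(lines[i])
        if m and records:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"bad {algo} length in line: {lines[i]}")
            records[-1][algo] = digest
        i += 1
    return records


def index_by_digest(records: list[dict]) -> dict[str, dict]:
    """Map every listed digest, whatever the algorithm, back to its record."""
    return {rec[a]: rec for rec in records for a in DIGEST_LEN if a in rec}


def hash_file(path: Path) -> dict[str, str]:
    """Compute all four digests in one read of the file."""
    hs = {a: hashlib.new(a) for a in DIGEST_LEN}
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hs.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hs.items()}


def sweep(root: Path, records: list[dict]) -> list[tuple[Path, str, str]]:
    """Return (path, algorithm, digest) for each file under root that matches."""
    known = index_by_digest(records)
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                digests = hash_file(p)
            except OSError:
                continue  # locked or unreadable file: skip, do not abort the sweep
            for algo, d in digests.items():
                if d in known:
                    hits.append((p, algo, d))
                    break  # one report per file is enough
    return hits


def sweep_bytes_in_tempdir(content: bytes, records: list[dict]) -> list[str]:
    """Self-check helper: write content to a scratch file and sweep that directory."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "sample.bin").write_bytes(content)
        return [algo for _, algo, _ in sweep(Path(tmp), records)]


if __name__ == "__main__":
    import sys
    for path, algo, digest in sweep(Path(sys.argv[1]), parse_downloads(DOWNLOADS_EXCERPT)):
        print(f"{path}  {algo}={digest}")
```

Indexing by every algorithm means a hit is reported even when only one digest survives in the intelligence you were handed, and the length check catches the most common copy error in a pasted hash list before the sweep starts.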