Analysis
max time kernel: 49s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20250410-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/04/2025, 11:57

Static task: static1

Behavioral task: behavioral1
Sample: JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
Resource: win10v2004-20250410-en

Behavioral task: behavioral2
Sample: JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
Resource: win11-20250410-en

General
Target: JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
Size: 1016KB
MD5: b9c1a84350d1c4881dd1eac4ffb453b0
SHA1: e2c094bbe105e9ced9c996c140f4fb1ae5f48585
SHA256: 19bfc62f4162a8399e6c22f14721710d96007e027aaa8154e3d80bb725c360e4
SHA512: 4122450a3b2fb3698229b12cac896378eee63798ca6c928addfd1a5fdd4af87001c55b19a3072e643bc8586a596f4af6f1b1920c15aa63404212636329da192c
SSDEEP: 6144:KIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU:KIXsgtvm1De5YlOx6lzBH46U

Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 21 IoCs)
Pykspa family
UAC bypass (3 TTPs, 30 IoCs)
Detect Pykspa worm (2 IoCs)
resource | yara_rule
behavioral1/files/0x0009000000023155-4.dat | family_pykspa
behavioral1/files/0x000700000002406f-79.dat | family_pykspa
Adds policy Run key to start application (2 TTPs, 64 IoCs)
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | fvhhqxgupfr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | fvhhqxgupfr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | pnxcmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | pnxcmr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | pnxcmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | pnxcmr.exe
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE (64 IoCs)
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | pnxcmr.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | pnxcmr.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | pnxcmr.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | pnxcmr.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | pnxcmr.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | pnxcmr.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
fvhhqxgupfr.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdraoxcqyf = "rbxokbokapyvovlzpk.exe" fvhhqxgupfr.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoynxdsbjl = "irmcxnzujxfbtzobq.exe ." fvhhqxgupfr.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrdkwdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbzsqjywofqpktlbtqlx.exe ." fvhhqxgupfr.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbmsdjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbzsqjywofqpktlbtqlx.exe" fvhhqxgupfr.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdraoxcqyf = "bjdsmbmguhojaftf.exe" fvhhqxgupfr.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbmsdjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irmcxnzujxfbtzobq.exe" fvhhqxgupfr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rrdkwdgs = "rbxokbokapyvovlzpk.exe ." fvhhqxgupfr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxoardlcnxbth = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbzsqjywofqpktlbtqlx.exe" fvhhqxgupfr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxoardlcnxbth = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbzsqjywofqpktlbtqlx.exe" fvhhqxgupfr.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoynxdsbjl = "pbzsqjywofqpktlbtqlx.exe ." 
fvhhqxgupfr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxoardlcnxbth = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnkczrfctjtrltkzqmg.exe" fvhhqxgupfr.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoynxdsbjl = "cnkczrfctjtrltkzqmg.exe ." fvhhqxgupfr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbmsdjl = "bjdsmbmguhojaftf.exe" fvhhqxgupfr.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrdkwdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbzsqjywofqpktlbtqlx.exe ." fvhhqxgupfr.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbmsdjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqkjdtsldpplvofywsfe.exe" fvhhqxgupfr.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoynxdsbjl = "cnkczrfctjtrltkzqmg.exe ." fvhhqxgupfr.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrdkwdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjdsmbmguhojaftf.exe ." pnxcmr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbmsdjl = "pbzsqjywofqpktlbtqlx.exe" fvhhqxgupfr.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoynxdsbjl = "cnkczrfctjtrltkzqmg.exe ." 
fvhhqxgupfr.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdraoxcqyf = "rbxokbokapyvovlzpk.exe" fvhhqxgupfr.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoynxdsbjl = "cnkczrfctjtrltkzqmg.exe ." pnxcmr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnyozgwgpsj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqkjdtsldpplvofywsfe.exe ." fvhhqxgupfr.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdraoxcqyf = "bjdsmbmguhojaftf.exe" fvhhqxgupfr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnyozgwgpsj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnkczrfctjtrltkzqmg.exe ." fvhhqxgupfr.exe Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrdkwdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irmcxnzujxfbtzobq.exe ." pnxcmr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnyozgwgpsj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqkjdtsldpplvofywsfe.exe ." pnxcmr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbmsdjl = "pbzsqjywofqpktlbtqlx.exe" fvhhqxgupfr.exe -
Checks whether UAC is enabled 1 TTPs 42 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fvhhqxgupfr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | pnxcmr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fvhhqxgupfr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fvhhqxgupfr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fvhhqxgupfr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fvhhqxgupfr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fvhhqxgupfr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fvhhqxgupfr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fvhhqxgupfr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fvhhqxgupfr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fvhhqxgupfr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fvhhqxgupfr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fvhhqxgupfr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fvhhqxgupfr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | pnxcmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fvhhqxgupfr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fvhhqxgupfr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fvhhqxgupfr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fvhhqxgupfr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fvhhqxgupfr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fvhhqxgupfr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fvhhqxgupfr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | pnxcmr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fvhhqxgupfr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fvhhqxgupfr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fvhhqxgupfr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fvhhqxgupfr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fvhhqxgupfr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fvhhqxgupfr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fvhhqxgupfr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fvhhqxgupfr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | pnxcmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fvhhqxgupfr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fvhhqxgupfr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fvhhqxgupfr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fvhhqxgupfr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fvhhqxgupfr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fvhhqxgupfr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fvhhqxgupfr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fvhhqxgupfr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fvhhqxgupfr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fvhhqxgupfr.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users: setting EnableInstallerDetection to 0 disables installer detection, so setup programs no longer trigger an elevation prompt.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | fvhhqxgupfr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | pnxcmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | pnxcmr.exe
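The two registry tables above are what a triage analyst would want to pull out of a report like this automatically: the Run/RunOnce autoruns written by fvhhqxgupfr.exe and pnxcmr.exe, and the EnableLUA / EnableInstallerDetection writes. Note that the UAC rows are not only reads: both processes set EnableLUA to 0, which switches UAC off entirely once the machine reboots. The Python below is an added example, not the sandbox's or the sample's own code. It parses rows in the shape shown above (the sample rows are copied from this report, plus one constructed benign autorun), flags autoruns whose target sits in a user-writable location or is a bare filename, and flags UAC policy values set to weak states. The ConsentPromptBehaviorAdmin and PromptOnSecureDesktop entries are added for generality and do not appear in this report. A bare filename in an autorun value such as "irmcxnzujxfbtzobq.exe ." is resolved through the standard executable search path, which includes the Windows and system directories, the same places this sample drops its copies into.

```python
"""Parse sandbox registry IoC rows and flag autorun persistence and UAC tampering.

Added example for this report, not the sandbox's or the sample's own code. Assumes rows of the form
  Set value (<type>) \\REGISTRY\\<hive>\\<key>\\<name> = "<data>" <process>
  Key value queried \\REGISTRY\\<hive>\\<key>\\<name> <process>
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ROW_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key value queried) '
    r'(?P<path>\\REGISTRY\\\S+?)'
    r'(?: = "(?P<data>.*)")? '
    r'(?P<process>\S+)$'
)
AUTORUN_KEYS = ('\\currentversion\\run\\', '\\currentversion\\runonce\\')
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\users\\public\\')
ABSOLUTE_RE = re.compile(r'^([a-z]:\\|\\\\)')  # drive path or UNC path
# UAC policy values that weaken elevation when set as shown. EnableLUA and
# EnableInstallerDetection appear in this report; the other two are added for generality.
UAC_WEAK = {
    'enablelua': '0',                   # UAC off entirely, effective after the next reboot
    'enableinstallerdetection': '0',    # installers no longer trigger an elevation prompt
    'consentpromptbehavioradmin': '0',  # administrators elevate without any prompt
    'promptonsecuredesktop': '0',       # prompts, if any, appear on the spoofable user desktop
}

# Sample rows: the first five are copied from this report; the last is a constructed benign
# autorun so the filter has something to let through.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxoardlcnxbth = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnkczrfctjtrltkzqmg.exe" fvhhqxgupfr.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoynxdsbjl = "irmcxnzujxfbtzobq.exe ." fvhhqxgupfr.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" pnxcmr.exe',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA fvhhqxgupfr.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" pnxcmr.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe" explorer.exe',
]


@dataclass(frozen=True)
class RegEvent:
    op: str                    # "set" or "query"
    value_type: Optional[str]  # str/int/... for "set", None for "query"
    path: str                  # \REGISTRY\<hive>\<key>\<value name>
    data: Optional[str]        # value data for "set", None for "query"
    process: str

    @property
    def value_name(self) -> str:
        return self.path.rsplit('\\', 1)[-1]


def parse_row(line: str) -> Optional[RegEvent]:
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    op = 'query' if m['op'] == 'Key value queried' else 'set'
    return RegEvent(op, m['type'], m['path'], m['data'], m['process'])


def autorun_target(data: str) -> str:
    """First token of an autorun command line, i.e. the program that will be started."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(' ', 1)[0]


def classify(ev: RegEvent) -> Optional[str]:
    """Return a one-line finding for a suspicious write, or None for reads and benign writes."""
    if ev.op != 'set' or ev.data is None:
        return None
    path = ev.path.lower()
    key, _, name = path.rpartition('\\')
    if key.endswith('\\policies\\system') and UAC_WEAK.get(name) == ev.data:
        return f'UAC weakened: {name} = {ev.data} by {ev.process}'
    if any(k in path for k in AUTORUN_KEYS):
        target = autorun_target(ev.data)
        norm = target.replace('\\\\', '\\').lower()  # the report renders "\" as "\\"
        if not ABSOLUTE_RE.match(norm):
            return f'autorun {name}: bare filename "{target}" resolved via the search path by {ev.process}'
        if any(p in norm for p in USER_WRITABLE):
            return f'autorun {name}: target in user-writable location {target} by {ev.process}'
    return None


def analyse(rows) -> List[Tuple[RegEvent, str]]:
    """Parse every row and keep the ones classify() considers suspicious."""
    findings = []
    for line in rows:
        ev = parse_row(line)
        if ev is not None:
            verdict = classify(ev)
            if verdict:
                findings.append((ev, verdict))
    return findings
```

Running analyse(SAMPLE_ROWS) yields four findings: the Temp-path autorun, the bare-filename RunOnce entry, and the two UAC writes by pnxcmr.exe; the query row and the constructed SecurityHealth autorun pass through silently. The same parser applies unchanged to the WinLogon\Shell rows earlier on the page if a rule for that key is added to classify().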
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
26 | www.whatismyip.ca
28 | whatismyip.everdot.org
30 | www.showmyipaddress.com
33 | whatismyipaddress.com
37 | whatismyip.everdot.org
48 | whatismyip.everdot.org
23 | www.whatismyip.ca
24 | whatismyip.everdot.org
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe | pnxcmr.exe
File opened for modification | C:\Windows\SysWOW64\rbxokbokapyvovlzpk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\bjdsmbmguhojaftf.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\pbzsqjywofqpktlbtqlx.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\bjdsmbmguhojaftf.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\rbxokbokapyvovlzpk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\vjjeezqqkdqroztlfebppk.exe | pnxcmr.exe
File opened for modification | C:\Windows\SysWOW64\bjdsmbmguhojaftf.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\irmcxnzujxfbtzobq.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\rbxokbokapyvovlzpk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\pbzsqjywofqpktlbtqlx.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\pbzsqjywofqpktlbtqlx.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\vjjeezqqkdqroztlfebppk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\rbxokbokapyvovlzpk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\erqkjdtsldpplvofywsfe.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\erqkjdtsldpplvofywsfe.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\rbxokbokapyvovlzpk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\bjdsmbmguhojaftf.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\vjjeezqqkdqroztlfebppk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\vjjeezqqkdqroztlfebppk.exe | pnxcmr.exe
File opened for modification | C:\Windows\SysWOW64\irmcxnzujxfbtzobq.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\irmcxnzujxfbtzobq.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\vjjeezqqkdqroztlfebppk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\bjdsmbmguhojaftf.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\irmcxnzujxfbtzobq.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\irmcxnzujxfbtzobq.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\pbzsqjywofqpktlbtqlx.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\vjjeezqqkdqroztlfebppk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\bjdsmbmguhojaftf.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\erqkjdtsldpplvofywsfe.exe | pnxcmr.exe
File opened for modification | C:\Windows\SysWOW64\vjjeezqqkdqroztlfebppk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\rbxokbokapyvovlzpk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\irmcxnzujxfbtzobq.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\pbzsqjywofqpktlbtqlx.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\erqkjdtsldpplvofywsfe.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\irmcxnzujxfbtzobq.exe | pnxcmr.exe
File opened for modification | C:\Windows\SysWOW64\rbxokbokapyvovlzpk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe | pnxcmr.exe
File opened for modification | C:\Windows\SysWOW64\bjdsmbmguhojaftf.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\rbxokbokapyvovlzpk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\erqkjdtsldpplvofywsfe.exe | fvhhqxgupfr.exe
File created | C:\Windows\SysWOW64\bdraoxcqyfgvgfntbozbpymvaowdeted.rzm | pnxcmr.exe
File opened for modification | C:\Windows\SysWOW64\irmcxnzujxfbtzobq.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\bjdsmbmguhojaftf.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\rbxokbokapyvovlzpk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\bjdsmbmguhojaftf.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\vjjeezqqkdqroztlfebppk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\bjdsmbmguhojaftf.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\erqkjdtsldpplvofywsfe.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\vjjeezqqkdqroztlfebppk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\pbzsqjywofqpktlbtqlx.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\SysWOW64\pbzsqjywofqpktlbtqlx.exe | pnxcmr.exe
File opened for modification | C:\Windows\SysWOW64\gxaybztwtpfjjxupmoofi.jhb | pnxcmr.exe
File opened for modification | C:\Windows\SysWOW64\bdraoxcqyfgvgfntbozbpymvaowdeted.rzm | pnxcmr.exe
File opened for modification | C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe | fvhhqxgupfr.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\bdraoxcqyfgvgfntbozbpymvaowdeted.rzm | pnxcmr.exe
File created | C:\Program Files (x86)\bdraoxcqyfgvgfntbozbpymvaowdeted.rzm | pnxcmr.exe
File opened for modification | C:\Program Files (x86)\gxaybztwtpfjjxupmoofi.jhb | pnxcmr.exe
File created | C:\Program Files (x86)\gxaybztwtpfjjxupmoofi.jhb | pnxcmr.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\cnkczrfctjtrltkzqmg.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\pbzsqjywofqpktlbtqlx.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\bjdsmbmguhojaftf.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\rbxokbokapyvovlzpk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\erqkjdtsldpplvofywsfe.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\erqkjdtsldpplvofywsfe.exe | pnxcmr.exe
File opened for modification | C:\Windows\rbxokbokapyvovlzpk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\pbzsqjywofqpktlbtqlx.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\vjjeezqqkdqroztlfebppk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\bjdsmbmguhojaftf.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\rbxokbokapyvovlzpk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\erqkjdtsldpplvofywsfe.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\irmcxnzujxfbtzobq.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\irmcxnzujxfbtzobq.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\rbxokbokapyvovlzpk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\cnkczrfctjtrltkzqmg.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\bjdsmbmguhojaftf.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\bjdsmbmguhojaftf.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\erqkjdtsldpplvofywsfe.exe | pnxcmr.exe
File opened for modification | C:\Windows\vjjeezqqkdqroztlfebppk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\rbxokbokapyvovlzpk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\irmcxnzujxfbtzobq.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\vjjeezqqkdqroztlfebppk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\rbxokbokapyvovlzpk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\bjdsmbmguhojaftf.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\erqkjdtsldpplvofywsfe.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\cnkczrfctjtrltkzqmg.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\erqkjdtsldpplvofywsfe.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\rbxokbokapyvovlzpk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\rbxokbokapyvovlzpk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\vjjeezqqkdqroztlfebppk.exe | pnxcmr.exe
File opened for modification | C:\Windows\cnkczrfctjtrltkzqmg.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\rbxokbokapyvovlzpk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\irmcxnzujxfbtzobq.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\cnkczrfctjtrltkzqmg.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\vjjeezqqkdqroztlfebppk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\pbzsqjywofqpktlbtqlx.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\irmcxnzujxfbtzobq.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\cnkczrfctjtrltkzqmg.exe | pnxcmr.exe
File opened for modification | C:\Windows\rbxokbokapyvovlzpk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\pbzsqjywofqpktlbtqlx.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\erqkjdtsldpplvofywsfe.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\rbxokbokapyvovlzpk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\vjjeezqqkdqroztlfebppk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\vjjeezqqkdqroztlfebppk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\pbzsqjywofqpktlbtqlx.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\pbzsqjywofqpktlbtqlx.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\pbzsqjywofqpktlbtqlx.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\cnkczrfctjtrltkzqmg.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\rbxokbokapyvovlzpk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\bjdsmbmguhojaftf.exe | pnxcmr.exe
File opened for modification | C:\Windows\irmcxnzujxfbtzobq.exe | pnxcmr.exe
File opened for modification | C:\Windows\vjjeezqqkdqroztlfebppk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\erqkjdtsldpplvofywsfe.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\cnkczrfctjtrltkzqmg.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\pbzsqjywofqpktlbtqlx.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\vjjeezqqkdqroztlfebppk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\rbxokbokapyvovlzpk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\cnkczrfctjtrltkzqmg.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\vjjeezqqkdqroztlfebppk.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\irmcxnzujxfbtzobq.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\cnkczrfctjtrltkzqmg.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\irmcxnzujxfbtzobq.exe | fvhhqxgupfr.exe
File opened for modification | C:\Windows\irmcxnzujxfbtzobq.exe | fvhhqxgupfr.exe
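The three "Drops file" tables above show fvhhqxgupfr.exe and pnxcmr.exe writing copies under C:\Windows, C:\Windows\SysWOW64 and C:\Program Files (x86). A standard user cannot write to those trees, so these writes only succeed because the sample is running elevated, and the filenames are the same generated-looking strings that appear in the autorun values. The Python below is an added example, not the sandbox's or the sample's code. It parses file rows in the shape shown above, skips a small allow-list of legitimate system writers (TrustedInstaller.exe, TiWorker.exe, msiexec.exe, an assumption about what is benign rather than anything taken from this report), and flags writes into protected directories that are executables or carry random-looking names. The name heuristic (vowel ratio and longest consonant run, with thresholds chosen by eye from the names on this page) is an illustration rather than a calibrated classifier; abbreviated system names such as ntoskrnl trip it, so treat a hit as a reason to look, not as a verdict. Sample rows are copied from the tables above plus two constructed benign rows.

```python
"""Flag sandbox file-write rows that land in protected directories under random-looking names.

Added example for this report (not the sandbox's or the sample's code). Assumes rows of the form
  File created <path> <process>
  File opened for modification <path> <process>
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

FILE_ROW_RE = re.compile(
    r'^(?P<op>File created|File opened for modification) (?P<path>.+) (?P<process>\S+)$'
)
# Standard users cannot write here, so a drop in these trees implies an elevated writer.
PROTECTED_PREFIXES = ('c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\')
# Legitimate system writers to skip: an assumption about what is benign, not from the report.
TRUSTED_WRITERS = {'trustedinstaller.exe', 'tiworker.exe', 'msiexec.exe'}
EXECUTABLE_EXT = ('.exe', '.dll', '.scr', '.com')
VOWELS = set('aeiouy')

# Sample rows: the first four are copied from the tables above; the last two are constructed
# benign rows (a TrustedInstaller write and a user-profile write) that must not be flagged.
SAMPLE_ROWS = [
    r'File opened for modification C:\Windows\SysWOW64\cnkczrfctjtrltkzqmg.exe pnxcmr.exe',
    r'File created C:\Windows\SysWOW64\bdraoxcqyfgvgfntbozbpymvaowdeted.rzm pnxcmr.exe',
    r'File created C:\Program Files (x86)\gxaybztwtpfjjxupmoofi.jhb pnxcmr.exe',
    r'File opened for modification C:\Windows\rbxokbokapyvovlzpk.exe fvhhqxgupfr.exe',
    r'File opened for modification C:\Windows\System32\SecurityHealthSystray.exe TrustedInstaller.exe',
    r'File created C:\Users\Admin\AppData\Local\Temp\notes.txt notepad.exe',
]


@dataclass(frozen=True)
class FileEvent:
    op: str
    path: str
    process: str

    @property
    def name(self) -> str:
        return self.path.rsplit('\\', 1)[-1]

    @property
    def stem(self) -> str:
        return self.name.rsplit('.', 1)[0]


def parse_file_row(line: str) -> Optional[FileEvent]:
    m = FILE_ROW_RE.match(line.strip())
    if not m:
        return None
    # Some sandbox renderings double the backslashes; normalise to a single one.
    return FileEvent(m['op'], m['path'].replace('\\\\', '\\'), m['process'])


def looks_random(stem: str) -> bool:
    """Rough test for generated names: letters only, and few vowels or a long consonant run.

    Thresholds were picked by eye from the names in this report; abbreviations such as
    "ntoskrnl" also trip it, so a hit is a reason to look, not a verdict.
    """
    s = stem.lower()
    if len(s) < 8 or not s.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in s) / len(s)
    longest_consonant_run = max(len(run) for run in re.split('[aeiouy]+', s))
    return longest_consonant_run >= 6 or vowel_ratio < 0.30


def in_protected_dir(path: str) -> bool:
    return path.lower().startswith(PROTECTED_PREFIXES)


def flag_drops(rows) -> List[Tuple[FileEvent, str]]:
    """Return (event, reason) pairs for writes into protected directories worth a second look."""
    findings = []
    for line in rows:
        ev = parse_file_row(line)
        if ev is None or ev.process.lower() in TRUSTED_WRITERS or not in_protected_dir(ev.path):
            continue
        reasons = []
        if ev.name.lower().endswith(EXECUTABLE_EXT):
            reasons.append('executable written to protected directory')
        if looks_random(ev.stem):
            reasons.append('random-looking filename')
        if reasons:
            findings.append((ev, '; '.join(reasons)))
    return findings
```

On the sample rows flag_drops() returns four findings, all from the two dropper processes; the .rzm and .jhb files are caught by the name heuristic alone, which is the reason to keep it alongside the extension check: a payload or configuration blob with a harmless-looking extension still stands out by its name.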
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | erqkjdtsldpplvofywsfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bjdsmbmguhojaftf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | erqkjdtsldpplvofywsfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bjdsmbmguhojaftf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | irmcxnzujxfbtzobq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | irmcxnzujxfbtzobq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bjdsmbmguhojaftf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | irmcxnzujxfbtzobq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | erqkjdtsldpplvofywsfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cnkczrfctjtrltkzqmg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | irmcxnzujxfbtzobq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cnkczrfctjtrltkzqmg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | erqkjdtsldpplvofywsfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pbzsqjywofqpktlbtqlx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rbxokbokapyvovlzpk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cnkczrfctjtrltkzqmg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bjdsmbmguhojaftf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bjdsmbmguhojaftf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | irmcxnzujxfbtzobq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | erqkjdtsldpplvofywsfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rbxokbokapyvovlzpk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rbxokbokapyvovlzpk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rbxokbokapyvovlzpk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cnkczrfctjtrltkzqmg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rbxokbokapyvovlzpk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | irmcxnzujxfbtzobq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bjdsmbmguhojaftf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pbzsqjywofqpktlbtqlx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cnkczrfctjtrltkzqmg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pbzsqjywofqpktlbtqlx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rbxokbokapyvovlzpk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | erqkjdtsldpplvofywsfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cnkczrfctjtrltkzqmg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fvhhqxgupfr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pbzsqjywofqpktlbtqlx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | irmcxnzujxfbtzobq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rbxokbokapyvovlzpk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pbzsqjywofqpktlbtqlx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rbxokbokapyvovlzpk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | erqkjdtsldpplvofywsfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bjdsmbmguhojaftf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pbzsqjywofqpktlbtqlx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | irmcxnzujxfbtzobq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cnkczrfctjtrltkzqmg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | erqkjdtsldpplvofywsfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | erqkjdtsldpplvofywsfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rbxokbokapyvovlzpk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bjdsmbmguhojaftf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | irmcxnzujxfbtzobq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bjdsmbmguhojaftf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cnkczrfctjtrltkzqmg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bjdsmbmguhojaftf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bjdsmbmguhojaftf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bjdsmbmguhojaftf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bjdsmbmguhojaftf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cnkczrfctjtrltkzqmg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pbzsqjywofqpktlbtqlx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bjdsmbmguhojaftf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cnkczrfctjtrltkzqmg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | erqkjdtsldpplvofywsfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pbzsqjywofqpktlbtqlx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | irmcxnzujxfbtzobq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | irmcxnzujxfbtzobq.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 2224 pnxcmr.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_b9c1a84350d1c4881dd1eac4ffb453b0.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2712 -
C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe"C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe" "-C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2224
-
-
C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe"C:\Users\Admin\AppData\Local\Temp\pnxcmr.exe" "-C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe1⤵
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\bjdsmbmguhojaftf.exebjdsmbmguhojaftf.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\bjdsmbmguhojaftf.exebjdsmbmguhojaftf.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."3⤵
- Executes dropped EXE
PID:2840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\erqkjdtsldpplvofywsfe.exeerqkjdtsldpplvofywsfe.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\bjdsmbmguhojaftf.exebjdsmbmguhojaftf.exe .2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."3⤵
- Executes dropped EXE
PID:4912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exeC:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:336 -
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."3⤵
- Executes dropped EXE
PID:3948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5208 -
C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exeC:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe2⤵
- Executes dropped EXE
PID:1128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exeC:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."3⤵
- Executes dropped EXE
PID:5660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\erqkjdtsldpplvofywsfe.exeerqkjdtsldpplvofywsfe.exe2⤵
- Executes dropped EXE
PID:4040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\pbzsqjywofqpktlbtqlx.exepbzsqjywofqpktlbtqlx.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5864 -
C:\Windows\cnkczrfctjtrltkzqmg.execnkczrfctjtrltkzqmg.exe2⤵
- Executes dropped EXE
PID:760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Windows\bjdsmbmguhojaftf.exebjdsmbmguhojaftf.exe2⤵
- Executes dropped EXE
PID:3068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\rbxokbokapyvovlzpk.exerbxokbokapyvovlzpk.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5244 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."3⤵
- Executes dropped EXE
PID:6080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .1⤵PID:5732
-
C:\Windows\rbxokbokapyvovlzpk.exerbxokbokapyvovlzpk.exe .2⤵
- Executes dropped EXE
PID:4392 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."3⤵
- Executes dropped EXE
PID:4968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe2⤵
- Executes dropped EXE
PID:6120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe1⤵PID:5724
-
C:\Windows\rbxokbokapyvovlzpk.exerbxokbokapyvovlzpk.exe2⤵
- Executes dropped EXE
PID:5076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .1⤵PID:1288
-
C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exeC:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3308 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."3⤵
- Executes dropped EXE
PID:4864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .1⤵PID:3372
-
C:\Windows\cnkczrfctjtrltkzqmg.execnkczrfctjtrltkzqmg.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4656 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."3⤵
- Executes dropped EXE
PID:3996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe1⤵PID:368
-
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe2⤵
- Executes dropped EXE
PID:4676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe1⤵PID:2544
-
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe2⤵
- Executes dropped EXE
PID:5068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .1⤵PID:4308
-
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3500 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."3⤵
- Executes dropped EXE
PID:5176
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .1⤵PID:2900
-
C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exeC:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4916 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."3⤵
- Executes dropped EXE
PID:5828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe1⤵PID:3196
-
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe2⤵
- Executes dropped EXE
PID:4856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe1⤵PID:1548
-
C:\Windows\rbxokbokapyvovlzpk.exerbxokbokapyvovlzpk.exe2⤵
- Executes dropped EXE
PID:1184
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .1⤵PID:5960
-
C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exeC:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5008 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."3⤵
- Executes dropped EXE
PID:944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .1⤵PID:1064
-
C:\Windows\irmcxnzujxfbtzobq.exeirmcxnzujxfbtzobq.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:676 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."3⤵
- Executes dropped EXE
PID:920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe1⤵PID:4700
-
C:\Windows\bjdsmbmguhojaftf.exebjdsmbmguhojaftf.exe2⤵
- Executes dropped EXE
PID:3440
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .1⤵PID:5768
-
C:\Windows\pbzsqjywofqpktlbtqlx.exepbzsqjywofqpktlbtqlx.exe .2⤵
- Executes dropped EXE
PID:772 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."3⤵
- Executes dropped EXE
PID:2020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe1⤵PID:3952
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1128
-
-
C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exeC:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe2⤵
- Executes dropped EXE
PID:940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .1⤵PID:5208
-
C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exeC:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3032 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe1⤵PID:4324
-
C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exeC:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe2⤵
- Executes dropped EXE
PID:2484
-
-
Process tree (continued). One process per line, indented under its parent: image path, PID, command line, and in brackets the signatures triggered by that process.

C:\Windows\system32\cmd.exe  (PID 5628)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .
  C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe  (PID 1012)  C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .  [Checks computer location settings; Executes dropped EXE]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 3424)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."  [Executes dropped EXE]

C:\Windows\system32\cmd.exe  (PID 1808)  C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe
  C:\Windows\cnkczrfctjtrltkzqmg.exe  (PID 2652)  cnkczrfctjtrltkzqmg.exe  [Executes dropped EXE]

C:\Windows\system32\cmd.exe  (PID 3936)  C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .
  C:\Windows\irmcxnzujxfbtzobq.exe  (PID 6120)  irmcxnzujxfbtzobq.exe .  [Executes dropped EXE; System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 5608)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."  [Executes dropped EXE]

C:\Windows\system32\cmd.exe  (PID 2176)  C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe
  C:\Windows\rbxokbokapyvovlzpk.exe  (PID 5952)  rbxokbokapyvovlzpk.exe  [Executes dropped EXE]

C:\Windows\system32\cmd.exe  (PID 2220)  C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .
  C:\Windows\rbxokbokapyvovlzpk.exe  (PID 5308)  rbxokbokapyvovlzpk.exe .  [Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 1508)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."  [Executes dropped EXE]

C:\Windows\system32\cmd.exe  (PID 5876)  C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe
  C:\Windows\cnkczrfctjtrltkzqmg.exe  (PID 5576)  cnkczrfctjtrltkzqmg.exe  [Executes dropped EXE]

C:\Windows\system32\cmd.exe  (PID 3508)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe
  C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe  (PID 6060)  C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe  [Executes dropped EXE]

C:\Windows\system32\cmd.exe  (PID 5944)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .
  C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe  (PID 1456)  C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .  [Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 5528)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."  [Executes dropped EXE]

C:\Windows\system32\cmd.exe  (PID 4756)  C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .
  C:\Windows\rbxokbokapyvovlzpk.exe  (PID 4412)  rbxokbokapyvovlzpk.exe .  [Checks computer location settings; Executes dropped EXE]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 4968)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."  [Executes dropped EXE]

C:\Windows\system32\cmd.exe  (PID 972)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe
  C:\Windows\System32\Conhost.exe  (PID 4676)  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe  (PID 5732)  C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe  (PID 4400)  C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe
  C:\Windows\rbxokbokapyvovlzpk.exe  (PID 5744)  rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe  (PID 4532)  C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe
  C:\Windows\irmcxnzujxfbtzobq.exe  (PID 1708)  irmcxnzujxfbtzobq.exe  [Executes dropped EXE]

C:\Windows\system32\cmd.exe  (PID 2112)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .
  C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe  (PID 5664)  C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .  [Checks computer location settings; System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 1528)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\system32\cmd.exe  (PID 4960)  C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .
  C:\Windows\cnkczrfctjtrltkzqmg.exe  (PID 4872)  cnkczrfctjtrltkzqmg.exe .  [Checks computer location settings]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 4728)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."  [Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification]

C:\Windows\system32\cmd.exe  (PID 2156)  C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .
  C:\Windows\bjdsmbmguhojaftf.exe  (PID 5476)  bjdsmbmguhojaftf.exe .  [Checks computer location settings]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 2600)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe  (PID 4616)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe
  C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe  (PID 4912)  C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe  [System Location Discovery: System Language Discovery]

C:\Windows\system32\cmd.exe  (PID 5788)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .
  C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe  (PID 3196)  C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .  [Checks computer location settings]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 1180)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\system32\cmd.exe  (PID 4768)  C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe
  C:\Windows\rbxokbokapyvovlzpk.exe  (PID 4700)  rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe  (PID 2544)  C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .
  C:\Windows\cnkczrfctjtrltkzqmg.exe  (PID 2900)  cnkczrfctjtrltkzqmg.exe .  [System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 4844)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe  (PID 1220)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe
  C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe  (PID 4252)  C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe  (PID 4648)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe
  C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe  (PID 5936)  C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe  (PID 5740)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .
  C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe  (PID 4876)  C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .  [Checks computer location settings]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 4320)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe  (PID 5716)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .
  C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe  (PID 1064)  C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .  [Checks computer location settings; System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 5208)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\rbxokbokapyvovlzpk.exe*."

C:\Windows\system32\cmd.exe  (PID 3244)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe
  C:\Windows\System32\Conhost.exe  (PID 772)  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe  (PID 1512)  C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe  [System Location Discovery: System Language Discovery]

C:\Windows\system32\cmd.exe  (PID 3512)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .
  C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe  (PID 2312)  C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 5276)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe  (PID 4896)  C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe
  C:\Windows\irmcxnzujxfbtzobq.exe  (PID 3684)  irmcxnzujxfbtzobq.exe

C:\Windows\system32\cmd.exe  (PID 4820)  C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .
  C:\Windows\erqkjdtsldpplvofywsfe.exe  (PID 3976)  erqkjdtsldpplvofywsfe.exe .  [System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 2704)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe  (PID 1012)  C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe
  C:\Windows\rbxokbokapyvovlzpk.exe  (PID 2736)  rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe  (PID 1984)  C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .
  C:\Windows\System32\Conhost.exe  (PID 760)  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\cnkczrfctjtrltkzqmg.exe  (PID 3916)  cnkczrfctjtrltkzqmg.exe .  [System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 1192)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe  (PID 2780)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe
  C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe  (PID 4332)  C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe  (PID 1948)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .
  C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe  (PID 3436)  C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 3788)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."

C:\Windows\system32\cmd.exe  (PID 3368)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe
  C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe  (PID 5916)  C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe  (PID 2012)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .
  C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe  (PID 6104)  C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .  [System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 4116)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."  [Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification]

C:\Windows\system32\cmd.exe  (PID 3908)  C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe
  C:\Windows\pbzsqjywofqpktlbtqlx.exe  (PID 3992)  pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe  (PID 4752)  C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .
  C:\Windows\erqkjdtsldpplvofywsfe.exe  (PID 1864)  erqkjdtsldpplvofywsfe.exe .  [Checks computer location settings]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 1708)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe  (PID 1860)  C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe
  C:\Windows\System32\Conhost.exe  (PID 5072)  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\bjdsmbmguhojaftf.exe  (PID 4976)  bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe  (PID 3308)  C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .
  C:\Windows\cnkczrfctjtrltkzqmg.exe  (PID 3948)  cnkczrfctjtrltkzqmg.exe .
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 5260)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe  (PID 4020)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe
  C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe  (PID 5508)  C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe  (PID 4204)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .
  C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe  (PID 5760)  C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .  [Checks computer location settings]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 5640)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."

C:\Windows\system32\cmd.exe  (PID 4656)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe
  C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe  (PID 3108)  C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe  (PID 1788)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .
  C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe  (PID 2528)  C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .  [Checks computer location settings]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 3536)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."  [Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification]

C:\Windows\system32\cmd.exe  (PID 1132)  C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe
  C:\Windows\pbzsqjywofqpktlbtqlx.exe  (PID 5704)  pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe  (PID 4536)  C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .
  C:\Windows\erqkjdtsldpplvofywsfe.exe  (PID 2292)  erqkjdtsldpplvofywsfe.exe .  [Checks computer location settings]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 2344)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe  (PID 5572)  C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe
  C:\Windows\rbxokbokapyvovlzpk.exe  (PID 4488)  rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe  (PID 2544)  C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .
  C:\Windows\pbzsqjywofqpktlbtqlx.exe  (PID 5932)  pbzsqjywofqpktlbtqlx.exe .  [System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 2096)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\system32\cmd.exe  (PID 6092)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe
  C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe  (PID 5208)  C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe  (PID 8)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .
  C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe  (PID 1944)  C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .  [System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 4732)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe  (PID 1428)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe
  C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe  (PID 2108)  C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe  (PID 5864)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .
  C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe  (PID 4828)  C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .  [Checks computer location settings; System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 2736)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."  [Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification]

C:\Windows\system32\cmd.exe  (PID 5452)  C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe
  C:\Windows\erqkjdtsldpplvofywsfe.exe  (PID 4908)  erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe  (PID 3708)  C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .
  C:\Windows\bjdsmbmguhojaftf.exe  (PID 5552)  bjdsmbmguhojaftf.exe .  [System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 4724)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe  (PID 5948)  C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe
  C:\Windows\erqkjdtsldpplvofywsfe.exe  (PID 6036)  erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe  (PID 2832)  C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .
  C:\Windows\pbzsqjywofqpktlbtqlx.exe  (PID 3440)  pbzsqjywofqpktlbtqlx.exe .  [Checks computer location settings]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 916)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\system32\cmd.exe  (PID 5936)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe
  C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe  (PID 4124)  C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe  (PID 5476)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .
  C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe  (PID 1644)  C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .  [Checks computer location settings]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 6120)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe  (PID 3168)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe
  C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe  (PID 3540)  C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

C:\Windows\system32\cmd.exe  (PID 3408)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .
  C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe  (PID 3368)  C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .  [System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 4380)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."  [Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification]

C:\Windows\system32\cmd.exe  (PID 716)  C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe
  C:\Windows\cnkczrfctjtrltkzqmg.exe  (PID 5736)  cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe  (PID 5652)  C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .
  C:\Windows\bjdsmbmguhojaftf.exe  (PID 4412)  bjdsmbmguhojaftf.exe .  [System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 6052)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe  (PID 4468)  C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe
  C:\Windows\cnkczrfctjtrltkzqmg.exe  (PID 4852)  cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe  (PID 1708)  C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .
  C:\Windows\irmcxnzujxfbtzobq.exe  (PID 5224)  irmcxnzujxfbtzobq.exe .  [Checks computer location settings; System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 3828)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."

C:\Windows\system32\cmd.exe  (PID 4752)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe
  C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe  (PID 972)  C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe  (PID 1860)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .
  C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe  (PID 4804)  C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 4008)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe  (PID 6080)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe
  C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe  (PID 4552)  C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe  (PID 1528)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .
  C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe  (PID 1768)  C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .  [System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 6088)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."  [Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification]

C:\Windows\system32\cmd.exe  (PID 400)  C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe
  C:\Windows\erqkjdtsldpplvofywsfe.exe  (PID 4960)  erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe  (PID 2408)  C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .
  C:\Windows\irmcxnzujxfbtzobq.exe  (PID 2580)  irmcxnzujxfbtzobq.exe .  [Checks computer location settings; System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 4504)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."

C:\Windows\system32\cmd.exe  (PID 4596)  C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe
  C:\Windows\System32\Conhost.exe  (PID 2020)  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\pbzsqjywofqpktlbtqlx.exe  (PID 5084)  pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe  (PID 4036)  C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .
  C:\Windows\pbzsqjywofqpktlbtqlx.exe  (PID 2900)  pbzsqjywofqpktlbtqlx.exe .  [Checks computer location settings]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 5208)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\system32\cmd.exe  (PID 5444)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe
  C:\Windows\System32\Conhost.exe  (PID 5176)  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe  (PID 1072)  C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe  (PID 4664)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .
  C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe  (PID 5380)  C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .  [Checks computer location settings; System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 744)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\rbxokbokapyvovlzpk.exe*."

C:\Windows\system32\cmd.exe  (PID 2428)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe
  C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe  (PID 5300)  C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe  (PID 1724)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .
  C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe  (PID 5024)  C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .  [Checks computer location settings; System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 5768)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."  [Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification]

C:\Windows\system32\cmd.exe  (PID 860)  C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe
  C:\Windows\erqkjdtsldpplvofywsfe.exe  (PID 4712)  erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe  (PID 4792)  C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .
  C:\Windows\erqkjdtsldpplvofywsfe.exe  (PID 2844)  erqkjdtsldpplvofywsfe.exe .
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 740)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe  (PID 5792)  C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe
  C:\Windows\rbxokbokapyvovlzpk.exe  (PID 3980)  rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe  (PID 4484)  C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe
  C:\Windows\cnkczrfctjtrltkzqmg.exe  (PID 4932)  cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe  (PID 5956)  C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe
  C:\Windows\bjdsmbmguhojaftf.exe  (PID 1192)  bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe  (PID 4416)  C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .
  C:\Windows\cnkczrfctjtrltkzqmg.exe  (PID 4648)  cnkczrfctjtrltkzqmg.exe .
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 3352)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe  (PID 1808)  C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .
  C:\Windows\System32\Conhost.exe  (PID 5608)  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\cnkczrfctjtrltkzqmg.exe  (PID 652)  cnkczrfctjtrltkzqmg.exe .
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 4912)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe  (PID 6036)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe
  C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe  (PID 5280)  C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe  (PID 3440)  C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .
  C:\Windows\pbzsqjywofqpktlbtqlx.exe  (PID 6028)  pbzsqjywofqpktlbtqlx.exe .  [System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 3828)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\system32\cmd.exe  (PID 4672)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .
  C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe  (PID 3272)  C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 4700)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe  (PID 3712)  C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe
  C:\Windows\erqkjdtsldpplvofywsfe.exe  (PID 4788)  erqkjdtsldpplvofywsfe.exe

C:\Windows\system32\cmd.exe  (PID 548)  C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe
  C:\Windows\System32\Conhost.exe  (PID 5476)  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\cnkczrfctjtrltkzqmg.exe  (PID 4532)  cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe  (PID 4084)  C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .
  C:\Windows\irmcxnzujxfbtzobq.exe  (PID 3840)  irmcxnzujxfbtzobq.exe .  [Checks computer location settings]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 4812)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."  [Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification]

C:\Windows\system32\cmd.exe  (PID 2716)  C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .
  C:\Windows\erqkjdtsldpplvofywsfe.exe  (PID 6080)  erqkjdtsldpplvofywsfe.exe .
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 2580)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe  (PID 2736)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe
  C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe  (PID 5640)  C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe  (PID 4984)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe
  C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe  (PID 1944)  C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe  (PID 5872)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .
  C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe  (PID 5268)  C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .  [Checks computer location settings; System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 1132)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."

C:\Windows\system32\cmd.exe  (PID 1136)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe
  C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe  (PID 1528)  C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe  (PID 5892)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .
  C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe  (PID 1768)  C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 4472)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\rbxokbokapyvovlzpk.exe*."

C:\Windows\system32\cmd.exe  (PID 5528)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .
  C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe  (PID 3752)  C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .  [Checks computer location settings; System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 4860)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

C:\Windows\system32\cmd.exe  (PID 432)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe
  C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe  (PID 5704)  C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

C:\Windows\system32\cmd.exe  (PID 5724)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .
  C:\Windows\System32\Conhost.exe  (PID 4008)  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe  (PID 5176)  C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .  [Checks computer location settings]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 5572)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."

C:\Windows\system32\cmd.exe  (PID 4804)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe
  C:\Windows\System32\Conhost.exe  (PID 5508)  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe  (PID 1576)  C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

C:\Windows\system32\cmd.exe  (PID 2920)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .
  C:\Windows\System32\Conhost.exe  (PID 4380)  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe  (PID 4664)  C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .  [Checks computer location settings; System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 5824)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe  (PID 4036)  C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe
  C:\Windows\bjdsmbmguhojaftf.exe  (PID 1316)  bjdsmbmguhojaftf.exe

C:\Windows\system32\cmd.exe  (PID 2768)  C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .
  C:\Windows\bjdsmbmguhojaftf.exe  (PID 848)  bjdsmbmguhojaftf.exe .  [Checks computer location settings]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 1428)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

C:\Windows\system32\cmd.exe  (PID 776)  C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe
  C:\Windows\pbzsqjywofqpktlbtqlx.exe  (PID 4828)  pbzsqjywofqpktlbtqlx.exe

C:\Windows\system32\cmd.exe  (PID 1252)  C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .
  C:\Windows\System32\Conhost.exe  (PID 2312)  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\cnkczrfctjtrltkzqmg.exe  (PID 5864)  cnkczrfctjtrltkzqmg.exe .  [Checks computer location settings; System Location Discovery: System Language Discovery]
    C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe  (PID 4248)  "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

C:\Windows\system32\cmd.exe  (PID 3296)  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe
  C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe  (PID 3980)  C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .1⤵PID:2320
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4124
-
-
C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exeC:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4220 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."3⤵PID:5056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe1⤵PID:2608
-
C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exeC:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe2⤵PID:2500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .1⤵PID:5952
-
C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exeC:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2012 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\rbxokbokapyvovlzpk.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:6040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe1⤵PID:5224
-
C:\Windows\cnkczrfctjtrltkzqmg.execnkczrfctjtrltkzqmg.exe2⤵PID:4788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .1⤵PID:5776
-
C:\Windows\pbzsqjywofqpktlbtqlx.exepbzsqjywofqpktlbtqlx.exe .2⤵PID:4868
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."3⤵PID:436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe1⤵PID:4612
-
C:\Windows\pbzsqjywofqpktlbtqlx.exepbzsqjywofqpktlbtqlx.exe2⤵PID:5464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .1⤵PID:1564
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3788
-
-
C:\Windows\cnkczrfctjtrltkzqmg.execnkczrfctjtrltkzqmg.exe .2⤵
- Checks computer location settings
PID:5264 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."3⤵PID:2332
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe1⤵PID:1452
-
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe2⤵PID:4364
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .1⤵PID:4032
-
C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exeC:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4580 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\rbxokbokapyvovlzpk.exe*."3⤵PID:5076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe1⤵PID:6064
-
C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exeC:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe2⤵PID:3652
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .1⤵PID:5536
-
C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exeC:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .2⤵
- Checks computer location settings
PID:5888 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\rbxokbokapyvovlzpk.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe1⤵PID:5928
-
C:\Windows\rbxokbokapyvovlzpk.exerbxokbokapyvovlzpk.exe2⤵PID:1708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .1⤵PID:5072
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5576
-
-
C:\Windows\rbxokbokapyvovlzpk.exerbxokbokapyvovlzpk.exe .2⤵PID:4496
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."3⤵PID:4608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe1⤵PID:3516
-
C:\Windows\erqkjdtsldpplvofywsfe.exeerqkjdtsldpplvofywsfe.exe2⤵PID:1400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .1⤵PID:4860
-
C:\Windows\erqkjdtsldpplvofywsfe.exeerqkjdtsldpplvofywsfe.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3996 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."3⤵PID:5684
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe1⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exeC:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe2⤵PID:3292
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .1⤵PID:5260
-
C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exeC:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5124 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."3⤵PID:3272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe1⤵PID:3244
-
C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exeC:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe2⤵PID:760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .1⤵PID:5936
-
C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exeC:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3312 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe1⤵PID:3880
-
C:\Windows\irmcxnzujxfbtzobq.exeirmcxnzujxfbtzobq.exe2⤵PID:628
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .1⤵PID:1176
-
C:\Windows\cnkczrfctjtrltkzqmg.execnkczrfctjtrltkzqmg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4492 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."3⤵PID:5960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe1⤵PID:3120
-
C:\Windows\cnkczrfctjtrltkzqmg.execnkczrfctjtrltkzqmg.exe2⤵PID:776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .1⤵PID:4324
-
C:\Windows\rbxokbokapyvovlzpk.exerbxokbokapyvovlzpk.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2364 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."3⤵PID:3740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe1⤵PID:3980
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3916
-
-
C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exeC:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe2⤵PID:1252
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .1⤵PID:1588
-
C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exeC:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1516 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\rbxokbokapyvovlzpk.exe*."3⤵PID:2016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe1⤵PID:3164
-
C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exeC:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe2⤵PID:5792
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .1⤵PID:5584
-
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5328 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:6120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe1⤵PID:4484
-
C:\Windows\irmcxnzujxfbtzobq.exeirmcxnzujxfbtzobq.exe2⤵PID:2616
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .1⤵PID:5736
-
C:\Windows\cnkczrfctjtrltkzqmg.execnkczrfctjtrltkzqmg.exe .2⤵
- Checks computer location settings
PID:3756 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."3⤵PID:5844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe1⤵PID:868
-
C:\Windows\rbxokbokapyvovlzpk.exerbxokbokapyvovlzpk.exe2⤵PID:3972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .1⤵PID:3200
-
C:\Windows\bjdsmbmguhojaftf.exebjdsmbmguhojaftf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1572 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."3⤵PID:1836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe1⤵PID:5000
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4976
-
-
C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exeC:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe2⤵PID:1808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .1⤵PID:2008
-
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4392 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."3⤵PID:3276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe1⤵PID:4580
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4728
-
-
C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exeC:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe2⤵PID:5044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .1⤵PID:6048
-
C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exeC:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe1⤵PID:2156
-
C:\Windows\irmcxnzujxfbtzobq.exeirmcxnzujxfbtzobq.exe2⤵PID:3500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .1⤵PID:4960
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1064
-
-
C:\Windows\irmcxnzujxfbtzobq.exeirmcxnzujxfbtzobq.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5504 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."3⤵PID:4496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe1⤵PID:5624
-
C:\Windows\bjdsmbmguhojaftf.exebjdsmbmguhojaftf.exe2⤵PID:2168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe1⤵PID:408
-
C:\Windows\pbzsqjywofqpktlbtqlx.exepbzsqjywofqpktlbtqlx.exe2⤵PID:6072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .1⤵PID:5268
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4412
-
-
C:\Windows\bjdsmbmguhojaftf.exebjdsmbmguhojaftf.exe .2⤵
- Checks computer location settings
PID:6020 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."3⤵PID:2244
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe1⤵PID:3556
-
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe2⤵PID:4744
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .1⤵PID:5900
-
C:\Windows\bjdsmbmguhojaftf.exebjdsmbmguhojaftf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1160 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."3⤵PID:1648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .1⤵PID:1132
-
C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exeC:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4660 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."3⤵PID:2832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe1⤵PID:1316
-
C:\Windows\bjdsmbmguhojaftf.exebjdsmbmguhojaftf.exe2⤵PID:4704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .1⤵PID:1136
-
C:\Windows\pbzsqjywofqpktlbtqlx.exepbzsqjywofqpktlbtqlx.exe .2⤵PID:2240
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1252
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe1⤵PID:4112
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5936
-
-
C:\Windows\erqkjdtsldpplvofywsfe.exeerqkjdtsldpplvofywsfe.exe2⤵PID:4932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe1⤵PID:4224
-
C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exeC:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe2⤵PID:4768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe1⤵PID:1512
-
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe2⤵PID:2776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .1⤵PID:4064
-
C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exeC:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4760 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."3⤵PID:4680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .1⤵PID:5108
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4320
-
-
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5580 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."3⤵PID:2500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .1⤵PID:5024
-
C:\Windows\bjdsmbmguhojaftf.exebjdsmbmguhojaftf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:740 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."3⤵PID:4816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe1⤵PID:2844
-
C:\Windows\cnkczrfctjtrltkzqmg.execnkczrfctjtrltkzqmg.exe2⤵PID:4996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe1⤵PID:4236
-
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe2⤵PID:4912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .1⤵PID:5228
-
C:\Windows\cnkczrfctjtrltkzqmg.execnkczrfctjtrltkzqmg.exe .2⤵
- Checks computer location settings
PID:1424 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."3⤵PID:2140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .1⤵PID:4040
-
C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exeC:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4500 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."3⤵PID:4392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe1⤵PID:3288
-
C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exeC:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe2⤵PID:1968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .1⤵PID:4372
-
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5844 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."3⤵PID:4532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe1⤵PID:5468
-
C:\Windows\erqkjdtsldpplvofywsfe.exeerqkjdtsldpplvofywsfe.exe2⤵PID:5776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe1⤵PID:3936
-
C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exeC:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe2⤵PID:4176
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .1⤵PID:3828
-
C:\Windows\bjdsmbmguhojaftf.exebjdsmbmguhojaftf.exe .2⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."3⤵PID:6048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .1⤵PID:5400
-
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .2⤵
- Checks computer location settings
PID:1644 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."3⤵PID:4472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe1⤵PID:5144
-
C:\Windows\rbxokbokapyvovlzpk.exerbxokbokapyvovlzpk.exe2⤵PID:1072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .1⤵PID:3168
-
C:\Windows\irmcxnzujxfbtzobq.exeirmcxnzujxfbtzobq.exe .2⤵
- Checks computer location settings
PID:4300 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."3⤵PID:1768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe1⤵PID:4928
-
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe2⤵PID:5784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .1⤵PID:1356
-
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4312 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."3⤵PID:3012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe1⤵PID:5944
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1708
-
-
C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exeC:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe2⤵PID:5208
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .1⤵PID:5680
-
C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exeC:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .2⤵
- Checks computer location settings
PID:3292 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe1⤵PID:2840
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2528
-
-
C:\Windows\pbzsqjywofqpktlbtqlx.exepbzsqjywofqpktlbtqlx.exe2⤵PID:1612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .1⤵PID:4808
-
C:\Windows\irmcxnzujxfbtzobq.exeirmcxnzujxfbtzobq.exe .2⤵
- Checks computer location settings
PID:2096 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."3⤵PID:5244
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe1⤵PID:972
-
C:\Windows\rbxokbokapyvovlzpk.exerbxokbokapyvovlzpk.exe2⤵PID:4696
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .1⤵PID:4036
-
C:\Windows\erqkjdtsldpplvofywsfe.exeerqkjdtsldpplvofywsfe.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4860 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."3⤵PID:1364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe1⤵PID:4560
-
C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exeC:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe2⤵PID:224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .1⤵PID:5728
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1864
-
-
C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exeC:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."3⤵PID:4492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe1⤵PID:1192
-
C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exeC:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe2⤵PID:2112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .1⤵PID:4440
-
C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exeC:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4224 -
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe1⤵PID:2180
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5328
-
-
    PID 1544 | C:\Windows\pbzsqjywofqpktlbtqlx.exe | pbzsqjywofqpktlbtqlx.exe

PID 2500 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .
    PID 3164 | C:\Windows\pbzsqjywofqpktlbtqlx.exe | pbzsqjywofqpktlbtqlx.exe .
        - System Location Discovery: System Language Discovery
        PID 2704 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

PID 3144 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe
    PID 4996 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 4912 | C:\Windows\rbxokbokapyvovlzpk.exe | rbxokbokapyvovlzpk.exe

PID 3980 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .
    PID 3048 | C:\Windows\pbzsqjywofqpktlbtqlx.exe | pbzsqjywofqpktlbtqlx.exe .
        - Checks computer location settings
        PID 3704 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

PID 776 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe
    PID 5080 | C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe | C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

PID 5960 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .
    PID 4820 | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .
        PID 5392 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

PID 4632 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe
    PID 448 | C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe | C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

PID 1396 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .
    PID 1456 | C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe | C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .
        PID 5524 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\rbxokbokapyvovlzpk.exe*."

PID 5296 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe
    PID 436 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 3368 | C:\Windows\pbzsqjywofqpktlbtqlx.exe | pbzsqjywofqpktlbtqlx.exe

PID 2012 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .
    PID 1268 | C:\Windows\bjdsmbmguhojaftf.exe | bjdsmbmguhojaftf.exe .
        PID 3276 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

PID 5408 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe
    PID 5920 | C:\Windows\cnkczrfctjtrltkzqmg.exe | cnkczrfctjtrltkzqmg.exe

PID 5788 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .
    PID 2580 | C:\Windows\erqkjdtsldpplvofywsfe.exe | erqkjdtsldpplvofywsfe.exe .
        PID 5536 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

PID 3972 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe
    PID 1644 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 5816 | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

PID 5752 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .
    PID 5424 | C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe | C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .
        PID 5732 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

PID 3152 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe
    PID 5504 | C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe | C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

PID 3956 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .
    PID 4800 | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .
        PID 1084 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

PID 1064 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe
    PID 464 | C:\Windows\bjdsmbmguhojaftf.exe | bjdsmbmguhojaftf.exe

PID 5964 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .
    PID 3948 | C:\Windows\erqkjdtsldpplvofywsfe.exe | erqkjdtsldpplvofywsfe.exe .
        PID 3996 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

PID 4340 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe
    PID 4116 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 6020 | C:\Windows\irmcxnzujxfbtzobq.exe | irmcxnzujxfbtzobq.exe

PID 3556 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .
    PID 4536 | C:\Windows\bjdsmbmguhojaftf.exe | bjdsmbmguhojaftf.exe .
        PID 4404 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

PID 4548 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe
    PID 5300 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 1160 | C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe | C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

PID 5684 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .
    PID 5032 | C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe | C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .
        PID 6068 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

PID 3684 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe
    PID 756 | C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe | C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

PID 5796 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .
    PID 400 | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .
        PID 3380 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

PID 1192 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe
    PID 5380 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 1144 | C:\Windows\pbzsqjywofqpktlbtqlx.exe | pbzsqjywofqpktlbtqlx.exe

PID 4224 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .
    PID 1528 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 4440 | C:\Windows\rbxokbokapyvovlzpk.exe | rbxokbokapyvovlzpk.exe .
        PID 1544 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."

PID 4804 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe
    PID 1516 | C:\Windows\irmcxnzujxfbtzobq.exe | irmcxnzujxfbtzobq.exe

PID 1772 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .
    PID 2180 | C:\Windows\erqkjdtsldpplvofywsfe.exe | erqkjdtsldpplvofywsfe.exe .
        PID 1968 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

PID 6124 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe
    PID 2108 | C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe | C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

PID 1856 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .
    PID 1360 | C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe | C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .
        PID 1836 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."

PID 5388 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe
    PID 5116 | C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe | C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe

PID 3536 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .
    PID 4968 | C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe | C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .
        PID 4176 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."

PID 5844 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe
    PID 1944 | C:\Windows\bjdsmbmguhojaftf.exe | bjdsmbmguhojaftf.exe

PID 5000 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .
    PID 4500 | C:\Windows\pbzsqjywofqpktlbtqlx.exe | pbzsqjywofqpktlbtqlx.exe .
        PID 2820 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

PID 1576 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe
    PID 1808 | C:\Windows\cnkczrfctjtrltkzqmg.exe | cnkczrfctjtrltkzqmg.exe

PID 1092 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe
    PID 5828 | C:\Windows\bjdsmbmguhojaftf.exe | bjdsmbmguhojaftf.exe

PID 3976 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .
    PID 5408 | C:\Windows\cnkczrfctjtrltkzqmg.exe | cnkczrfctjtrltkzqmg.exe .
        PID 5752 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

PID 6048 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .
    PID 3972 | C:\Windows\pbzsqjywofqpktlbtqlx.exe | pbzsqjywofqpktlbtqlx.exe .
        PID 2860 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

PID 3688 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe
    PID 4700 | C:\Windows\pbzsqjywofqpktlbtqlx.exe | pbzsqjywofqpktlbtqlx.exe

PID 3828 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe
    PID 4648 | C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe | C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

PID 5664 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe
    PID 5240 | C:\Windows\irmcxnzujxfbtzobq.exe | irmcxnzujxfbtzobq.exe

PID 1000 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .
    PID 4300 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 4496 | C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe | C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .
        PID 408 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

PID 5888 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .
    PID 1096 | C:\Windows\pbzsqjywofqpktlbtqlx.exe | pbzsqjywofqpktlbtqlx.exe .
        PID 756 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

PID 5592 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .
    PID 920 | C:\Windows\erqkjdtsldpplvofywsfe.exe | erqkjdtsldpplvofywsfe.exe .
        PID 5124 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

PID 808 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe
    PID 1860 | C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe | C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

PID 996 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .
    PID 4960 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 2832 | C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe | C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .
        PID 1364 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

PID 5744 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe
    PID 2768 | C:\Windows\rbxokbokapyvovlzpk.exe | rbxokbokapyvovlzpk.exe

PID 3956 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe
    PID 972 | C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe | C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

PID 6072 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .
    PID 744 | C:\Windows\irmcxnzujxfbtzobq.exe | irmcxnzujxfbtzobq.exe .
        PID 2112 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."

PID 5068 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .
    PID 4268 | C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe | C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .
        PID 1652 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

PID 5528 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe
    PID 5836 | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

PID 4048 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe
    PID 1796 | C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe | C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

PID 4844 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .
    PID 4376 | C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe | C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .
        PID 2108 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."

PID 6092 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .
    PID 4712 | C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe | C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .
        PID 1516 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

PID 6088 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe
    PID 5716 | C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe | C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe

PID 1864 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .
    PID 4224 | C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe | C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .
        PID 5552 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

PID 5756 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe
    PID 4912 | C:\Windows\bjdsmbmguhojaftf.exe | bjdsmbmguhojaftf.exe

PID 5028 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .
    PID 4992 | C:\Windows\erqkjdtsldpplvofywsfe.exe | erqkjdtsldpplvofywsfe.exe .
        PID 5164 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

PID 6036 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe
    PID 5388 | C:\Windows\rbxokbokapyvovlzpk.exe | rbxokbokapyvovlzpk.exe

PID 3512 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .
    PID 5956 | C:\Windows\pbzsqjywofqpktlbtqlx.exe | pbzsqjywofqpktlbtqlx.exe .
        PID 5640 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

PID 1980 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe
    PID 4596 | C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe | C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

PID 3696 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .
    PID 4976 | C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe | C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .
        PID 5224 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

PID 2924 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe
    PID 2820 | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

PID 4848 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .
    PID 4732 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 6064 | C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe | C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .
        PID 456 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."

PID 5128 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe
    PID 3972 | C:\Windows\pbzsqjywofqpktlbtqlx.exe | pbzsqjywofqpktlbtqlx.exe

PID 3352 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .
    PID 4644 | C:\Windows\rbxokbokapyvovlzpk.exe | rbxokbokapyvovlzpk.exe .
        PID 3688 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."

PID 6136 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe
    PID 5400 | C:\Windows\rbxokbokapyvovlzpk.exe | rbxokbokapyvovlzpk.exe

PID 4916 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .
    PID 5392 | C:\Windows\pbzsqjywofqpktlbtqlx.exe | pbzsqjywofqpktlbtqlx.exe .
        PID 4560 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

PID 3996 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe
    PID 972 | C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe | C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

PID 4756 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .
    PID 224 | C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe | C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .
        PID 1096 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

PID 4852 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe
    PID 5904 | C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe | C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

PID 2832 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .
    PID 5944 | C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe | C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .
        PID 1132 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

PID 4252 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe
    PID 5524 | C:\Windows\bjdsmbmguhojaftf.exe | bjdsmbmguhojaftf.exe

PID 5504 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .
    PID 3012 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 700 | C:\Windows\bjdsmbmguhojaftf.exe | bjdsmbmguhojaftf.exe .
        PID 5004 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

PID 3880 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe
    PID 5532 | C:\Windows\bjdsmbmguhojaftf.exe | bjdsmbmguhojaftf.exe

PID 5260 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .
    PID 428 | C:\Windows\irmcxnzujxfbtzobq.exe | irmcxnzujxfbtzobq.exe .
        PID 5232 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."

PID 5064 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe
    PID 3164 | C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe | C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

PID 6084 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .
    PID 676 | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .
        PID 4904 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

PID 4324 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe
    PID 2996 | C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe | C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

PID 4000 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .
    PID 5984 | C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe | C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .
        PID 4536 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

PID 2180 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe
    PID 3496 | C:\Windows\bjdsmbmguhojaftf.exe | bjdsmbmguhojaftf.exe

PID 1940 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .
    PID 1436 | C:\Windows\pbzsqjywofqpktlbtqlx.exe | pbzsqjywofqpktlbtqlx.exe .
        PID 5352 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

PID 2824 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe
    PID 2288 | C:\Windows\cnkczrfctjtrltkzqmg.exe | cnkczrfctjtrltkzqmg.exe

PID 3828 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .
    PID 4472 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 3180 | C:\Windows\cnkczrfctjtrltkzqmg.exe | cnkczrfctjtrltkzqmg.exe .
        PID 1836 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

PID 3492 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe
    PID 5108 | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

PID 4320 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .
    PID 3916 | C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe | C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .
        PID 3836 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."

PID 3144 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe
    PID 4984 | C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe | C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

PID 4256 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .
    PID 932 | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .
        PID 3824 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

PID 6032 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe
    PID 2820 | C:\Windows\erqkjdtsldpplvofywsfe.exe | erqkjdtsldpplvofywsfe.exe

PID 4392 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .
    PID 2924 | C:\Windows\rbxokbokapyvovlzpk.exe | rbxokbokapyvovlzpk.exe .
        PID 4732 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."

PID 1364 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe
    PID 5296 | C:\Windows\pbzsqjywofqpktlbtqlx.exe | pbzsqjywofqpktlbtqlx.exe

PID 6028 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .
    PID 2860 | C:\Windows\pbzsqjywofqpktlbtqlx.exe | pbzsqjywofqpktlbtqlx.exe .
        PID 6048 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."

PID 5752 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe
    PID 2152 | C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe | C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe

PID 4888 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .
    PID 3352 | C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe | C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .
        PID 6080 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

PID 4908 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe
    PID 1344 | C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe | C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

PID 808 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .
    PID 2736 | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .
        PID 4696 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

PID 224 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe
    PID 408 | C:\Windows\bjdsmbmguhojaftf.exe | bjdsmbmguhojaftf.exe

PID 3508 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .
    PID 5484 | C:\Windows\irmcxnzujxfbtzobq.exe | irmcxnzujxfbtzobq.exe .
        PID 6096 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."

PID 1268 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe
    PID 636 | C:\Windows\irmcxnzujxfbtzobq.exe | irmcxnzujxfbtzobq.exe

PID 2192 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .
    PID 5592 | C:\Windows\erqkjdtsldpplvofywsfe.exe | erqkjdtsldpplvofywsfe.exe .
        PID 4988 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."

PID 5888 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe
    PID 5532 | C:\Windows\irmcxnzujxfbtzobq.exe | irmcxnzujxfbtzobq.exe

PID 3128 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe
    PID 1708 | C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe | C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

PID 3416 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .
    PID 5084 | C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe | C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .
        PID 5652 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

PID 700 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .
    PID 6088 | C:\Windows\cnkczrfctjtrltkzqmg.exe | cnkczrfctjtrltkzqmg.exe .
        PID 5260 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

PID 4684 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe
    PID 3444 | C:\Windows\pbzsqjywofqpktlbtqlx.exe | pbzsqjywofqpktlbtqlx.exe

PID 5184 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe
    PID 4224 | C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe | C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe

PID 3420 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .
    PID 3496 | C:\Windows\bjdsmbmguhojaftf.exe | bjdsmbmguhojaftf.exe .
        PID 1952 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

PID 676 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .
    PID 2180 | C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe | C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .
        PID 2196 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."

PID 1652 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe
    PID 5276 | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe

PID 2532 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe
    PID 4412 | C:\Windows\irmcxnzujxfbtzobq.exe | irmcxnzujxfbtzobq.exe

PID 2096 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .
    PID 2404 | C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe | C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe .
        PID 4984 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\rbxokbokapyvovlzpk.exe*."

PID 1864 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .
    PID 2156 | C:\Windows\cnkczrfctjtrltkzqmg.exe | cnkczrfctjtrltkzqmg.exe .
        PID 4536 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."

PID 1128 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe
    PID 2988 | C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe | C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

PID 1452 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .
    PID 2368 | C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe | C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .
        PID 1860 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."

PID 1940 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe
    PID 3084 | C:\Windows\cnkczrfctjtrltkzqmg.exe | cnkczrfctjtrltkzqmg.exe

PID 5080 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .
    PID 1576 | C:\Windows\bjdsmbmguhojaftf.exe | bjdsmbmguhojaftf.exe .
        PID 3004 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."

PID 5164 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe
    PID 804 | C:\Windows\pbzsqjywofqpktlbtqlx.exe | pbzsqjywofqpktlbtqlx.exe

PID 1772 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe
    PID 5608 | C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe | C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe

PID 5728 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .
    PID 4500 | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe | C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .
        PID 5012 | C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe | "C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."

PID 3456 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .
-
C:\Windows\rbxokbokapyvovlzpk.exerbxokbokapyvovlzpk.exe .2⤵PID:5416
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."3⤵PID:756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe1⤵PID:4664
-
C:\Windows\erqkjdtsldpplvofywsfe.exeerqkjdtsldpplvofywsfe.exe2⤵PID:3368
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe1⤵PID:3476
-
C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exeC:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe2⤵PID:5808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .1⤵PID:5044
-
C:\Windows\rbxokbokapyvovlzpk.exerbxokbokapyvovlzpk.exe .2⤵PID:2868
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."3⤵PID:760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .1⤵PID:3460
-
C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exeC:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .2⤵PID:5076
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\cnkczrfctjtrltkzqmg.exe*."3⤵PID:1068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe1⤵PID:1156
-
C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exeC:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe2⤵PID:5872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .1⤵PID:5296
-
C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exeC:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .2⤵PID:5400
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."3⤵PID:3108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe1⤵PID:3952
-
C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exeC:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe2⤵PID:2736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .1⤵PID:5244
-
C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exeC:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .2⤵PID:5536
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."3⤵PID:5644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe1⤵PID:5660
-
C:\Windows\rbxokbokapyvovlzpk.exerbxokbokapyvovlzpk.exe2⤵PID:2516
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .1⤵PID:4252
-
C:\Windows\bjdsmbmguhojaftf.exebjdsmbmguhojaftf.exe .2⤵PID:3728
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."3⤵PID:1040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe1⤵PID:1136
-
C:\Windows\cnkczrfctjtrltkzqmg.execnkczrfctjtrltkzqmg.exe2⤵PID:5092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .1⤵PID:744
-
C:\Windows\erqkjdtsldpplvofywsfe.exeerqkjdtsldpplvofywsfe.exe .2⤵PID:2920
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."3⤵PID:1228
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe1⤵PID:5612
-
C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exeC:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe2⤵PID:4460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .1⤵PID:1588
-
C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exeC:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .2⤵PID:2336
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."3⤵PID:5796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe1⤵PID:3880
-
C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exeC:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe2⤵PID:3204
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .1⤵PID:4772
-
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .2⤵PID:428
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."3⤵PID:512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe1⤵PID:2776
-
C:\Windows\erqkjdtsldpplvofywsfe.exeerqkjdtsldpplvofywsfe.exe2⤵PID:2904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .1⤵PID:4680
-
C:\Windows\cnkczrfctjtrltkzqmg.execnkczrfctjtrltkzqmg.exe .2⤵PID:3636
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."3⤵PID:1548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe1⤵PID:2180
-
C:\Windows\cnkczrfctjtrltkzqmg.execnkczrfctjtrltkzqmg.exe2⤵PID:1176
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .1⤵PID:1968
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4504
-
-
C:\Windows\rbxokbokapyvovlzpk.exerbxokbokapyvovlzpk.exe .2⤵PID:5876
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."3⤵PID:2096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe1⤵PID:1424
-
C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exeC:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe2⤵PID:852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .1⤵PID:5936
-
C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exeC:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .2⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."3⤵PID:1404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe1⤵PID:4392
-
C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exeC:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe2⤵PID:2024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .1⤵PID:5008
-
C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exeC:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .2⤵PID:4848
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."3⤵PID:828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe1⤵PID:932
-
C:\Windows\rbxokbokapyvovlzpk.exerbxokbokapyvovlzpk.exe2⤵PID:3576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .1⤵PID:5940
-
C:\Windows\cnkczrfctjtrltkzqmg.execnkczrfctjtrltkzqmg.exe .2⤵PID:2652
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."3⤵PID:3704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe1⤵PID:1092
-
C:\Windows\bjdsmbmguhojaftf.exebjdsmbmguhojaftf.exe2⤵PID:4860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .1⤵PID:5012
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5792
-
-
C:\Windows\pbzsqjywofqpktlbtqlx.exepbzsqjywofqpktlbtqlx.exe .2⤵PID:2460
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."3⤵PID:2108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe1⤵PID:4872
-
C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exeC:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe2⤵PID:2148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .1⤵PID:3536
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3740
-
-
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .2⤵PID:2736
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."3⤵PID:3648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe1⤵PID:972
-
C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exeC:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe2⤵PID:4308
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .1⤵PID:5076
-
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .2⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."3⤵PID:3460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe1⤵PID:2268
-
C:\Windows\cnkczrfctjtrltkzqmg.execnkczrfctjtrltkzqmg.exe2⤵PID:4640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe .1⤵PID:5264
-
C:\Windows\pbzsqjywofqpktlbtqlx.exepbzsqjywofqpktlbtqlx.exe .2⤵PID:3272
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\pbzsqjywofqpktlbtqlx.exe*."3⤵PID:5044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe1⤵PID:4740
-
C:\Windows\erqkjdtsldpplvofywsfe.exeerqkjdtsldpplvofywsfe.exe2⤵PID:5272
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .1⤵PID:5372
-
C:\Windows\rbxokbokapyvovlzpk.exerbxokbokapyvovlzpk.exe .2⤵PID:772
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."3⤵PID:2620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe1⤵PID:776
-
C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exeC:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe2⤵PID:2292
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .1⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .2⤵PID:4380
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."3⤵PID:4988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe1⤵PID:3856
-
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe2⤵PID:5136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .1⤵PID:5688
-
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .2⤵PID:5084
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\bjdsmbmguhojaftf.exe*."3⤵PID:5040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe1⤵PID:5744
-
C:\Windows\rbxokbokapyvovlzpk.exerbxokbokapyvovlzpk.exe2⤵PID:1588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .1⤵PID:2320
-
C:\Windows\erqkjdtsldpplvofywsfe.exeerqkjdtsldpplvofywsfe.exe .2⤵PID:4516
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."3⤵PID:732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe1⤵PID:1544
-
C:\Windows\pbzsqjywofqpktlbtqlx.exepbzsqjywofqpktlbtqlx.exe2⤵PID:6060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .1⤵PID:428
-
C:\Windows\bjdsmbmguhojaftf.exebjdsmbmguhojaftf.exe .2⤵PID:4468
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\bjdsmbmguhojaftf.exe*."3⤵PID:100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe1⤵PID:4772
-
C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exeC:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe2⤵PID:5024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .1⤵PID:532
-
C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exeC:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe .2⤵PID:5132
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\erqkjdtsldpplvofywsfe.exe*."3⤵PID:3636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe1⤵PID:6036
-
C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exeC:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe2⤵PID:4680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .1⤵PID:5856
-
C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exeC:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe .2⤵PID:448
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\irmcxnzujxfbtzobq.exe*."3⤵PID:5844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe1⤵PID:4824
-
C:\Windows\cnkczrfctjtrltkzqmg.execnkczrfctjtrltkzqmg.exe2⤵PID:3472
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe .1⤵PID:4536
-
C:\Windows\cnkczrfctjtrltkzqmg.execnkczrfctjtrltkzqmg.exe .2⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\cnkczrfctjtrltkzqmg.exe*."3⤵PID:1284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe1⤵PID:3296
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1132
-
-
C:\Windows\pbzsqjywofqpktlbtqlx.exepbzsqjywofqpktlbtqlx.exe2⤵PID:872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe1⤵PID:4032
-
C:\Windows\erqkjdtsldpplvofywsfe.exeerqkjdtsldpplvofywsfe.exe2⤵PID:5096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c rbxokbokapyvovlzpk.exe .1⤵PID:512
-
C:\Windows\rbxokbokapyvovlzpk.exerbxokbokapyvovlzpk.exe .2⤵PID:4968
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\rbxokbokapyvovlzpk.exe*."3⤵PID:3704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .1⤵PID:3192
-
C:\Windows\irmcxnzujxfbtzobq.exeirmcxnzujxfbtzobq.exe .2⤵PID:4124
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\irmcxnzujxfbtzobq.exe*."3⤵PID:1316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe1⤵PID:4364
-
C:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exeC:\Users\Admin\AppData\Local\Temp\irmcxnzujxfbtzobq.exe2⤵PID:3152
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .1⤵PID:960
-
C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exeC:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe .2⤵PID:2264
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\users\admin\appdata\local\temp\pbzsqjywofqpktlbtqlx.exe*."3⤵PID:5708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe1⤵PID:5784
-
C:\Windows\irmcxnzujxfbtzobq.exeirmcxnzujxfbtzobq.exe2⤵PID:4404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pbzsqjywofqpktlbtqlx.exe1⤵PID:4788
-
C:\Windows\pbzsqjywofqpktlbtqlx.exepbzsqjywofqpktlbtqlx.exe2⤵PID:5916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c erqkjdtsldpplvofywsfe.exe .1⤵PID:5824
-
C:\Windows\erqkjdtsldpplvofywsfe.exeerqkjdtsldpplvofywsfe.exe .2⤵PID:5852
-
C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe"C:\Users\Admin\AppData\Local\Temp\fvhhqxgupfr.exe" "c:\windows\erqkjdtsldpplvofywsfe.exe*."3⤵PID:4020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe1⤵PID:404
-
C:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exeC:\Users\Admin\AppData\Local\Temp\erqkjdtsldpplvofywsfe.exe2⤵PID:2012
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c irmcxnzujxfbtzobq.exe .1⤵PID:5012
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .1⤵PID:1252
-
C:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exeC:\Users\Admin\AppData\Local\Temp\bjdsmbmguhojaftf.exe .2⤵PID:4828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rbxokbokapyvovlzpk.exe1⤵PID:5468
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnkczrfctjtrltkzqmg.exe .1⤵PID:828
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cnkczrfctjtrltkzqmg.exe1⤵PID:5780
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bjdsmbmguhojaftf.exe .1⤵PID:3436
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pbzsqjywofqpktlbtqlx.exe1⤵PID:2712
Network
MITRE ATT&CK Enterprise v16 (technique counts from the report in parentheses)
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads