Analysis
- max time kernel: 43s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20250410-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/04/2025, 19:26
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_bad3aa8bfd42552d828c35c8202f43f6.exe
- Resource: win10v2004-20250410-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_bad3aa8bfd42552d828c35c8202f43f6.exe
- Resource: win11-20250410-en
General
- Target: JaffaCakes118_bad3aa8bfd42552d828c35c8202f43f6.exe
- Size: 596KB
- MD5: bad3aa8bfd42552d828c35c8202f43f6
- SHA1: 8e4baedd28bfa1b0cad3643a3dee24449a0a1df9
- SHA256: 395f67fccccbea1c99cb243f2ff7994bfc211a19b3e3b583be219265b060d828
- SHA512: ec58caa9b81e0f590f38b2592fab525b2f1efd3ab7fe89009dfc6bf8cf35c713d487f2ae9038175545261e3071901ec82699e302b07159de0543727c8a430421
- SSDEEP: 6144:1IXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUBoIgw4aRpgv6:1IXsgtvm1De5YlOx6lzBH46UBoFS
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 19 IoCs)
All 19 are the same write, Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe":
- tzjwwfytdjt.exe ×17
- jtsdfn.exe ×2
The data written is the stock shell name, under the 32-bit (WOW6432Node) view of the key, so the indicator here is that a dropped executable writes Winlogon\Shell at all, not the content of the value. The persistence that actually survives a reboot is in the Run, RunOnce and Policies\Explorer\Run entries further down.
Pykspa family

UAC bypass (3 TTPs, 28 IoCs)
All 28 are Set value (int) writes under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
  EnableLUA = "0"                   tzjwwfytdjt.exe ×17   jtsdfn.exe ×2
  ConsentPromptBehaviorUser = "0"   tzjwwfytdjt.exe ×1    jtsdfn.exe ×2
  ConsentPromptBehaviorAdmin = "0"  tzjwwfytdjt.exe ×1    jtsdfn.exe ×2
  PromptOnSecureDesktop = "0"       tzjwwfytdjt.exe ×1    jtsdfn.exe ×2
Writing HKLM\...\Policies\System needs an elevated token, so this is not a bypass of UAC in the auto-elevation sense but a switch-off by a process that already holds admin rights (the sandbox runs the sample as Admin). EnableLUA=0 disables UAC entirely after the next restart, ConsentPromptBehaviorAdmin=0 elevates administrators without any prompt, ConsentPromptBehaviorUser=0 silently denies elevation to standard users, and PromptOnSecureDesktop=0 takes whatever prompt remains off the secure desktop. Every later launch of a dropped copy then runs fully elevated with no consent dialog.
Detect Pykspa worm (2 IoCs)
YARA rule family_pykspa matched two dropped files:
- behavioral1/files/0x000b000000024068-4.dat
- behavioral1/files/0x000400000001e72f-80.dat
Adds policy Run key to start application (2 TTPs, 64 IoCs)
All 64 events are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, the Group Policy "run these programs at logon" location, which Explorer processes at logon alongside the ordinary Run keys but which autorun audits often overlook.
Key created (the Run key itself): tzjwwfytdjt.exe ×16, jtsdfn.exe ×2
Set value (str) jtsdfn = "<bare file name>":
- "wtfdsnifyjhvniqhila.exe": tzjwwfytdjt.exe ×1, jtsdfn.exe ×1
- "lhspdxrnfpmzqkrhhj.exe": tzjwwfytdjt.exe ×4, jtsdfn.exe ×2
- "vpytfxpjzhcncuzn.exe": tzjwwfytdjt.exe ×4, jtsdfn.exe ×2
- "cxhdqjcxoxtfvouji.exe": tzjwwfytdjt.exe ×4
- "jhutjfbztfetmirjlpfd.exe": tzjwwfytdjt.exe ×2
- "yxllczwvqddtnkunqvmlz.exe": tzjwwfytdjt.exe ×2, jtsdfn.exe ×2
Set value (str) ipl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\<file name>":
- vpytfxpjzhcncuzn.exe: tzjwwfytdjt.exe ×4, jtsdfn.exe ×1
- cxhdqjcxoxtfvouji.exe: tzjwwfytdjt.exe ×4
- jhutjfbztfetmirjlpfd.exe: tzjwwfytdjt.exe ×5, jtsdfn.exe ×1
- lhspdxrnfpmzqkrhhj.exe: tzjwwfytdjt.exe ×2, jtsdfn.exe ×2
- wtfdsnifyjhvniqhila.exe: tzjwwfytdjt.exe ×1, jtsdfn.exe ×1
- yxllczwvqddtnkunqvmlz.exe: jtsdfn.exe ×1
The two value names are rewritten over and over, each time pointing at a different dropped copy: the jtsdfn value holds a bare file name that is resolved by path search at logon, while ipl holds the full path into the user's Temp directory.
Disables RegEdit via registry modification (6 IoCs)
Set value (int) DisableRegistryTools = "1" under Policies\System:
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (all users): jtsdfn.exe ×2, tzjwwfytdjt.exe ×1
- \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (the sandbox user): jtsdfn.exe ×2, tzjwwfytdjt.exe ×1
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation
- vpytfxpjzhcncuzn.exe ×14
- wtfdsnifyjhvniqhila.exe ×12
- cxhdqjcxoxtfvouji.exe ×12
- yxllczwvqddtnkunqvmlz.exe ×10
- jhutjfbztfetmirjlpfd.exe ×9
- lhspdxrnfpmzqkrhhj.exe ×5
- tzjwwfytdjt.exe ×1
- JaffaCakes118_bad3aa8bfd42552d828c35c8202f43f6.exe ×1
The original sample and every dropped copy perform the read, which is what inflates the count to 64. On its own this read is low-signal (GetUserGeoID and many installers consult the same value); it carries weight only together with the rest of this report.
Executes dropped EXE (64 IoCs)
pid / process, grouped by image (the first process reported is 4128 tzjwwfytdjt.exe):
- tzjwwfytdjt.exe (20): 4128, 836, 1508, 1196, 3832, 552, 2828, 4436, 2296, 4188, 4888, 3196, 1000, 4868, 3380, 4596, 2680, 3664, 2752, 3308
- vpytfxpjzhcncuzn.exe (10): 760, 3068, 1856, 2856, 3424, 1688, 760, 620, 396, 392
- jhutjfbztfetmirjlpfd.exe (9): 1724, 4428, 1220, 5064, 3576, 2040, 4428, 1132, 5020
- yxllczwvqddtnkunqvmlz.exe (9): 1836, 5032, 4496, 3716, 2120, 1836, 1264, 4024, 3956
- cxhdqjcxoxtfvouji.exe (7): 5060, 4848, 3656, 1620, 1528, 464, 3476
- wtfdsnifyjhvniqhila.exe (6): 1944, 3628, 1620, 3048, 1140, 4364
- jtsdfn.exe (2): 2980, 4712
- lhspdxrnfpmzqkrhhj.exe (1): 724
PIDs 760, 1620, 1836 and 4428 each appear twice (1620 under two different images), so they are PIDs reused by short-lived processes within the 150 s run, not one long-lived process per PID; pivot on image and parent, not on PID, when correlating these with other telemetry.
Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
Key deleted under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal, all by jtsdfn.exe:
- iai2c.sys
- CBDHSvc
- UserManager
- SerCx2.sys
- ProfSvc
- Power
Entries under SafeBoot\Minimal are the only drivers and services Windows loads in Safe Mode. Removing ProfSvc (User Profile Service) and UserManager, both of which an interactive logon depends on, degrades or breaks Safe Mode as a recovery path for cleaning the machine.
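The Winlogon, UAC, DisableRegistryTools and SafeBoot events above all land in a handful of policy keys, so one small rule set covers them. The following is an added example, not Triage's own signature code: it evaluates Sysmon-style registry events (the Sysmon Event ID 12/13 field names EventType, TargetObject, Details and Image are assumed as the input format; SAMPLE_EVENTS is constructed to mirror this report's IoCs) and labels each hit with a MITRE ATT&CK technique ID chosen here. It folds the WOW6432Node view, the CurrentControlSet alias and the user SID so one rule matches every variant the report lists, and it accepts REG_DWORD data both as the report's bare number and as Sysmon's "DWORD (0x...)" rendering.

```python
"""Detection logic for the registry tampering attributed to tzjwwfytdjt.exe and
jtsdfn.exe in this report, over Sysmon-style registry events.

Added example for this page, not Triage's signature code. SAMPLE_EVENTS is
constructed to mirror the report's IoCs using Sysmon Event ID 12/13 field
names (EventType, TargetObject, Details, Image); the technique IDs are this
example's labels.
"""
import re

POLICY_SYSTEM = "\\software\\microsoft\\windows\\currentversion\\policies\\system\\"
WINLOGON_SHELL = "\\microsoft\\windows nt\\currentversion\\winlogon\\shell"
SAFEBOOT_MINIMAL = "\\system\\controlset001\\control\\safeboot\\minimal\\"

# Policies\System values whose observed data disables UAC or hides its prompts.
UAC_WEAKENING = {
    "enablelua": 0,                   # UAC off after the next restart
    "consentpromptbehavioradmin": 0,  # admins elevate with no prompt
    "consentpromptbehavioruser": 0,   # standard users are silently denied
    "promptonsecuredesktop": 0,       # any remaining prompt leaves the secure desktop
}

SID_RE = re.compile(r"^HKU\\S-1-5-21(?:-\d+)+\\", re.IGNORECASE)
DWORD_RE = re.compile(r"^(?:DWORD \(0x([0-9a-fA-F]+)\)|(\d+))$")


def normalize(target):
    """Fold the 32-bit WOW6432Node view, the CurrentControlSet alias and the
    user SID so one rule matches every variant the report lists."""
    t = re.sub(r"\\WOW6432Node(?=\\)", "", target, flags=re.IGNORECASE)
    t = re.sub(r"\\CurrentControlSet(?=\\)", r"\\ControlSet001", t, flags=re.IGNORECASE)
    return SID_RE.sub(r"HKU\\<SID>\\", t)


def as_int(details):
    """Parse REG_DWORD data in either the report's or Sysmon's rendering."""
    m = DWORD_RE.match(details.strip())
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))


def evaluate(events):
    """Return (technique, summary, image) for every event that matches a rule."""
    findings = []
    for ev in events:
        target = normalize(ev["TargetObject"])
        low = target.lower()
        name = target.rsplit("\\", 1)[-1]
        key = name.lower()
        image = ev["Image"]
        etype = ev["EventType"]
        if etype == "SetValue" and low.endswith(WINLOGON_SHELL):
            # The data is the stock shell name; the write itself, by a process
            # that has no business touching Winlogon, is the signal.
            findings.append(("T1547.004", f"Winlogon\\Shell written: {ev['Details']}", image))
        elif etype == "SetValue" and POLICY_SYSTEM in low:
            data = as_int(ev.get("Details", ""))
            if key in UAC_WEAKENING and data == UAC_WEAKENING[key]:
                findings.append(("T1548.002", f"UAC weakened: {name}={data}", image))
            elif key == "disableregistrytools" and data == 1:
                scope = "all users" if low.startswith("hklm") else "this user"
                findings.append(("T1112", f"regedit disabled for {scope}", image))
        elif etype == "DeleteKey" and SAFEBOOT_MINIMAL in low:
            findings.append(("T1562.009", f"SafeBoot\\Minimal entry removed: {name}", image))
    return findings


def by_image(findings):
    """Group technique IDs by the writing process, as the report's tables do."""
    out = {}
    for technique, _summary, image in findings:
        out.setdefault(image, set()).add(technique)
    return out


# Constructed events mirroring the report; paths use Sysmon's HKLM/HKU prefixes.
USER = r"HKU\S-1-5-21-3833542908-3750648139-3436651901-1000"
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": r"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "Explorer.exe"},
    {"EventType": "SetValue", "Image": r"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "0"},
    {"EventType": "SetValue", "Image": r"C:\Users\Admin\AppData\Local\Temp\jtsdfn.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000000)"},
    {"EventType": "SetValue", "Image": r"C:\Users\Admin\AppData\Local\Temp\jtsdfn.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop",
     "Details": "0"},
    {"EventType": "SetValue", "Image": r"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe",
     "TargetObject": USER + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
     "Details": "1"},
    {"EventType": "DeleteKey", "Image": r"C:\Users\Admin\AppData\Local\Temp\jtsdfn.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc"},
    # Two benign events: an admin re-enabling UAC, and an unrelated autorun value.
    {"EventType": "SetValue", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000001)"},
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\system32\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    for technique, summary, image in evaluate(SAMPLE_EVENTS):
        print(f"{technique:10} {summary:45} {image}")
```

The rules fire on the observed data values, so an administrator setting EnableLUA back to 1 (the seventh sample event) does not match; in production the Image field is the place to add an allow-list for management agents that legitimately push these policies.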
Adds Run key to start application (2 TTPs, 64 IoCs; the page is cut off after the 41st)
Set value (str) entries in the order reported. HKLM below stands for \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion and HKU for \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion:
1. HKLM\Run\vjmbhtftdf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtfdsnifyjhvniqhila.exe" jtsdfn.exe
2. HKLM\Run\vjmbhtftdf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhspdxrnfpmzqkrhhj.exe" tzjwwfytdjt.exe
3. HKLM\RunOnce\yhfpq = "cxhdqjcxoxtfvouji.exe ." jtsdfn.exe
4. HKLM\RunOnce\cprfkvgtc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxllczwvqddtnkunqvmlz.exe ." tzjwwfytdjt.exe
5. HKLM\Run\pxud = "vpytfxpjzhcncuzn.exe" jtsdfn.exe
6. HKU\RunOnce\yhfpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxhdqjcxoxtfvouji.exe ." jtsdfn.exe
7. HKU\Run\pxud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtfdsnifyjhvniqhila.exe" jtsdfn.exe
8. HKU\Run\pxud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxllczwvqddtnkunqvmlz.exe" tzjwwfytdjt.exe
9. HKU\Run\whhtwfo = "lhspdxrnfpmzqkrhhj.exe" tzjwwfytdjt.exe
10. HKLM\RunOnce\cprfkvgtc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtfdsnifyjhvniqhila.exe ." tzjwwfytdjt.exe
11. HKU\Run\pxud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtfdsnifyjhvniqhila.exe" tzjwwfytdjt.exe
12. HKU\RunOnce\yhfpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxllczwvqddtnkunqvmlz.exe ." tzjwwfytdjt.exe
13. HKLM\Run\pxud = "wtfdsnifyjhvniqhila.exe" tzjwwfytdjt.exe
14. HKLM\RunOnce\cprfkvgtc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxllczwvqddtnkunqvmlz.exe ." tzjwwfytdjt.exe
15. HKU\Run\pxud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxhdqjcxoxtfvouji.exe" jtsdfn.exe
16. HKLM\Run\pxud = "yxllczwvqddtnkunqvmlz.exe" jtsdfn.exe
17. HKLM\RunOnce\cprfkvgtc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vpytfxpjzhcncuzn.exe ." jtsdfn.exe
18. HKU\RunOnce\lxylpzjv = "lhspdxrnfpmzqkrhhj.exe ." jtsdfn.exe
19. HKLM\RunOnce\cprfkvgtc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtfdsnifyjhvniqhila.exe ." tzjwwfytdjt.exe
20. HKLM\RunOnce\cprfkvgtc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhspdxrnfpmzqkrhhj.exe ." tzjwwfytdjt.exe
21. HKLM\RunOnce\yhfpq = "cxhdqjcxoxtfvouji.exe ." tzjwwfytdjt.exe
22. HKU\RunOnce\yhfpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxllczwvqddtnkunqvmlz.exe ." tzjwwfytdjt.exe
23. HKU\Run\whhtwfo = "jhutjfbztfetmirjlpfd.exe" tzjwwfytdjt.exe
24. HKU\Run\pxud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxhdqjcxoxtfvouji.exe" tzjwwfytdjt.exe
25. HKLM\Run\pxud = "jhutjfbztfetmirjlpfd.exe" tzjwwfytdjt.exe
26. HKLM\RunOnce\cprfkvgtc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtfdsnifyjhvniqhila.exe ." tzjwwfytdjt.exe
27. HKU\RunOnce\yhfpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtfdsnifyjhvniqhila.exe ." tzjwwfytdjt.exe
28. HKU\RunOnce\lxylpzjv = "yxllczwvqddtnkunqvmlz.exe ." jtsdfn.exe
29. HKU\Run\pxud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxllczwvqddtnkunqvmlz.exe" tzjwwfytdjt.exe
30. HKU\RunOnce\yhfpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtfdsnifyjhvniqhila.exe ." tzjwwfytdjt.exe
31. HKU\Run\pxud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxllczwvqddtnkunqvmlz.exe" jtsdfn.exe
32. HKLM\Run\pxud = "wtfdsnifyjhvniqhila.exe" tzjwwfytdjt.exe
33. HKU\RunOnce\yhfpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vpytfxpjzhcncuzn.exe ." tzjwwfytdjt.exe
34. HKU\RunOnce\lxylpzjv = "jhutjfbztfetmirjlpfd.exe ." tzjwwfytdjt.exe
35. HKLM\Run\vjmbhtftdf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxhdqjcxoxtfvouji.exe" tzjwwfytdjt.exe
36. HKU\Run\whhtwfo = "lhspdxrnfpmzqkrhhj.exe" jtsdfn.exe
37. HKU\RunOnce\yhfpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhutjfbztfetmirjlpfd.exe ." tzjwwfytdjt.exe
38. HKLM\RunOnce\yhfpq = "jhutjfbztfetmirjlpfd.exe ." tzjwwfytdjt.exe
39. HKLM\RunOnce\cprfkvgtc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vpytfxpjzhcncuzn.exe ." tzjwwfytdjt.exe
40. HKLM\Run\pxud = "cxhdqjcxoxtfvouji.exe" jtsdfn.exe
41. HKLM\RunOnce\yhfpq = "wtfdsnifyjhvniqhila.exe ." (writing process missing; the page is cut off here and the remaining 23 IoCs are not on it)
A fixed set of value names (vjmbhtftdf, pxud, whhtwfo, yhfpq, cprfkvgtc, lxylpzjv) is rewritten repeatedly to point at whichever dropped copy was most recently written, across both the machine-wide (32-bit view) and per-user Run and RunOnce keys. Roughly half the values hold a bare file name rather than a full path, and the RunOnce values carry a lone "." argument; both traits are useful hunt criteria beyond the specific random names, which change per infection.
tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yhfpq = "vpytfxpjzhcncuzn.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pxud = "jhutjfbztfetmirjlpfd.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yhfpq = "wtfdsnifyjhvniqhila.exe ." jtsdfn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whhtwfo = "lhspdxrnfpmzqkrhhj.exe" jtsdfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vjmbhtftdf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhspdxrnfpmzqkrhhj.exe" jtsdfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pxud = "yxllczwvqddtnkunqvmlz.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whhtwfo = "yxllczwvqddtnkunqvmlz.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cprfkvgtc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxllczwvqddtnkunqvmlz.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yhfpq = "jhutjfbztfetmirjlpfd.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pxud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxllczwvqddtnkunqvmlz.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vjmbhtftdf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhutjfbztfetmirjlpfd.exe" jtsdfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yhfpq = "yxllczwvqddtnkunqvmlz.exe ." 
jtsdfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pxud = "cxhdqjcxoxtfvouji.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whhtwfo = "jhutjfbztfetmirjlpfd.exe" jtsdfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vjmbhtftdf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhutjfbztfetmirjlpfd.exe" jtsdfn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pxud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtfdsnifyjhvniqhila.exe" jtsdfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yhfpq = "cxhdqjcxoxtfvouji.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yhfpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxllczwvqddtnkunqvmlz.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yhfpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtfdsnifyjhvniqhila.exe ." tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pxud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yxllczwvqddtnkunqvmlz.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yhfpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhutjfbztfetmirjlpfd.exe ." 
jtsdfn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whhtwfo = "vpytfxpjzhcncuzn.exe" tzjwwfytdjt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\whhtwfo = "yxllczwvqddtnkunqvmlz.exe" tzjwwfytdjt.exe -
Checks whether UAC is enabled 1 TTPs 38 IoCs
description  ioc  Process  (occurrences)
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  tzjwwfytdjt.exe  (17)
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  jtsdfn.exe  (2)
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  tzjwwfytdjt.exe  (17)
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  jtsdfn.exe  (2)
Note: the Set value rows write EnableLUA to 0 rather than merely reading it. EnableLUA = 0 switches User Account Control off for every account on the host from the next logon onward, so the signature name "Checks whether UAC is enabled" understates what is happening here.
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users. EnableInstallerDetection = 0 disables UAC's heuristic detection of setup programs, so executables that look like installers are no longer offered an elevation prompt.
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"  tzjwwfytdjt.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"  jtsdfn.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"  jtsdfn.exe
-
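The three registry signatures above (Run/RunOnce autostart values, EnableLUA = 0, EnableInstallerDetection = 0) reduce to a few checks over the sandbox's "Set value" lines. The Python below is an added example written for this page, not code from the sandbox or from the sample: it parses lines in the format shown above, flags autostart values whose image is a bare file name (resolved through the loader's search path at logon, which matters because the same names are dropped into C:\Windows and C:\Windows\SysWOW64 further down this report) or sits under a user-writable directory, notes the trailing " ." argument, and reports UAC policy values written to anything other than 1. The Finding class, the marker and USER_WRITABLE lists and the two msiexec control lines are assumptions of the example; the first six sample lines are copied from the report.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the report's "Set value (<type>) <key>\<name> = "<data>" <process>"
# shape.  The first six lines are copied from the report; the last two are constructed
# benign controls (a vendor updater registered by msiexec) and are not report IoCs.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vjmbhtftdf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtfdsnifyjhvniqhila.exe" jtsdfn.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yhfpq = "cxhdqjcxoxtfvouji.exe ." jtsdfn.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pxud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxhdqjcxoxtfvouji.exe" jtsdfn.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" jtsdfn.exe',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tzjwwfytdjt.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate = "C:\\Program Files\\Vendor\\updater.exe" msiexec.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" msiexec.exe',
]

SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')

# Autostart locations the report shows being written (Run / RunOnce) plus the Winlogon
# values that are abused the same way.  Matched case-insensitively as path substrings.
AUTOSTART_MARKERS = (
    "\\currentversion\\run\\",
    "\\currentversion\\runonce\\",
    "\\currentversion\\winlogon\\",
)
# UAC policy values the sample writes, with the value a hardened host should carry.
UAC_POLICY_DEFAULTS = {
    "\\policies\\system\\enablelua": "1",
    "\\policies\\system\\enableinstallerdetection": "1",
}
# Directories any interactive user can write to (assumed list for this example).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")


@dataclass
class Finding:
    category: str      # "persistence" or "uac_tamper"
    key: str           # full registry path including the value name
    data: str          # value data with the report's doubled backslashes collapsed
    process: str       # writing process as the sandbox recorded it
    reasons: list = field(default_factory=list)


def parse_set_value(line):
    """Return (type, key, data, process) for a 'Set value' line, else None."""
    m = SET_VALUE_RE.match(line.strip())
    if not m:
        return None
    vtype, key, data, proc = m.groups()
    return vtype, key, data.replace("\\\\", "\\"), proc


def split_command(data):
    """Split an autostart value into (image, arguments).

    Assumption: the image ends at the first '.exe'; a value without '.exe' is
    treated as a bare image with no arguments.
    """
    idx = data.lower().find(".exe")
    if idx < 0:
        return data, ""
    return data[: idx + 4], data[idx + 4:].strip()


def classify(line):
    """Classify one sandbox registry line; returns a Finding or None."""
    parsed = parse_set_value(line)
    if parsed is None:
        return None
    _vtype, key, data, proc = parsed
    lkey = key.lower()
    name = key.rsplit("\\", 1)[-1]

    for suffix, secure in UAC_POLICY_DEFAULTS.items():
        if lkey.endswith(suffix) and data != secure:
            return Finding("uac_tamper", key, data, proc,
                           [f"{name} set to {data!r}; hardened value is {secure!r}"])

    if any(marker in lkey for marker in AUTOSTART_MARKERS):
        image, args = split_command(data)
        reasons = []
        if "\\" not in image:
            # A bare image name is resolved through the search path at logon, so
            # whichever same-named file sits first in that path (e.g. C:\Windows) runs.
            reasons.append("bare image name, resolved via the search path at logon")
        elif any(d in image.lower() for d in USER_WRITABLE):
            reasons.append("image lives in a user-writable directory")
        if args:
            reasons.append(f"unusual trailing argument {args!r}")
        if reasons:
            return Finding("persistence", key, data, proc, reasons)
    return None


def analyze(lines):
    return [f for f in map(classify, lines) if f is not None]


def summary(findings):
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.category}] {f.process}: {f.key} = {f.data!r}  ({'; '.join(f.reasons)})")
```

On the report's own rows this yields three persistence findings and two UAC tamper findings; the "Key value queried" row and the two msiexec controls produce nothing. The bare-name check is the one worth keeping in a production rule: a Run value of just "wtfdsnifyjhvniqhila.exe" only works because a file of that name is dropped into a directory on the search path, so the two signatures corroborate each other.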
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
20  www.showmyipaddress.com
28  whatismyipaddress.com
33  whatismyip.everdot.org
36  www.whatismyip.ca
42  whatismyip.everdot.org
-
Drops file in System32 directory 64 IoCs
description  ioc  Process  (occurrences)
File opened for modification  C:\Windows\SysWOW64\lhspdxrnfpmzqkrhhj.exe  tzjwwfytdjt.exe  (11)
File opened for modification  C:\Windows\SysWOW64\lhspdxrnfpmzqkrhhj.exe  jtsdfn.exe  (1)
File opened for modification  C:\Windows\SysWOW64\jhutjfbztfetmirjlpfd.exe  tzjwwfytdjt.exe  (5)
File opened for modification  C:\Windows\SysWOW64\jhutjfbztfetmirjlpfd.exe  jtsdfn.exe  (2)
File opened for modification  C:\Windows\SysWOW64\wtfdsnifyjhvniqhila.exe  tzjwwfytdjt.exe  (10)
File opened for modification  C:\Windows\SysWOW64\yxllczwvqddtnkunqvmlz.exe  tzjwwfytdjt.exe  (7)
File opened for modification  C:\Windows\SysWOW64\cxhdqjcxoxtfvouji.exe  tzjwwfytdjt.exe  (5)
File opened for modification  C:\Windows\SysWOW64\ppefxvttpdevqoztxdvvkl.exe  tzjwwfytdjt.exe  (7)
File opened for modification  C:\Windows\SysWOW64\ppefxvttpdevqoztxdvvkl.exe  jtsdfn.exe  (1)
File opened for modification  C:\Windows\SysWOW64\vpytfxpjzhcncuzn.exe  tzjwwfytdjt.exe  (12)
File opened for modification  C:\Windows\SysWOW64\vpytfxpjzhcncuzn.exe  jtsdfn.exe  (2)
File opened for modification  C:\Windows\SysWOW64\yhfpqxenspzzdkehujktrbcjqze.llp  jtsdfn.exe  (1)
-
Drops file in Program Files directory 4 IoCs
description  ioc  Process
File opened for modification  C:\Program Files (x86)\yhfpqxenspzzdkehujktrbcjqze.llp  jtsdfn.exe
File created  C:\Program Files (x86)\yhfpqxenspzzdkehujktrbcjqze.llp  jtsdfn.exe
File opened for modification  C:\Program Files (x86)\vpytfxpjzhcncuznllxravhzrlbjepewbpnnzt.xjb  jtsdfn.exe
File created  C:\Program Files (x86)\vpytfxpjzhcncuznllxravhzrlbjepewbpnnzt.xjb  jtsdfn.exe
-
Drops file in Windows directory 64 IoCs
description  ioc  Process  (occurrences)
File opened for modification  C:\Windows\jhutjfbztfetmirjlpfd.exe  tzjwwfytdjt.exe  (8)
File opened for modification  C:\Windows\jhutjfbztfetmirjlpfd.exe  jtsdfn.exe  (2)
File opened for modification  C:\Windows\cxhdqjcxoxtfvouji.exe  tzjwwfytdjt.exe  (8)
File opened for modification  C:\Windows\cxhdqjcxoxtfvouji.exe  jtsdfn.exe  (1)
File opened for modification  C:\Windows\vpytfxpjzhcncuzn.exe  tzjwwfytdjt.exe  (10)
File opened for modification  C:\Windows\vpytfxpjzhcncuzn.exe  jtsdfn.exe  (2)
File opened for modification  C:\Windows\lhspdxrnfpmzqkrhhj.exe  tzjwwfytdjt.exe  (7)
File opened for modification  C:\Windows\yxllczwvqddtnkunqvmlz.exe  tzjwwfytdjt.exe  (8)
File opened for modification  C:\Windows\yxllczwvqddtnkunqvmlz.exe  jtsdfn.exe  (2)
File opened for modification  C:\Windows\ppefxvttpdevqoztxdvvkl.exe  tzjwwfytdjt.exe  (6)
File opened for modification  C:\Windows\ppefxvttpdevqoztxdvvkl.exe  jtsdfn.exe  (1)
File opened for modification  C:\Windows\wtfdsnifyjhvniqhila.exe  tzjwwfytdjt.exe  (7)
File opened for modification  C:\Windows\vpytfxpjzhcncuznllxravhzrlbjepewbpnnzt.xjb  jtsdfn.exe  (1)
File created  C:\Windows\vpytfxpjzhcncuznllxravhzrlbjepewbpnnzt.xjb  jtsdfn.exe  (1)
-
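The two file-drop tables above show the same seven executables being written repeatedly under both C:\Windows and C:\Windows\SysWOW64, plus two oddly named data files (.llp, .xjb) under C:\Windows and C:\Program Files (x86). Writes into those directories need an administrative token, and with EnableLUA set to 0 as shown earlier an administrator's processes get that token without any prompt. The Python below is an added example for this page, not the sandbox's or the sample's code: it parses "File created" / "File opened for modification" lines, flags writes under protected roots by anything outside an assumed installer allowlist, flags extensions that do not belong there, groups drops by file name, and resolves a bare autostart image name against the directories that name was dropped into, using an assumed WOW64 search order. The sample rows are a subset of the report's rows plus two constructed benign controls.

```python
import ntpath
import re
from collections import defaultdict

FILE_EVENT_RE = re.compile(r"^(File created|File opened for modification) (.+) (\S+)$")

# Directories a standard user cannot write to.  Order matters: most specific first.
PROTECTED_ROOTS =  (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Writers that legitimately touch those directories.  Assumed allowlist; tune per estate.
TRUSTED_WRITERS = {"trustedinstaller.exe", "tiworker.exe", "msiexec.exe"}
# Extensions one expects to see written there; anything else is worth a second look.
EXPECTED_EXTENSIONS = {".exe", ".dll", ".sys", ".mui", ".dat", ".log"}
# Assumed resolution order for a bare image name launched by a 32-bit (WOW64) process:
# its System32 is redirected to SysWOW64, then C:\Windows is searched.
WOW64_SEARCH_DIRS = ("C:\\Windows\\SysWOW64", "C:\\Windows")

# Constructed sample: a subset of the (path, writer) pairs from the report above, plus
# two benign controls (TrustedInstaller, a temp-file write) that are not report IoCs.
SAMPLE_EVENTS = [
    r"File opened for modification C:\Windows\SysWOW64\lhspdxrnfpmzqkrhhj.exe tzjwwfytdjt.exe",
    r"File opened for modification C:\Windows\SysWOW64\wtfdsnifyjhvniqhila.exe tzjwwfytdjt.exe",
    r"File opened for modification C:\Windows\SysWOW64\yhfpqxenspzzdkehujktrbcjqze.llp jtsdfn.exe",
    r"File opened for modification C:\Windows\wtfdsnifyjhvniqhila.exe tzjwwfytdjt.exe",
    r"File opened for modification C:\Windows\lhspdxrnfpmzqkrhhj.exe tzjwwfytdjt.exe",
    r"File created C:\Program Files (x86)\vpytfxpjzhcncuznllxravhzrlbjepewbpnnzt.xjb jtsdfn.exe",
    r"File created C:\Windows\vpytfxpjzhcncuznllxravhzrlbjepewbpnnzt.xjb jtsdfn.exe",
    r"File opened for modification C:\Windows\System32\catroot2\edb.log TrustedInstaller.exe",
    r"File created C:\Users\Admin\AppData\Local\Temp\tmp1.dat notepad.exe",
]


def parse_file_event(line):
    """Return (action, path, process) for a file line, else None.  The process is the
    last whitespace-free token, so paths containing spaces are handled."""
    m = FILE_EVENT_RE.match(line.strip())
    return m.groups() if m else None


def protected_root(path):
    """The protected root the path falls under, or None."""
    lp = path.lower()
    for root in PROTECTED_ROOTS:
        if lp.startswith(root):
            return root
    return None


def suspicious_drops(lines):
    """Writes into protected directories by non-trusted processes, with reasons."""
    out = []
    for line in lines:
        parsed = parse_file_event(line)
        if parsed is None:
            continue
        action, path, proc = parsed
        root = protected_root(path)
        if root is None or proc.lower() in TRUSTED_WRITERS:
            continue
        reasons = [f"{action.lower()} under {root} by {proc}"]
        ext = ntpath.splitext(path)[1].lower()
        if ext not in EXPECTED_EXTENSIONS:
            reasons.append(f"unexpected extension {ext!r}")
        out.append((path, proc, reasons))
    return out


def drop_locations(lines):
    """Map each dropped file name (lower-cased) to the directories it was written into."""
    where = defaultdict(set)
    for line in lines:
        parsed = parse_file_event(line)
        if parsed and protected_root(parsed[1]):
            where[ntpath.basename(parsed[1]).lower()].add(ntpath.dirname(parsed[1]))
    return where


def resolve_bare_name(name, where, search_dirs=WOW64_SEARCH_DIRS):
    """Directory a bare autostart image name would resolve to, given the drops seen."""
    dirs = {d.lower() for d in where.get(name.lower(), ())}
    for d in search_dirs:
        if d.lower() in dirs:
            return d
    return None


if __name__ == "__main__":
    for path, proc, reasons in suspicious_drops(SAMPLE_EVENTS):
        print(f"{proc}: {path}  ({'; '.join(reasons)})")
    where = drop_locations(SAMPLE_EVENTS)
    print("wtfdsnifyjhvniqhila.exe resolves to", resolve_bare_name("wtfdsnifyjhvniqhila.exe", where))
```

The resolution step is what ties this table to the Run/RunOnce values earlier on the page: a value of just "wtfdsnifyjhvniqhila.exe" is satisfied by the copy in C:\Windows\SysWOW64 for a 32-bit process, so the bare-name autostart and the system-directory drop together form one persistence mechanism rather than two unrelated findings. The search order is an assumption of the example; on a real host confirm it from the launching process's bitness and PATH.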
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process  (occurrences)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wtfdsnifyjhvniqhila.exe  (12)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jhutjfbztfetmirjlpfd.exe  (12)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lhspdxrnfpmzqkrhhj.exe  (11)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cxhdqjcxoxtfvouji.exe  (10)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vpytfxpjzhcncuzn.exe  (9)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  yxllczwvqddtnkunqvmlz.exe  (9)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_bad3aa8bfd42552d828c35c8202f43f6.exe  (1)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process  (occurrences)
432  JaffaCakes118_bad3aa8bfd42552d828c35c8202f43f6.exe  (60)
4712  jtsdfn.exe  (4, in two pairs interleaved with the PID 432 entries)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4712 jtsdfn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (64 entries; each CreateProcess is logged three times, identical rows collapsed)
PID 432 wrote to memory of 4128 432 JaffaCakes118_bad3aa8bfd42552d828c35c8202f43f6.exe 88 (3x)
PID 2952 wrote to memory of 1724 2952 cmd.exe 91 (3x)
PID 4696 wrote to memory of 4428 4696 cmd.exe 94 (3x)
PID 4428 wrote to memory of 836 4428 jhutjfbztfetmirjlpfd.exe 95 (3x)
PID 4452 wrote to memory of 1220 4452 cmd.exe 100 (3x)
PID 4032 wrote to memory of 760 4032 cmd.exe 103 (3x)
PID 3092 wrote to memory of 3068 3092 cmd.exe 106 (3x)
PID 760 wrote to memory of 1508 760 vpytfxpjzhcncuzn.exe 107 (3x)
PID 5108 wrote to memory of 1944 5108 cmd.exe 108 (3x)
PID 1944 wrote to memory of 1196 1944 wtfdsnifyjhvniqhila.exe 111 (3x)
PID 1680 wrote to memory of 1836 1680 cmd.exe 207 (3x)
PID 4504 wrote to memory of 3628 4504 cmd.exe 115 (3x)
PID 3628 wrote to memory of 3832 3628 wtfdsnifyjhvniqhila.exe 116 (3x)
PID 4128 wrote to memory of 2980 4128 tzjwwfytdjt.exe 117 (3x)
PID 4128 wrote to memory of 4712 4128 tzjwwfytdjt.exe 118 (3x)
PID 2596 wrote to memory of 5032 2596 cmd.exe 125 (3x)
PID 4584 wrote to memory of 4496 4584 cmd.exe 210 (3x)
PID 1064 wrote to memory of 1620 1064 cmd.exe 281 (3x)
PID 2976 wrote to memory of 3048 2976 cmd.exe 131 (3x)
PID 1620 wrote to memory of 552 1620 wtfdsnifyjhvniqhila.exe 141 (3x)
PID 3048 wrote to memory of 2828 3048 wtfdsnifyjhvniqhila.exe 253 (3x)
PID 1664 wrote to memory of 1856 1664 cmd.exe 330 (1x, table cut off at 64 rows) -
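The rows above log every CreateProcess three times and name only the parent image, so the lineage that matters (the sample, PID 432, spawning tzjwwfytdjt.exe, which in turn starts the two jtsdfn.exe instances) has to be rebuilt from them. The Python below is an added example for this report, not sandbox output; the sample rows are a subset copied from the table above, and the regex assumes the row shape shown there.

```python
"""Rebuild parent->child lineage from "Suspicious use of WriteProcessMemory" rows.
Added example for this report, not part of the sandbox output."""
import re
from collections import defaultdict

# Constructed input: a subset of the report's rows, run together the way the
# page renders them.  Only the parent image is named in a row.
SAMPLE_ROWS = (
    "PID 432 wrote to memory of 4128 432 JaffaCakes118_bad3aa8bfd42552d828c35c8202f43f6.exe 88 "
    "PID 432 wrote to memory of 4128 432 JaffaCakes118_bad3aa8bfd42552d828c35c8202f43f6.exe 88 "
    "PID 432 wrote to memory of 4128 432 JaffaCakes118_bad3aa8bfd42552d828c35c8202f43f6.exe 88 "
    "PID 4128 wrote to memory of 2980 4128 tzjwwfytdjt.exe 117 "
    "PID 4128 wrote to memory of 4712 4128 tzjwwfytdjt.exe 118 "
    "PID 4696 wrote to memory of 4428 4696 cmd.exe 94 "
    "PID 4428 wrote to memory of 836 4428 jhutjfbztfetmirjlpfd.exe 95 "
)

# "PID <parent> wrote to memory of <child> <parent> <parent image> <target id>"
ROW_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P=parent) (?P<image>\S+) (?P<target>\d+)"
)


def parse_rows(text):
    """De-duplicated (parent_pid, child_pid, parent_image, target_id) tuples in report order."""
    seen, rows = set(), []
    for m in ROW_RE.finditer(text):
        row = (int(m["parent"]), int(m["child"]), m["image"], int(m["target"]))
        if row not in seen:
            seen.add(row)
            rows.append(row)
    return rows


def build_tree(rows):
    """Adjacency list of children per parent PID, plus the image name of every parent."""
    children, images = defaultdict(list), {}
    for parent, child, image, _ in rows:
        children[parent].append(child)
        images[parent] = image
    return children, images


def descendants(children, root):
    """All PIDs reachable from root (depth-first, root excluded)."""
    out, stack = [], [root]
    while stack:
        pid = stack.pop()
        for child in children.get(pid, []):
            out.append(child)
            stack.append(child)
    return out


def roots(rows):
    """Parents that never appear as a child: the top of each chain."""
    parents = {r[0] for r in rows}
    kids = {r[1] for r in rows}
    return sorted(parents - kids)


def render(children, images, root, depth=0):
    """Indented text tree; leaf images are unknown because rows only name parents."""
    lines = [f"{'  ' * depth}{root} {images.get(root, '?')}"]
    for child in children.get(root, []):
        lines.extend(render(children, images, child, depth + 1))
    return lines


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    children, images = build_tree(rows)
    for root in roots(rows):
        print("\n".join(render(children, images, root)))
```

PIDs are recycled during a 150-second run (the process list below shows 1620, 1836 and 4428 each used twice), so on the full table the de-duplication should also key on the target id, which is unique per spawn.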
System policy modification 1 TTPs 64 IoCs
description ioc Process (64 entries; identical rows collapsed and grouped by process, count in parentheses)
tzjwwfytdjt.exe (42 entries):
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System tzjwwfytdjt.exe (16x)
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer tzjwwfytdjt.exe (1x)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tzjwwfytdjt.exe (17x)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" tzjwwfytdjt.exe (1x)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" tzjwwfytdjt.exe (1x)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" tzjwwfytdjt.exe (1x)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" tzjwwfytdjt.exe (1x)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" tzjwwfytdjt.exe (1x)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" tzjwwfytdjt.exe (1x)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" tzjwwfytdjt.exe (1x)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" tzjwwfytdjt.exe (1x)
jtsdfn.exe (22 entries):
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System jtsdfn.exe (2x)
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer jtsdfn.exe (2x)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" jtsdfn.exe (2x)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" jtsdfn.exe (1x)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" jtsdfn.exe (2x)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" jtsdfn.exe (2x)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" jtsdfn.exe (2x)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" jtsdfn.exe (2x)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" jtsdfn.exe (2x)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" jtsdfn.exe (2x)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" jtsdfn.exe (2x)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" jtsdfn.exe (1x)
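The registry writes above are the substance of the "UAC bypass" and "Disables RegEdit" signatures: both droppers pin every UAC control under Policies\System to its weakest value. The Python below is an added example for this report, not part of the sandbox output. It parses rows in the shape shown above and compares each written value with the default that keeps UAC effective. The defaults table is an assumption of a stock Windows 10 configuration, which is why FilterAdministratorToken and ValidateAdminCodeSignatures (both 0 by default) come out as "reasserted default" rather than "weakened"; NoDriveTypeAutoRun is deliberately left out of the baseline and reported as unknown.

```python
"""Audit "System policy modification" rows against UAC-relevant defaults.
Added example for this report, not sandbox output.  The baseline is an
assumed stock Windows 10 configuration."""
import re
from collections import defaultdict

POLICIES = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"

# Constructed input: a subset of the report's rows, run together the way the
# page renders them.  "Key created" rows carry no value and are skipped.
SAMPLE_ROWS = (
    rf'Set value (int) {POLICIES}\System\PromptOnSecureDesktop = "0" jtsdfn.exe '
    rf'Key created {POLICIES}\System tzjwwfytdjt.exe '
    rf'Set value (int) {POLICIES}\System\EnableLUA = "0" tzjwwfytdjt.exe '
    rf'Set value (int) {POLICIES}\System\FilterAdministratorToken = "0" tzjwwfytdjt.exe '
    rf'Set value (int) {POLICIES}\System\ConsentPromptBehaviorUser = "0" jtsdfn.exe '
    rf'Set value (int) {POLICIES}\System\DisableRegistryTools = "1" jtsdfn.exe '
    rf'Set value (int) {POLICIES}\System\ValidateAdminCodeSignatures = "0" jtsdfn.exe '
    rf'Set value (int) {POLICIES}\Explorer\NoDriveTypeAutoRun = "1" jtsdfn.exe '
    rf'Set value (int) {POLICIES}\System\ConsentPromptBehaviorAdmin = "0" jtsdfn.exe '
    rf'Set value (int) {POLICIES}\System\EnableSecureUIAPaths = "0" tzjwwfytdjt.exe '
    rf'Set value (int) {POLICIES}\System\EnableVirtualization = "0" tzjwwfytdjt.exe '
    rf'Set value (int) {POLICIES}\System\FilterAdministratorToken = "0" jtsdfn.exe '
)

# 'Set value (int) <key>\<name> = "<value>" <process>'; the key is everything
# up to the last backslash, the value name has no backslash or whitespace.
ROW_RE = re.compile(
    r'Set value \((?:int|str)\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\\s]+)'
    r' = "(?P<value>[^"]*)" (?P<proc>\S+)'
)

# Value name -> (assumed Windows 10 default, effect of the value the sample writes).
BASELINE = {
    "EnableLUA": (1, "Admin Approval Mode (UAC) off after the next logon"),
    "ConsentPromptBehaviorAdmin": (5, "administrators elevate with no consent prompt"),
    "ConsentPromptBehaviorUser": (3, "standard users' elevation requests auto-denied"),
    "PromptOnSecureDesktop": (1, "UAC prompt drawn on the normal desktop, where it can be spoofed or automated"),
    "FilterAdministratorToken": (0, "built-in Administrator keeps a full token"),
    "EnableSecureUIAPaths": (1, "UIAccess programs accepted from non-secure paths"),
    "ValidateAdminCodeSignatures": (0, "no Authenticode check on executables that elevate"),
    "EnableVirtualization": (1, "file/registry virtualization for legacy apps off"),
    "DisableRegistryTools": (0, "regedit blocked for the interactive user"),
}


def audit(text):
    """One finding per 'Set value' row: does the written value differ from the baseline?"""
    findings = []
    for m in ROW_RE.finditer(text):
        raw = m["value"]
        value = int(raw) if raw.isdigit() else raw
        default, effect = BASELINE.get(m["name"], (None, "not in baseline"))
        findings.append({
            "process": m["proc"],
            "key": m["key"],
            "name": m["name"],
            "value": value,
            "default": default,
            "effect": effect,
            # None when the name is not in the baseline, so callers can tell
            # "unknown" apart from "matches default".
            "deviates": None if default is None else value != default,
        })
    return findings


def summary(findings):
    """Per process, the sorted value names it moved away from the baseline."""
    moved = defaultdict(set)
    for f in findings:
        if f["deviates"]:
            moved[f["process"]].add(f["name"])
    return {proc: sorted(names) for proc, names in moved.items()}


if __name__ == "__main__":
    results = audit(SAMPLE_ROWS)
    label = {True: "WEAKENED", False: "default ", None: "unknown "}
    for f in results:
        print(f'{label[f["deviates"]]} {f["process"]:<16} {f["name"]}={f["value"]}  ({f["effect"]})')
    print(summary(results))
```

The same BASELINE can be compared against the values on a suspect host (for example the output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`); EnableLUA=0 only takes effect at the next logon, so a machine that still shows UAC prompts after this sample ran is not evidence that the write failed.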
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bad3aa8bfd42552d828c35c8202f43f6.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bad3aa8bfd42552d828c35c8202f43f6.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_bad3aa8bfd42552d828c35c8202f43f6.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4128 -
C:\Users\Admin\AppData\Local\Temp\jtsdfn.exe"C:\Users\Admin\AppData\Local\Temp\jtsdfn.exe" "-C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2980
-
-
C:\Users\Admin\AppData\Local\Temp\jtsdfn.exe"C:\Users\Admin\AppData\Local\Temp\jtsdfn.exe" "-C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\jhutjfbztfetmirjlpfd.exejhutjfbztfetmirjlpfd.exe2⤵
- Executes dropped EXE
PID:1724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\jhutjfbztfetmirjlpfd.exejhutjfbztfetmirjlpfd.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\jhutjfbztfetmirjlpfd.exe*."3⤵
- Executes dropped EXE
PID:836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\jhutjfbztfetmirjlpfd.exejhutjfbztfetmirjlpfd.exe2⤵
- Executes dropped EXE
PID:1220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\vpytfxpjzhcncuzn.exevpytfxpjzhcncuzn.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vpytfxpjzhcncuzn.exe*."3⤵
- Executes dropped EXE
PID:1508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exeC:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe2⤵
- Executes dropped EXE
PID:3068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exeC:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\wtfdsnifyjhvniqhila.exe*."3⤵
- Executes dropped EXE
PID:1196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe1⤵
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exeC:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe2⤵
- Executes dropped EXE
PID:1836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exeC:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\wtfdsnifyjhvniqhila.exe*."3⤵
- Executes dropped EXE
PID:3832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\yxllczwvqddtnkunqvmlz.exeyxllczwvqddtnkunqvmlz.exe2⤵
- Executes dropped EXE
PID:4496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\yxllczwvqddtnkunqvmlz.exeyxllczwvqddtnkunqvmlz.exe2⤵
- Executes dropped EXE
PID:5032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\wtfdsnifyjhvniqhila.exewtfdsnifyjhvniqhila.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\wtfdsnifyjhvniqhila.exe*."3⤵
- Executes dropped EXE
PID:552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\wtfdsnifyjhvniqhila.exewtfdsnifyjhvniqhila.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\wtfdsnifyjhvniqhila.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe1⤵PID:4608
-
C:\Windows\cxhdqjcxoxtfvouji.execxhdqjcxoxtfvouji.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4848
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe1⤵PID:4852
-
C:\Windows\cxhdqjcxoxtfvouji.execxhdqjcxoxtfvouji.exe2⤵
- Executes dropped EXE
PID:5060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\vpytfxpjzhcncuzn.exevpytfxpjzhcncuzn.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1856 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vpytfxpjzhcncuzn.exe*."3⤵
- Executes dropped EXE
PID:3380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe .1⤵PID:4148
-
C:\Windows\yxllczwvqddtnkunqvmlz.exeyxllczwvqddtnkunqvmlz.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3716 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\yxllczwvqddtnkunqvmlz.exe*."3⤵
- Executes dropped EXE
PID:1000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe1⤵PID:744
-
C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exeC:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe2⤵
- Executes dropped EXE
PID:5064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe1⤵PID:4088
-
C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exeC:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe2⤵
- Executes dropped EXE
PID:3424
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .1⤵PID:2188
-
C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exeC:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2856 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vpytfxpjzhcncuzn.exe*."3⤵
- Executes dropped EXE
PID:3196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe .1⤵PID:2896
-
C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exeC:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3576 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\jhutjfbztfetmirjlpfd.exe*."3⤵
- Executes dropped EXE
PID:4868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe1⤵PID:2256
-
C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exeC:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe2⤵
- Executes dropped EXE
PID:2120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .1⤵PID:3220
-
C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exeC:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3656 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\cxhdqjcxoxtfvouji.exe*."3⤵
- Executes dropped EXE
PID:2296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe1⤵PID:4528
-
C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exeC:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe2⤵
- Executes dropped EXE
PID:1140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe .1⤵PID:812
-
C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:724 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lhspdxrnfpmzqkrhhj.exe*."3⤵
- Executes dropped EXE
PID:4188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe1⤵PID:4376
-
C:\Windows\jhutjfbztfetmirjlpfd.exejhutjfbztfetmirjlpfd.exe2⤵
- Executes dropped EXE
PID:2040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe .1⤵PID:3684
-
C:\Windows\cxhdqjcxoxtfvouji.execxhdqjcxoxtfvouji.exe .2⤵
- Executes dropped EXE
PID:1620 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\cxhdqjcxoxtfvouji.exe*."3⤵
- Executes dropped EXE
PID:4436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe1⤵PID:2008
-
C:\Windows\yxllczwvqddtnkunqvmlz.exeyxllczwvqddtnkunqvmlz.exe2⤵
- Executes dropped EXE
PID:1836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe .1⤵PID:1384
-
C:\Windows\vpytfxpjzhcncuzn.exevpytfxpjzhcncuzn.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:620 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vpytfxpjzhcncuzn.exe*."3⤵
- Executes dropped EXE
PID:2680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe1⤵PID:4064
-
C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exeC:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe2⤵
- Executes dropped EXE
PID:1528
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .1⤵PID:1612
-
C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exeC:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vpytfxpjzhcncuzn.exe*."3⤵
- Executes dropped EXE
PID:4888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe1⤵PID:4936
-
C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exeC:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe2⤵
- Executes dropped EXE
PID:760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe .1⤵PID:68
-
C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exeC:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4428 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\jhutjfbztfetmirjlpfd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe1⤵PID:3068
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2040
-
-
C:\Windows\vpytfxpjzhcncuzn.exevpytfxpjzhcncuzn.exe2⤵
- Executes dropped EXE
PID:396
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe .1⤵PID:1512
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1836
-
-
C:\Windows\yxllczwvqddtnkunqvmlz.exeyxllczwvqddtnkunqvmlz.exe .2⤵
- Executes dropped EXE
PID:1264 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\yxllczwvqddtnkunqvmlz.exe*."3⤵
- Executes dropped EXE
PID:3664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe1⤵PID:3960
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4496
-
-
C:\Windows\jhutjfbztfetmirjlpfd.exejhutjfbztfetmirjlpfd.exe2⤵
- Executes dropped EXE
PID:1132
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe .1⤵PID:1256
-
C:\Windows\vpytfxpjzhcncuzn.exevpytfxpjzhcncuzn.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:392 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vpytfxpjzhcncuzn.exe*."3⤵
- Executes dropped EXE
PID:2752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe1⤵PID:1508
-
C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exeC:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe2⤵
- Executes dropped EXE
PID:4024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe1⤵PID:1620
-
C:\Windows\wtfdsnifyjhvniqhila.exewtfdsnifyjhvniqhila.exe2⤵
- Executes dropped EXE
PID:4364
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .1⤵PID:716
-
C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exeC:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:464 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\cxhdqjcxoxtfvouji.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3308
-
-
-
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe | PID:3868
  [2] C:\Windows\jhutjfbztfetmirjlpfd.exe | jhutjfbztfetmirjlpfd.exe | PID:5020
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe . | PID:228
  [2] C:\Windows\yxllczwvqddtnkunqvmlz.exe | yxllczwvqddtnkunqvmlz.exe . | PID:3956
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\yxllczwvqddtnkunqvmlz.exe*." | PID:4428

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe . | PID:1696
  [2] C:\Windows\cxhdqjcxoxtfvouji.exe | cxhdqjcxoxtfvouji.exe . | PID:3476
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\cxhdqjcxoxtfvouji.exe*." | PID:2540

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe | PID:1268
  [2] C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe | C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe | PID:3300

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c lhspdxrnfpmzqkrhhj.exe | PID:2856
  [2] C:\Windows\lhspdxrnfpmzqkrhhj.exe | lhspdxrnfpmzqkrhhj.exe | PID:3428
      - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe . | PID:1768
  [2] C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe | C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe . | PID:3452
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\yxllczwvqddtnkunqvmlz.exe*." | PID:4432

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe . | PID:3884
  [2] C:\Windows\jhutjfbztfetmirjlpfd.exe | jhutjfbztfetmirjlpfd.exe . | PID:1132
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\jhutjfbztfetmirjlpfd.exe*." | PID:4892

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c lhspdxrnfpmzqkrhhj.exe | PID:2644
  [2] C:\Windows\lhspdxrnfpmzqkrhhj.exe | lhspdxrnfpmzqkrhhj.exe | PID:3648

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c lhspdxrnfpmzqkrhhj.exe . | PID:4112
  [2] C:\Windows\lhspdxrnfpmzqkrhhj.exe | lhspdxrnfpmzqkrhhj.exe . | PID:4376
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lhspdxrnfpmzqkrhhj.exe*." | PID:3128

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe | PID:2896
  [2] C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe | C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe | PID:724

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe | PID:4660
  [2] C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe | C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe | PID:4472

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe . | PID:4844
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2828
  [2] C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe . | PID:1976
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\jhutjfbztfetmirjlpfd.exe*." | PID:1596
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe . | PID:4180
  [2] C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe | C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe . | PID:4364
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vpytfxpjzhcncuzn.exe*." | PID:4444

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe | PID:3512
  [2] C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe | C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe | PID:3712

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe | PID:4644
  [2] C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe | C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe | PID:1344

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe . | PID:4816
  [2] C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe | C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe . | PID:1620
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\wtfdsnifyjhvniqhila.exe*." | PID:2500

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe . | PID:3468
  [2] C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe | C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe . | PID:1924
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\cxhdqjcxoxtfvouji.exe*." | PID:1332

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe | PID:4524
  [2] C:\Windows\yxllczwvqddtnkunqvmlz.exe | yxllczwvqddtnkunqvmlz.exe | PID:3236

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe . | PID:928
  [2] C:\Windows\cxhdqjcxoxtfvouji.exe | cxhdqjcxoxtfvouji.exe . | PID:4428
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\cxhdqjcxoxtfvouji.exe*." | PID:3844

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe | PID:4480
  [2] C:\Windows\jhutjfbztfetmirjlpfd.exe | jhutjfbztfetmirjlpfd.exe | PID:4832

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe . | PID:5108
  [2] C:\Windows\wtfdsnifyjhvniqhila.exe | wtfdsnifyjhvniqhila.exe . | PID:4540
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\wtfdsnifyjhvniqhila.exe*." | PID:4500

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe | PID:2120
  [2] C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe | C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe | PID:5028

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe . | PID:2144
  [2] C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe | C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe . | PID:724
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\cxhdqjcxoxtfvouji.exe*." | PID:5044

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | PID:3916
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3712
  [2] C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | PID:2896

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe . | PID:760
  [2] C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe | C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe . | PID:808
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\wtfdsnifyjhvniqhila.exe*." | PID:3696
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe | PID:1352
  [2] C:\Windows\cxhdqjcxoxtfvouji.exe | cxhdqjcxoxtfvouji.exe | PID:4376

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe . | PID:1384
  [2] C:\Windows\yxllczwvqddtnkunqvmlz.exe | yxllczwvqddtnkunqvmlz.exe . | PID:2536
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\yxllczwvqddtnkunqvmlz.exe*." | PID:1584

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe | PID:1548
  [2] C:\Windows\yxllczwvqddtnkunqvmlz.exe | yxllczwvqddtnkunqvmlz.exe | PID:2552

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe . | PID:3304
  [2] C:\Windows\yxllczwvqddtnkunqvmlz.exe | yxllczwvqddtnkunqvmlz.exe . | PID:2952
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\yxllczwvqddtnkunqvmlz.exe*." | PID:968

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe | PID:4628
  [2] C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe | C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe | PID:2676

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe . | PID:1856
  [2] C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe | C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe . | PID:3992
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\wtfdsnifyjhvniqhila.exe*." | PID:1032

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe | PID:2984
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4428
  [2] C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe | C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe | PID:4468

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe . | PID:2412
  [2] C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe . | PID:5028
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\jhutjfbztfetmirjlpfd.exe*." | PID:3008
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe | PID:2120
  [2] C:\Windows\yxllczwvqddtnkunqvmlz.exe | yxllczwvqddtnkunqvmlz.exe | PID:4016

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe . | PID:208
  [2] C:\Windows\jhutjfbztfetmirjlpfd.exe | jhutjfbztfetmirjlpfd.exe . | PID:4680
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\jhutjfbztfetmirjlpfd.exe*." | PID:2652

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c lhspdxrnfpmzqkrhhj.exe | PID:4032
  [2] C:\Windows\lhspdxrnfpmzqkrhhj.exe | lhspdxrnfpmzqkrhhj.exe | PID:2568

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe . | PID:2896
  [2] C:\Windows\vpytfxpjzhcncuzn.exe | vpytfxpjzhcncuzn.exe . | PID:1344
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vpytfxpjzhcncuzn.exe*." | PID:3944

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | PID:3916
  [2] C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | PID:1628

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe . | PID:5052
  [2] C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe | C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe . | PID:4664
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vpytfxpjzhcncuzn.exe*." | PID:5048

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe | PID:2744
  [2] C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe | C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe | PID:3908

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe . | PID:3544
  [2] C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe | C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe . | PID:2320
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\yxllczwvqddtnkunqvmlz.exe*." | PID:3960
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe | PID:4504
  [2] C:\Windows\wtfdsnifyjhvniqhila.exe | wtfdsnifyjhvniqhila.exe | PID:904

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe . | PID:4064
  [2] C:\Windows\vpytfxpjzhcncuzn.exe | vpytfxpjzhcncuzn.exe . | PID:3576
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vpytfxpjzhcncuzn.exe*." | PID:2020

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe | PID:4608
  [2] C:\Windows\yxllczwvqddtnkunqvmlz.exe | yxllczwvqddtnkunqvmlz.exe | PID:1548

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe . | PID:4980
  [2] C:\Windows\yxllczwvqddtnkunqvmlz.exe | yxllczwvqddtnkunqvmlz.exe . | PID:1512
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\yxllczwvqddtnkunqvmlz.exe*." | PID:3992

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | PID:4188
  [2] C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | PID:3388

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe . | PID:1516
  [2] C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe | C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe . | PID:4452
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\yxllczwvqddtnkunqvmlz.exe*." | PID:2540

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe | PID:3648
  [2] C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe | C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe | PID:2092

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe . | PID:3468
  [2] C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe | C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe . | PID:5028
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lhspdxrnfpmzqkrhhj.exe*." | PID:232
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe | PID:4024
  [2] C:\Windows\cxhdqjcxoxtfvouji.exe | cxhdqjcxoxtfvouji.exe | PID:4928

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe . | PID:1668
  [2] C:\Windows\wtfdsnifyjhvniqhila.exe | wtfdsnifyjhvniqhila.exe . | PID:2144
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\wtfdsnifyjhvniqhila.exe*." | PID:4676

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe | PID:1824
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4540
  [2] C:\Windows\jhutjfbztfetmirjlpfd.exe | jhutjfbztfetmirjlpfd.exe | PID:2644

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c lhspdxrnfpmzqkrhhj.exe . | PID:5064
  [2] C:\Windows\lhspdxrnfpmzqkrhhj.exe | lhspdxrnfpmzqkrhhj.exe . | PID:4432
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lhspdxrnfpmzqkrhhj.exe*." | PID:4220

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | PID:1732
  [2] C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | PID:2132

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe . | PID:1132
  [2] C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe | C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe . | PID:4692
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lhspdxrnfpmzqkrhhj.exe*." | PID:4844

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe | PID:3604
  [2] C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe | C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe | PID:4528

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe . | PID:5092
  [2] C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe | C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe . | PID:3212
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\wtfdsnifyjhvniqhila.exe*." | PID:1508
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe | PID:2728
  [2] C:\Windows\wtfdsnifyjhvniqhila.exe | wtfdsnifyjhvniqhila.exe | PID:4376

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe . | PID:3512
  [2] C:\Windows\cxhdqjcxoxtfvouji.exe | cxhdqjcxoxtfvouji.exe . | PID:620
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\cxhdqjcxoxtfvouji.exe*." | PID:1548

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe | PID:2928
  [2] C:\Windows\jhutjfbztfetmirjlpfd.exe | jhutjfbztfetmirjlpfd.exe | PID:4104

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe . | PID:4420
  [2] C:\Windows\vpytfxpjzhcncuzn.exe | vpytfxpjzhcncuzn.exe . | PID:2008
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vpytfxpjzhcncuzn.exe*." | PID:4604

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | PID:5032
  [2] C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | PID:4980

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe . | PID:2952
  [2] C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe | C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe . | PID:1856
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vpytfxpjzhcncuzn.exe*." | PID:4936

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe | PID:2856
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2540
  [2] C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe | C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe | PID:2024

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe . | PID:2864
  [2] C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe | C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe . | PID:3660
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vpytfxpjzhcncuzn.exe*." | PID:2640
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe | PID:3468
  [2] C:\Windows\cxhdqjcxoxtfvouji.exe | cxhdqjcxoxtfvouji.exe | PID:736

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe | PID:3656
  [2] C:\Windows\vpytfxpjzhcncuzn.exe | vpytfxpjzhcncuzn.exe | PID:3644

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe . | PID:3052
  [2] C:\Windows\wtfdsnifyjhvniqhila.exe | wtfdsnifyjhvniqhila.exe . | PID:1824
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\wtfdsnifyjhvniqhila.exe*." | PID:3984

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe | PID:3112
  [2] C:\Windows\cxhdqjcxoxtfvouji.exe | cxhdqjcxoxtfvouji.exe | PID:1628

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe . | PID:1616
  [2] C:\Windows\jhutjfbztfetmirjlpfd.exe | jhutjfbztfetmirjlpfd.exe . | PID:1596
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\jhutjfbztfetmirjlpfd.exe*." | PID:3920

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe | PID:2632
  [2] C:\Windows\jhutjfbztfetmirjlpfd.exe | jhutjfbztfetmirjlpfd.exe | PID:3692

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe . | PID:3452
  [2] C:\Windows\wtfdsnifyjhvniqhila.exe | wtfdsnifyjhvniqhila.exe . | PID:2608
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\wtfdsnifyjhvniqhila.exe*." | PID:4532

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe . | PID:4584
  [2] C:\Windows\vpytfxpjzhcncuzn.exe | vpytfxpjzhcncuzn.exe . | PID:4980
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vpytfxpjzhcncuzn.exe*." | PID:1000

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe | PID:4692
  [2] C:\Windows\jhutjfbztfetmirjlpfd.exe | jhutjfbztfetmirjlpfd.exe | PID:4420

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe | PID:2348
  [2] C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe | C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe | PID:4024

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe . | PID:4528
  [2] C:\Windows\wtfdsnifyjhvniqhila.exe | wtfdsnifyjhvniqhila.exe . | PID:3868
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\wtfdsnifyjhvniqhila.exe*." | PID:4384
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe | PID:4852
  [2] C:\Windows\jhutjfbztfetmirjlpfd.exe | jhutjfbztfetmirjlpfd.exe | PID:3740

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe . | PID:952
  [2] C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe | C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe . | PID:2404
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lhspdxrnfpmzqkrhhj.exe*." | PID:4804

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | PID:1416
  [2] C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | PID:1364

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe . | PID:904
  [2] C:\Windows\cxhdqjcxoxtfvouji.exe | cxhdqjcxoxtfvouji.exe . | PID:812
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\cxhdqjcxoxtfvouji.exe*." | PID:3220

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe . | PID:2552
  [2] C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe | C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe . | PID:2956
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lhspdxrnfpmzqkrhhj.exe*." | PID:3984

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | PID:4768
  [2] C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | PID:736

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe . | PID:4872
  [2] C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe | C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe . | PID:3684
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\yxllczwvqddtnkunqvmlz.exe*." | PID:3424

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | PID:4884
  [2] C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | PID:2644

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe . | PID:4372
  [2] C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe | C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe . | PID:744
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\jhutjfbztfetmirjlpfd.exe*." | PID:3308

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe | PID:4876
  [2] C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe | C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe | PID:396

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe | PID:3960
  [2] C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe | C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe | PID:244

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe . | PID:2692
  [2] C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe | C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe . | PID:2632
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\cxhdqjcxoxtfvouji.exe*." | PID:1668

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe . | PID:4468
  [2] C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe | C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe . | PID:3404
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\yxllczwvqddtnkunqvmlz.exe*." | PID:1280
[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe | PID:2500
  [2] C:\Windows\vpytfxpjzhcncuzn.exe | vpytfxpjzhcncuzn.exe | PID:1616

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe . | PID:4604
  [2] C:\Windows\vpytfxpjzhcncuzn.exe | vpytfxpjzhcncuzn.exe . | PID:716
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vpytfxpjzhcncuzn.exe*." | PID:3028

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe | PID:840
  [2] C:\Windows\yxllczwvqddtnkunqvmlz.exe | yxllczwvqddtnkunqvmlz.exe | PID:1612

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe . | PID:3908
  [2] C:\Windows\jhutjfbztfetmirjlpfd.exe | jhutjfbztfetmirjlpfd.exe . | PID:4252
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\jhutjfbztfetmirjlpfd.exe*." | PID:1132

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe | PID:3428
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3236
  [2] C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe | C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe | PID:760

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe . | PID:2936
  [2] C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe | C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe . | PID:4964
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\cxhdqjcxoxtfvouji.exe*." | PID:1140

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe | PID:4644
  [2] C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe | C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe | PID:400

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe . | PID:2680
  [2] C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe | C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe . | PID:2340
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lhspdxrnfpmzqkrhhj.exe*." | PID:4356
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe | PID:2132
  [2] C:\Windows\jhutjfbztfetmirjlpfd.exe | jhutjfbztfetmirjlpfd.exe | PID:4088

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe . | PID:952
  [2] C:\Windows\wtfdsnifyjhvniqhila.exe | wtfdsnifyjhvniqhila.exe . | PID:3664
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe | "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\wtfdsnifyjhvniqhila.exe*." | PID:3960

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe | PID:1064
  [2] C:\Windows\cxhdqjcxoxtfvouji.exe | cxhdqjcxoxtfvouji.exe | PID:2260
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe .1⤵PID:388
-
C:\Windows\vpytfxpjzhcncuzn.exevpytfxpjzhcncuzn.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:436 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vpytfxpjzhcncuzn.exe*."3⤵PID:4632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe1⤵PID:4896
-
C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exeC:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe2⤵PID:3856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .1⤵PID:724
-
C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exeC:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4024 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\cxhdqjcxoxtfvouji.exe*."3⤵PID:3368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe1⤵PID:2452
-
C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exeC:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe2⤵PID:5028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe .1⤵PID:4504
-
C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exeC:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2188 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\jhutjfbztfetmirjlpfd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe1⤵PID:3028
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3452
-
-
C:\Windows\vpytfxpjzhcncuzn.exevpytfxpjzhcncuzn.exe2⤵PID:4928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe .1⤵PID:4980
-
C:\Windows\jhutjfbztfetmirjlpfd.exejhutjfbztfetmirjlpfd.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:760 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\jhutjfbztfetmirjlpfd.exe*."3⤵PID:400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lhspdxrnfpmzqkrhhj.exe1⤵PID:1844
-
C:\Windows\lhspdxrnfpmzqkrhhj.exelhspdxrnfpmzqkrhhj.exe2⤵PID:2400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe .1⤵PID:1840
-
C:\Windows\yxllczwvqddtnkunqvmlz.exeyxllczwvqddtnkunqvmlz.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4032 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\yxllczwvqddtnkunqvmlz.exe*."3⤵PID:1344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe1⤵PID:812
-
C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exeC:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe2⤵PID:3584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .1⤵PID:1872
-
C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exeC:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .2⤵
- Checks computer location settings
PID:5060 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\cxhdqjcxoxtfvouji.exe*."3⤵PID:3536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe1⤵PID:3036
-
C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exeC:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe2⤵PID:1264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .1⤵PID:3664
-
C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exeC:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .2⤵PID:2040
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vpytfxpjzhcncuzn.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe1⤵PID:3552
-
C:\Windows\jhutjfbztfetmirjlpfd.exejhutjfbztfetmirjlpfd.exe2⤵PID:4896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe .1⤵PID:1936
-
C:\Windows\wtfdsnifyjhvniqhila.exewtfdsnifyjhvniqhila.exe .2⤵PID:3920
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\wtfdsnifyjhvniqhila.exe*."3⤵PID:724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe1⤵PID:2928
-
C:\Windows\cxhdqjcxoxtfvouji.execxhdqjcxoxtfvouji.exe2⤵PID:2692
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe .1⤵PID:1616
-
C:\Windows\jhutjfbztfetmirjlpfd.exejhutjfbztfetmirjlpfd.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4452 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\jhutjfbztfetmirjlpfd.exe*."3⤵PID:3820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe1⤵PID:1240
-
C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exeC:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe2⤵PID:4944
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe .1⤵PID:1976
-
C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lhspdxrnfpmzqkrhhj.exe*."3⤵PID:2856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe1⤵PID:3028
-
C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exeC:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe2⤵PID:1724
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe .1⤵PID:3952
-
C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4964 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lhspdxrnfpmzqkrhhj.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe1⤵PID:840
-
C:\Windows\wtfdsnifyjhvniqhila.exewtfdsnifyjhvniqhila.exe2⤵PID:5092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe .1⤵PID:3208
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4384
-
-
C:\Windows\cxhdqjcxoxtfvouji.execxhdqjcxoxtfvouji.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\cxhdqjcxoxtfvouji.exe*."3⤵PID:812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe1⤵PID:2680
-
C:\Windows\vpytfxpjzhcncuzn.exevpytfxpjzhcncuzn.exe2⤵PID:4088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe .1⤵PID:4900
-
C:\Windows\yxllczwvqddtnkunqvmlz.exeyxllczwvqddtnkunqvmlz.exe .2⤵
- Checks computer location settings
PID:3916 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\yxllczwvqddtnkunqvmlz.exe*."3⤵PID:1160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe1⤵PID:3892
-
C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exeC:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe2⤵PID:4064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe .1⤵PID:4696
-
C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exeC:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4968 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\yxllczwvqddtnkunqvmlz.exe*."3⤵PID:2552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe1⤵PID:3844
-
C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exeC:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe2⤵PID:2608
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .1⤵PID:2040
-
C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exeC:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4176 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\wtfdsnifyjhvniqhila.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe1⤵PID:2632
-
C:\Windows\jhutjfbztfetmirjlpfd.exejhutjfbztfetmirjlpfd.exe2⤵PID:4160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe .1⤵PID:4024
-
C:\Windows\vpytfxpjzhcncuzn.exevpytfxpjzhcncuzn.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1220 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vpytfxpjzhcncuzn.exe*."3⤵PID:2460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe1⤵PID:3820
-
C:\Windows\yxllczwvqddtnkunqvmlz.exeyxllczwvqddtnkunqvmlz.exe2⤵PID:1612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe .1⤵PID:3212
-
C:\Windows\cxhdqjcxoxtfvouji.execxhdqjcxoxtfvouji.exe .2⤵
- Checks computer location settings
PID:4016 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\cxhdqjcxoxtfvouji.exe*."3⤵PID:3028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe1⤵PID:4836
-
C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe2⤵PID:1672
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .1⤵PID:4844
-
C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exeC:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4852 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\wtfdsnifyjhvniqhila.exe*."3⤵PID:1364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe1⤵PID:4764
-
C:\Windows\wtfdsnifyjhvniqhila.exewtfdsnifyjhvniqhila.exe2⤵PID:400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe1⤵PID:760
-
C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exeC:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe2⤵PID:1416
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe1⤵PID:4708
-
C:\Windows\jhutjfbztfetmirjlpfd.exejhutjfbztfetmirjlpfd.exe2⤵PID:1140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe .1⤵PID:2952
-
C:\Windows\cxhdqjcxoxtfvouji.execxhdqjcxoxtfvouji.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:464 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\cxhdqjcxoxtfvouji.exe*."3⤵PID:952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe .1⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exeC:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe .2⤵
- Checks computer location settings
PID:1756 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\jhutjfbztfetmirjlpfd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe .1⤵PID:4512
-
C:\Windows\vpytfxpjzhcncuzn.exevpytfxpjzhcncuzn.exe .2⤵
- Checks computer location settings
PID:3076 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vpytfxpjzhcncuzn.exe*."3⤵PID:1216
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe1⤵PID:4064
-
C:\Windows\yxllczwvqddtnkunqvmlz.exeyxllczwvqddtnkunqvmlz.exe2⤵PID:4768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lhspdxrnfpmzqkrhhj.exe .1⤵PID:1160
-
C:\Windows\lhspdxrnfpmzqkrhhj.exelhspdxrnfpmzqkrhhj.exe .2⤵PID:2692
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lhspdxrnfpmzqkrhhj.exe*."3⤵PID:3884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe1⤵PID:1792
-
C:\Windows\cxhdqjcxoxtfvouji.execxhdqjcxoxtfvouji.exe2⤵PID:1756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe1⤵PID:4528
-
C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exeC:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe2⤵PID:2632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe .1⤵PID:2608
-
C:\Windows\cxhdqjcxoxtfvouji.execxhdqjcxoxtfvouji.exe .2⤵
- Checks computer location settings
PID:4424 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\cxhdqjcxoxtfvouji.exe*."3⤵PID:4608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe .1⤵PID:4444
-
C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exeC:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe .2⤵PID:4432
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\yxllczwvqddtnkunqvmlz.exe*."3⤵PID:1516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe1⤵PID:4176
-
C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exeC:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe2⤵PID:4220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe .1⤵PID:436
-
C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1772 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lhspdxrnfpmzqkrhhj.exe*."3⤵PID:1948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe1⤵PID:3660
-
C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exeC:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe2⤵PID:1976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .1⤵PID:2092
-
C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exeC:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .2⤵
- Checks computer location settings
PID:3744 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\wtfdsnifyjhvniqhila.exe*."3⤵PID:2668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe1⤵PID:2460
-
C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe2⤵PID:3212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe1⤵PID:1612
-
C:\Windows\jhutjfbztfetmirjlpfd.exejhutjfbztfetmirjlpfd.exe2⤵PID:4804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .1⤵PID:4584
-
C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exeC:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .2⤵
- Checks computer location settings
PID:208 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\cxhdqjcxoxtfvouji.exe*."3⤵PID:1548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe .1⤵PID:552
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3944
-
-
C:\Windows\wtfdsnifyjhvniqhila.exewtfdsnifyjhvniqhila.exe .2⤵
- System Location Discovery: System Language Discovery
PID:396 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\wtfdsnifyjhvniqhila.exe*."3⤵PID:1264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe1⤵PID:4964
-
C:\Windows\yxllczwvqddtnkunqvmlz.exeyxllczwvqddtnkunqvmlz.exe2⤵PID:2968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lhspdxrnfpmzqkrhhj.exe .1⤵PID:2204
-
C:\Windows\lhspdxrnfpmzqkrhhj.exelhspdxrnfpmzqkrhhj.exe .2⤵PID:2580
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lhspdxrnfpmzqkrhhj.exe*."3⤵PID:680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe1⤵PID:5016
-
C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exeC:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe2⤵PID:1684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .1⤵PID:2112
-
C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exeC:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .2⤵PID:4668
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\wtfdsnifyjhvniqhila.exe*."3⤵PID:4548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe1⤵PID:704
-
C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exeC:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe2⤵PID:3576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe .1⤵PID:4372
-
C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4504 -
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lhspdxrnfpmzqkrhhj.exe*."3⤵PID:1192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe1⤵PID:4632
-
C:\Windows\jhutjfbztfetmirjlpfd.exejhutjfbztfetmirjlpfd.exe2⤵PID:3480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe .1⤵PID:3908
-
C:\Windows\cxhdqjcxoxtfvouji.execxhdqjcxoxtfvouji.exe .2⤵PID:4092
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\cxhdqjcxoxtfvouji.exe*."3⤵PID:3324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe1⤵PID:3644
-
C:\Windows\jhutjfbztfetmirjlpfd.exejhutjfbztfetmirjlpfd.exe2⤵PID:840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe .1⤵PID:1844
-
C:\Windows\vpytfxpjzhcncuzn.exevpytfxpjzhcncuzn.exe .2⤵PID:2340
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vpytfxpjzhcncuzn.exe*."3⤵PID:1364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe1⤵PID:1052
-
C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exeC:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe2⤵PID:1432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .1⤵PID:4616
-
C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exeC:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .2⤵PID:2828
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\cxhdqjcxoxtfvouji.exe*."3⤵PID:100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe1⤵PID:2212
-
C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exeC:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe2⤵PID:4696
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .1⤵PID:3208
-
C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exeC:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .2⤵PID:5016
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\wtfdsnifyjhvniqhila.exe*."3⤵PID:5084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe1⤵PID:2952
-
C:\Windows\vpytfxpjzhcncuzn.exevpytfxpjzhcncuzn.exe2⤵PID:1268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe .1⤵PID:4160
-
C:\Windows\wtfdsnifyjhvniqhila.exewtfdsnifyjhvniqhila.exe .2⤵PID:2600
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\wtfdsnifyjhvniqhila.exe*."3⤵PID:3784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe1⤵PID:3328
-
C:\Windows\wtfdsnifyjhvniqhila.exewtfdsnifyjhvniqhila.exe2⤵PID:3052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe .1⤵PID:1216
-
C:\Windows\vpytfxpjzhcncuzn.exevpytfxpjzhcncuzn.exe .2⤵PID:528
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vpytfxpjzhcncuzn.exe*."3⤵PID:3452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe1⤵PID:2972
-
C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exeC:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe2⤵PID:4504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .1⤵PID:736
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4680
-
-
C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exeC:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .2⤵PID:2348
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\wtfdsnifyjhvniqhila.exe*."3⤵PID:3552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe1⤵PID:4156
-
C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exeC:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe2⤵PID:3820
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .1⤵PID:4952
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4532
-
-
C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exeC:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .2⤵PID:2268
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\wtfdsnifyjhvniqhila.exe*."3⤵PID:400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe1⤵PID:4776
-
C:\Windows\vpytfxpjzhcncuzn.exevpytfxpjzhcncuzn.exe2⤵PID:4584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lhspdxrnfpmzqkrhhj.exe .1⤵PID:4468
-
C:\Windows\lhspdxrnfpmzqkrhhj.exelhspdxrnfpmzqkrhhj.exe .2⤵PID:1240
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lhspdxrnfpmzqkrhhj.exe*."3⤵PID:4944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lhspdxrnfpmzqkrhhj.exe1⤵PID:2340
-
C:\Windows\lhspdxrnfpmzqkrhhj.exelhspdxrnfpmzqkrhhj.exe2⤵PID:224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe .1⤵PID:1256
-
C:\Windows\jhutjfbztfetmirjlpfd.exejhutjfbztfetmirjlpfd.exe .2⤵PID:2864
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\jhutjfbztfetmirjlpfd.exe*."3⤵PID:3672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe1⤵PID:1696
-
C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exeC:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe2⤵PID:1280
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe .1⤵PID:4596
-
C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exeC:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe .2⤵PID:1700
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\jhutjfbztfetmirjlpfd.exe*."3⤵PID:1196
-
-
-
C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  PID 4424
    C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  PID 4032

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .  |  PID 4664
    C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .  |  PID 4080
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vpytfxpjzhcncuzn.exe*."  |  PID 4548

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe  |  PID 5060
    C:\Windows\cxhdqjcxoxtfvouji.exe  |  cxhdqjcxoxtfvouji.exe  |  PID 2896

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe .  |  PID 4928
    C:\Windows\jhutjfbztfetmirjlpfd.exe  |  jhutjfbztfetmirjlpfd.exe .  |  PID 2880
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\jhutjfbztfetmirjlpfd.exe*."  |  PID 716

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c lhspdxrnfpmzqkrhhj.exe  |  PID 620
    C:\Windows\lhspdxrnfpmzqkrhhj.exe  |  lhspdxrnfpmzqkrhhj.exe  |  PID 5044

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe .  |  PID 3544
    C:\Windows\yxllczwvqddtnkunqvmlz.exe  |  yxllczwvqddtnkunqvmlz.exe .  |  PID 2976
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\yxllczwvqddtnkunqvmlz.exe*."  |  PID 3692

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe  |  PID 4900
    C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe  |  C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe  |  PID 1772

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe .  |  PID 4224
    C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe  |  C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe .  |  PID 3740
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lhspdxrnfpmzqkrhhj.exe*."  |  PID 1724

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe  |  PID 3820
    C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe  |  C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe  |  PID 4472

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .  |  PID 4092
    C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe  |  C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .  |  PID 1924
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\cxhdqjcxoxtfvouji.exe*."  |  PID 1944

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe  |  PID 3468
    C:\Windows\wtfdsnifyjhvniqhila.exe  |  wtfdsnifyjhvniqhila.exe  |  PID 4220

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe .  |  PID 2296
    C:\Windows\wtfdsnifyjhvniqhila.exe  |  wtfdsnifyjhvniqhila.exe .  |  PID 4768
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\wtfdsnifyjhvniqhila.exe*."  |  PID 632

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe  |  PID 208
    C:\Windows\wtfdsnifyjhvniqhila.exe  |  wtfdsnifyjhvniqhila.exe  |  PID 1280

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe .  |  PID 1876
    C:\Windows\jhutjfbztfetmirjlpfd.exe  |  jhutjfbztfetmirjlpfd.exe .  |  PID 5016
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\jhutjfbztfetmirjlpfd.exe*."  |  PID 1852

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  PID 3920
    C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  PID 2008

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe .  |  PID 1512
    C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe  |  C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe .  |  PID 4596
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lhspdxrnfpmzqkrhhj.exe*."  |  PID 3660

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe  |  PID 4608
    C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe  |  C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe  |  PID 4908

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .  |  PID 3584
    C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe  |  C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .  |  PID 836
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\wtfdsnifyjhvniqhila.exe*."  |  PID 2600

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe  |  PID 4668
    C:\Windows\yxllczwvqddtnkunqvmlz.exe  |  yxllczwvqddtnkunqvmlz.exe  |  PID 1688

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe  |  PID 3388
    C:\Windows\jhutjfbztfetmirjlpfd.exe  |  jhutjfbztfetmirjlpfd.exe  |  PID 4888

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe .  |  PID 528
    C:\Windows\jhutjfbztfetmirjlpfd.exe  |  jhutjfbztfetmirjlpfd.exe .  |  PID 2348
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\jhutjfbztfetmirjlpfd.exe*."  |  PID 1856

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe  |  PID 3000
    C:\Windows\cxhdqjcxoxtfvouji.exe  |  cxhdqjcxoxtfvouji.exe  |  PID 2956

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe .  |  PID 4928
    C:\Windows\yxllczwvqddtnkunqvmlz.exe  |  yxllczwvqddtnkunqvmlz.exe .  |  PID 1160
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\yxllczwvqddtnkunqvmlz.exe*."  |  PID 3836

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe  |  PID 3452
    C:\Windows\vpytfxpjzhcncuzn.exe  |  vpytfxpjzhcncuzn.exe  |  PID 4952

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe .  |  PID 232
    C:\Windows\vpytfxpjzhcncuzn.exe  |  vpytfxpjzhcncuzn.exe .  |  PID 1668
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vpytfxpjzhcncuzn.exe*."  |  PID 1688

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe .  |  PID 3496
    C:\Windows\jhutjfbztfetmirjlpfd.exe  |  jhutjfbztfetmirjlpfd.exe .  |  PID 3304
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\jhutjfbztfetmirjlpfd.exe*."  |  PID 4432

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe  |  PID 4804
    C:\Windows\jhutjfbztfetmirjlpfd.exe  |  jhutjfbztfetmirjlpfd.exe  |  PID 4964

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe  |  PID 2668
    C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe  |  C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe  |  PID 1668

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe .  |  PID 1416
    C:\Windows\cxhdqjcxoxtfvouji.exe  |  cxhdqjcxoxtfvouji.exe .  |  PID 2256
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\cxhdqjcxoxtfvouji.exe*."  |  PID 3368

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe  |  PID 4584
    C:\Windows\jhutjfbztfetmirjlpfd.exe  |  jhutjfbztfetmirjlpfd.exe  |  PID 3308

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .  |  PID 3952
    C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe  |  C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .  |  PID 5048
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\wtfdsnifyjhvniqhila.exe*."  |  PID 1688

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  PID 4904
    C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  PID 4888

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c lhspdxrnfpmzqkrhhj.exe .  |  PID 5108
    C:\Windows\lhspdxrnfpmzqkrhhj.exe  |  lhspdxrnfpmzqkrhhj.exe .  |  PID 4160
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lhspdxrnfpmzqkrhhj.exe*."  |  PID 2692

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .  |  PID 3964
    C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .  |  PID 2412
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vpytfxpjzhcncuzn.exe*."  |  PID 1924

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  PID 1796
    C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  PID 4448

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  PID 100
    C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  PID 3656

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .  |  PID 1684
    C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .  |  PID 3884
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vpytfxpjzhcncuzn.exe*."  |  PID 3440

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe .  |  PID 1108
    C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe .  |  PID 4156
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\yxllczwvqddtnkunqvmlz.exe*."  |  PID 4320

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  PID 1268
    C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  PID 2400

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .  |  PID 3512
    C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .  |  PID 3820
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vpytfxpjzhcncuzn.exe*."  |  PID 3452

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe  |  PID 1948
    C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe  |  C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe  |  PID 4236

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .  |  PID 2676
    C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .  |  PID 1220
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vpytfxpjzhcncuzn.exe*."  |  PID 1012

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe  |  PID 3248
    C:\Windows\jhutjfbztfetmirjlpfd.exe  |  jhutjfbztfetmirjlpfd.exe  |  PID 2100

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c lhspdxrnfpmzqkrhhj.exe .  |  PID 1192
    C:\Windows\lhspdxrnfpmzqkrhhj.exe  |  lhspdxrnfpmzqkrhhj.exe .  |  PID 4804
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lhspdxrnfpmzqkrhhj.exe*."  |  PID 4432

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe  |  PID 448
    C:\Windows\jhutjfbztfetmirjlpfd.exe  |  jhutjfbztfetmirjlpfd.exe  |  PID 1800

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe .  |  PID 4496
    C:\Windows\jhutjfbztfetmirjlpfd.exe  |  jhutjfbztfetmirjlpfd.exe .  |  PID 2320
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\jhutjfbztfetmirjlpfd.exe*."  |  PID 2680

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  PID 2348
    C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  PID 232

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe .  |  PID 1724
    C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe .  |  PID 3684
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\yxllczwvqddtnkunqvmlz.exe*."  |  PID 1264

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  PID 1772
    C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  PID 4904

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .  |  PID 3912
    C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe  |  C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .  |  PID 4104
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\cxhdqjcxoxtfvouji.exe*."  |  PID 392

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe  |  PID 3884
    C:\Windows\vpytfxpjzhcncuzn.exe  |  vpytfxpjzhcncuzn.exe  |  PID 4836

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe .  |  PID 1256
    C:\Windows\wtfdsnifyjhvniqhila.exe  |  wtfdsnifyjhvniqhila.exe .  |  PID 2640
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\wtfdsnifyjhvniqhila.exe*."  |  PID 4696

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe  |  PID 1504
    C:\Windows\cxhdqjcxoxtfvouji.exe  |  cxhdqjcxoxtfvouji.exe  |  PID 1480

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe .  |  PID 1948
    C:\Windows\yxllczwvqddtnkunqvmlz.exe  |  yxllczwvqddtnkunqvmlz.exe .  |  PID 2984
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\yxllczwvqddtnkunqvmlz.exe*."  |  PID 1012

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  PID 4204
    C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID 4220
    C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  PID 1512

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe .  |  PID 4368
    C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe .  |  PID 1660
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\yxllczwvqddtnkunqvmlz.exe*."  |  PID 1428

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe  |  PID 1628
    C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe  |  C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe  |  PID 528

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .  |  PID 4964
    C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe  |  C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .  |  PID 4472
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\wtfdsnifyjhvniqhila.exe*."  |  PID 1328

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe  |  PID 4380
    C:\Windows\yxllczwvqddtnkunqvmlz.exe  |  yxllczwvqddtnkunqvmlz.exe  |  PID 2500

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe .  |  PID 836
    C:\Windows\cxhdqjcxoxtfvouji.exe  |  cxhdqjcxoxtfvouji.exe .  |  PID 3404
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\cxhdqjcxoxtfvouji.exe*."  |  PID 3908

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe  |  PID 4980
    C:\Windows\jhutjfbztfetmirjlpfd.exe  |  jhutjfbztfetmirjlpfd.exe  |  PID 2412

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe .  |  PID 4700
    C:\Windows\jhutjfbztfetmirjlpfd.exe  |  jhutjfbztfetmirjlpfd.exe .  |  PID 2348
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\jhutjfbztfetmirjlpfd.exe*."  |  PID 3684

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe  |  PID 2680
    C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe  |  C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe  |  PID 2020

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe .  |  PID 4088
    C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe .  |  PID 1664
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\yxllczwvqddtnkunqvmlz.exe*."  |  PID 2180

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  PID 436
    C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  PID 2132

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe .  |  PID 3208
    C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID 4104
    C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe .  |  PID 1620
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\yxllczwvqddtnkunqvmlz.exe*."  |  PID 4528

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c lhspdxrnfpmzqkrhhj.exe  |  PID 2144
    C:\Windows\lhspdxrnfpmzqkrhhj.exe  |  lhspdxrnfpmzqkrhhj.exe  |  PID 4440

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe .  |  PID 1064
    C:\Windows\vpytfxpjzhcncuzn.exe  |  vpytfxpjzhcncuzn.exe .  |  PID 4944
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vpytfxpjzhcncuzn.exe*."  |  PID 4148

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe  |  PID 4320
    C:\Windows\jhutjfbztfetmirjlpfd.exe  |  jhutjfbztfetmirjlpfd.exe  |  PID 4548

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe .  |  PID 3692
    C:\Windows\wtfdsnifyjhvniqhila.exe  |  wtfdsnifyjhvniqhila.exe .  |  PID 3412
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\wtfdsnifyjhvniqhila.exe*."  |  PID 2976

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe  |  PID 3512
    C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe  |  C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe  |  PID 1160

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .  |  PID 1676
    C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .  |  PID 952
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vpytfxpjzhcncuzn.exe*."  |  PID 880

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  PID 4472
    C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  PID 2208

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe .  |  PID 4964
    C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe .  |  PID 2260
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\yxllczwvqddtnkunqvmlz.exe*."  |  PID 1468

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe  |  PID 3404
    C:\Windows\cxhdqjcxoxtfvouji.exe  |  cxhdqjcxoxtfvouji.exe  |  PID 1508

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe .  |  PID 3656
    C:\Windows\vpytfxpjzhcncuzn.exe  |  vpytfxpjzhcncuzn.exe .  |  PID 4884
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vpytfxpjzhcncuzn.exe*."  |  PID 1264

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe  |  PID 68
    C:\Windows\vpytfxpjzhcncuzn.exe  |  vpytfxpjzhcncuzn.exe  |  PID 2880

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c lhspdxrnfpmzqkrhhj.exe .  |  PID 4496
    C:\Windows\lhspdxrnfpmzqkrhhj.exe  |  lhspdxrnfpmzqkrhhj.exe .  |  PID 2692
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lhspdxrnfpmzqkrhhj.exe*."  |  PID 4080

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe  |  PID 4452
    C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID 5092
    C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe  |  C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe  |  PID 3300

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .  |  PID 1584
    C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe  |  C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .  |  PID 3388
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\cxhdqjcxoxtfvouji.exe*."  |  PID 4848

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  PID 2744
    C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  PID 2552

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .  |  PID 544
    C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe  |  C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .  |  PID 100
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\cxhdqjcxoxtfvouji.exe*."  |  PID 2188

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c lhspdxrnfpmzqkrhhj.exe  |  PID 2144
    C:\Windows\lhspdxrnfpmzqkrhhj.exe  |  lhspdxrnfpmzqkrhhj.exe  |  PID 1216

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe .  |  PID 3584
    C:\Windows\yxllczwvqddtnkunqvmlz.exe  |  yxllczwvqddtnkunqvmlz.exe .  |  PID 4112
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\yxllczwvqddtnkunqvmlz.exe*."  |  PID 3788

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe  |  PID 3440
    C:\Windows\vpytfxpjzhcncuzn.exe  |  vpytfxpjzhcncuzn.exe  |  PID 1512

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe .  |  PID 2100
    C:\Windows\vpytfxpjzhcncuzn.exe  |  vpytfxpjzhcncuzn.exe .  |  PID 2608
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vpytfxpjzhcncuzn.exe*."  |  PID 2460

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe  |  PID 2676
    C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe  |  C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe  |  PID 2120

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .  |  PID 4084
    C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe  |  C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .  |  PID 5016
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\cxhdqjcxoxtfvouji.exe*."  |  PID 2540

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe  |  PID 1452
    C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe  |  C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe  |  PID 4804

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .  |  PID 1240
    C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe  |  C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .  |  PID 3092
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\cxhdqjcxoxtfvouji.exe*."  |  PID 4948

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe  |  PID 2928
    C:\Windows\wtfdsnifyjhvniqhila.exe  |  wtfdsnifyjhvniqhila.exe  |  PID 2404

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe .  |  PID 2968
    C:\Windows\jhutjfbztfetmirjlpfd.exe  |  jhutjfbztfetmirjlpfd.exe .  |  PID 448
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\jhutjfbztfetmirjlpfd.exe*."  |  PID 4844

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe  |  PID 1508
    C:\Windows\wtfdsnifyjhvniqhila.exe  |  wtfdsnifyjhvniqhila.exe  |  PID 2184

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe  |  PID 2536
    C:\Windows\cxhdqjcxoxtfvouji.exe  |  cxhdqjcxoxtfvouji.exe  |  PID 3496

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe  |  PID 4024
    C:\Windows\cxhdqjcxoxtfvouji.exe  |  cxhdqjcxoxtfvouji.exe  |  PID 3120

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe .  |  PID 3744
    C:\Windows\jhutjfbztfetmirjlpfd.exe  |  jhutjfbztfetmirjlpfd.exe .  |  PID 2192
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\jhutjfbztfetmirjlpfd.exe*."  |  PID 4944

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe .  |  PID 724
    C:\Windows\wtfdsnifyjhvniqhila.exe  |  wtfdsnifyjhvniqhila.exe .  |  PID 1620
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\wtfdsnifyjhvniqhila.exe*."  |  PID 1516

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe  |  PID 1664
    C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID 1132
    C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe  |  C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe  |  PID 2452

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe .  |  PID 3388
    C:\Windows\vpytfxpjzhcncuzn.exe  |  vpytfxpjzhcncuzn.exe .  |  PID 4628
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vpytfxpjzhcncuzn.exe*."  |  PID 5060

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c lhspdxrnfpmzqkrhhj.exe  |  PID 680
    C:\Windows\lhspdxrnfpmzqkrhhj.exe  |  lhspdxrnfpmzqkrhhj.exe  |  PID 812

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe .  |  PID 2212
    C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe  |  C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe .  |  PID 5068
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\jhutjfbztfetmirjlpfd.exe*."  |  PID 2568

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe .  |  PID 1796
    C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID 3984
    C:\Windows\yxllczwvqddtnkunqvmlz.exe  |  yxllczwvqddtnkunqvmlz.exe .  |  PID 4596
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\yxllczwvqddtnkunqvmlz.exe*."  |  PID 4516

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe  |  PID 3492
    C:\Windows\yxllczwvqddtnkunqvmlz.exe  |  yxllczwvqddtnkunqvmlz.exe  |  PID 1836

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  PID 544
    C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID 2632
    C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  PID 1644

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe .  |  PID 3536
    C:\Windows\yxllczwvqddtnkunqvmlz.exe  |  yxllczwvqddtnkunqvmlz.exe .  |  PID 2340
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\yxllczwvqddtnkunqvmlz.exe*."  |  PID 4908

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe  |  PID 620
    C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe  |  C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe  |  PID 3344

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe .  |  PID 4872
    C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe  |  C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe .  |  PID 3656
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lhspdxrnfpmzqkrhhj.exe*."  |  PID 4940

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .  |  PID 2932
    C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .  |  PID 396
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vpytfxpjzhcncuzn.exe*."  |  PID 928

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe  |  PID 3384
    C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe  |  C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe  |  PID 1528

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .  |  PID 1428
    C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .  |  PID 2640
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vpytfxpjzhcncuzn.exe*."  |  PID 1848

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  PID 1628
    C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  PID 228

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .  |  PID 3412
    C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe  |  C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe .  |  PID 2896
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\wtfdsnifyjhvniqhila.exe*."  |  PID 3000

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  PID 5108
    C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe  |  PID 2744

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe .  |  PID 4212
    C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe  |  C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe .  |  PID 3668
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\yxllczwvqddtnkunqvmlz.exe*."  |  PID 1108

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe  |  PID 2984
    C:\Windows\wtfdsnifyjhvniqhila.exe  |  wtfdsnifyjhvniqhila.exe  |  PID 4500

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe .  |  PID 392
    C:\Windows\jhutjfbztfetmirjlpfd.exe  |  jhutjfbztfetmirjlpfd.exe .  |  PID 3744
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\jhutjfbztfetmirjlpfd.exe*."  |  PID 3388

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c lhspdxrnfpmzqkrhhj.exe  |  PID 528
    C:\Windows\lhspdxrnfpmzqkrhhj.exe  |  lhspdxrnfpmzqkrhhj.exe  |  PID 4196

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe .  |  PID 4852
    C:\Windows\jhutjfbztfetmirjlpfd.exe  |  jhutjfbztfetmirjlpfd.exe .  |  PID 1380
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\jhutjfbztfetmirjlpfd.exe*."  |  PID 4516

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe  |  PID 4968
    C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe  |  C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe  |  PID 4884

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .  |  PID 3688
    C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe  |  C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .  |  PID 2120
        C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe  |  "C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\cxhdqjcxoxtfvouji.exe*."  |  PID 5068

C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe  |  PID 3004
    C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe  |  C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe  |  PID 1840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .1⤵PID:4440
-
C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exeC:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .2⤵PID:2976
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vpytfxpjzhcncuzn.exe*."3⤵PID:4976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe1⤵PID:3308
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2460
-
-
C:\Windows\wtfdsnifyjhvniqhila.exewtfdsnifyjhvniqhila.exe2⤵PID:1696
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lhspdxrnfpmzqkrhhj.exe .1⤵PID:3912
-
C:\Windows\lhspdxrnfpmzqkrhhj.exelhspdxrnfpmzqkrhhj.exe .2⤵PID:1872
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lhspdxrnfpmzqkrhhj.exe*."3⤵PID:2292
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe1⤵PID:68
-
C:\Windows\jhutjfbztfetmirjlpfd.exejhutjfbztfetmirjlpfd.exe2⤵PID:4940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe .1⤵PID:3404
-
C:\Windows\wtfdsnifyjhvniqhila.exewtfdsnifyjhvniqhila.exe .2⤵PID:116
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\wtfdsnifyjhvniqhila.exe*."3⤵PID:3944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe1⤵PID:3536
-
C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exeC:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe2⤵PID:4420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe .1⤵PID:3412
-
C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe .2⤵PID:4960
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lhspdxrnfpmzqkrhhj.exe*."3⤵PID:4876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe1⤵PID:3952
-
C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exeC:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe2⤵PID:2112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .1⤵PID:3132
-
C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exeC:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .2⤵PID:4680
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\cxhdqjcxoxtfvouji.exe*."3⤵PID:4084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe1⤵PID:2932
-
C:\Windows\jhutjfbztfetmirjlpfd.exejhutjfbztfetmirjlpfd.exe2⤵PID:3660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe .1⤵PID:3936
-
C:\Windows\wtfdsnifyjhvniqhila.exewtfdsnifyjhvniqhila.exe .2⤵PID:4080
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\wtfdsnifyjhvniqhila.exe*."3⤵PID:388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe1⤵PID:4600
-
C:\Windows\vpytfxpjzhcncuzn.exevpytfxpjzhcncuzn.exe2⤵PID:4612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe .1⤵PID:880
-
C:\Windows\cxhdqjcxoxtfvouji.execxhdqjcxoxtfvouji.exe .2⤵PID:4068
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\cxhdqjcxoxtfvouji.exe*."3⤵PID:3344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe1⤵PID:244
-
C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exeC:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe2⤵PID:4596
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe .1⤵PID:3328
-
C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exeC:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe .2⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\jhutjfbztfetmirjlpfd.exe*."3⤵PID:544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe1⤵PID:2120
-
C:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exeC:\Users\Admin\AppData\Local\Temp\wtfdsnifyjhvniqhila.exe2⤵PID:680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe .1⤵PID:4676
-
C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exeC:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe .2⤵PID:3004
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\jhutjfbztfetmirjlpfd.exe*."3⤵PID:2400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe1⤵PID:4112
-
C:\Windows\cxhdqjcxoxtfvouji.execxhdqjcxoxtfvouji.exe2⤵PID:3456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe .1⤵PID:3576
-
C:\Windows\cxhdqjcxoxtfvouji.execxhdqjcxoxtfvouji.exe .2⤵PID:1660
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\cxhdqjcxoxtfvouji.exe*."3⤵PID:1976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe1⤵PID:1188
-
C:\Windows\vpytfxpjzhcncuzn.exevpytfxpjzhcncuzn.exe2⤵PID:3028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe .1⤵PID:4188
-
C:\Windows\wtfdsnifyjhvniqhila.exewtfdsnifyjhvniqhila.exe .2⤵PID:3248
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\wtfdsnifyjhvniqhila.exe*."3⤵PID:3956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe1⤵PID:1040
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1160
-
-
C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exeC:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe2⤵PID:3672
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe .1⤵PID:3668
-
C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exeC:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe .2⤵PID:4452
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\jhutjfbztfetmirjlpfd.exe*."3⤵PID:3656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe1⤵PID:2956
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1364
-
-
C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exeC:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe2⤵PID:3412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .1⤵PID:3968
-
C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exeC:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .2⤵PID:2112
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vpytfxpjzhcncuzn.exe*."3⤵PID:4472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe1⤵PID:4680
-
C:\Windows\wtfdsnifyjhvniqhila.exewtfdsnifyjhvniqhila.exe2⤵PID:1768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lhspdxrnfpmzqkrhhj.exe .1⤵PID:4764
-
C:\Windows\lhspdxrnfpmzqkrhhj.exelhspdxrnfpmzqkrhhj.exe .2⤵PID:2256
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\lhspdxrnfpmzqkrhhj.exe*."3⤵PID:4848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe1⤵PID:2448
-
C:\Windows\yxllczwvqddtnkunqvmlz.exeyxllczwvqddtnkunqvmlz.exe2⤵PID:4492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe .1⤵PID:5024
-
C:\Windows\yxllczwvqddtnkunqvmlz.exeyxllczwvqddtnkunqvmlz.exe .2⤵PID:4364
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\yxllczwvqddtnkunqvmlz.exe*."3⤵PID:4588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe1⤵PID:3304
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5060
-
-
C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exeC:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe2⤵PID:3448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .1⤵PID:3388
-
C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exeC:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .2⤵PID:1756
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vpytfxpjzhcncuzn.exe*."3⤵PID:392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe1⤵PID:4048
-
C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exeC:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe2⤵PID:1196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe .1⤵PID:4016
-
C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe .2⤵PID:4424
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\lhspdxrnfpmzqkrhhj.exe*."3⤵PID:2864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe1⤵PID:5032
-
C:\Windows\yxllczwvqddtnkunqvmlz.exeyxllczwvqddtnkunqvmlz.exe2⤵PID:2764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe .1⤵PID:3368
-
C:\Windows\jhutjfbztfetmirjlpfd.exejhutjfbztfetmirjlpfd.exe .2⤵PID:3984
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\jhutjfbztfetmirjlpfd.exe*."3⤵PID:4112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe1⤵PID:4144
-
C:\Windows\jhutjfbztfetmirjlpfd.exejhutjfbztfetmirjlpfd.exe2⤵PID:4896
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe .1⤵PID:4448
-
C:\Windows\vpytfxpjzhcncuzn.exevpytfxpjzhcncuzn.exe .2⤵PID:3672
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vpytfxpjzhcncuzn.exe*."3⤵PID:2952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe1⤵PID:1688
-
C:\Windows\cxhdqjcxoxtfvouji.execxhdqjcxoxtfvouji.exe2⤵PID:2108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe1⤵PID:4540
-
C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exeC:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe2⤵PID:3788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .1⤵PID:1824
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3536
-
-
C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exeC:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .2⤵PID:4616
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\vpytfxpjzhcncuzn.exe*."3⤵PID:2692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yxllczwvqddtnkunqvmlz.exe .1⤵PID:4376
-
C:\Windows\yxllczwvqddtnkunqvmlz.exeyxllczwvqddtnkunqvmlz.exe .2⤵PID:2500
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\yxllczwvqddtnkunqvmlz.exe*."3⤵PID:2608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c lhspdxrnfpmzqkrhhj.exe1⤵PID:3156
-
C:\Windows\lhspdxrnfpmzqkrhhj.exelhspdxrnfpmzqkrhhj.exe2⤵PID:1316
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe1⤵PID:704
-
C:\Windows\cxhdqjcxoxtfvouji.execxhdqjcxoxtfvouji.exe2⤵PID:4680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe1⤵PID:1608
-
C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exeC:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe2⤵PID:1672
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe .1⤵PID:1408
-
C:\Windows\cxhdqjcxoxtfvouji.execxhdqjcxoxtfvouji.exe .2⤵PID:5048
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\cxhdqjcxoxtfvouji.exe*."3⤵PID:4144
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vpytfxpjzhcncuzn.exe .1⤵PID:2748
-
C:\Windows\vpytfxpjzhcncuzn.exevpytfxpjzhcncuzn.exe .2⤵PID:368
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\windows\vpytfxpjzhcncuzn.exe*."3⤵PID:4468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .1⤵PID:1036
-
C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exeC:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .2⤵PID:3688
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\cxhdqjcxoxtfvouji.exe*."3⤵PID:4928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe1⤵PID:2144
-
C:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exeC:\Users\Admin\AppData\Local\Temp\yxllczwvqddtnkunqvmlz.exe2⤵PID:4660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cxhdqjcxoxtfvouji.exe1⤵PID:4320
-
C:\Windows\cxhdqjcxoxtfvouji.execxhdqjcxoxtfvouji.exe2⤵PID:3212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe .1⤵PID:3604
-
C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exeC:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe .2⤵PID:232
-
C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe"C:\Users\Admin\AppData\Local\Temp\tzjwwfytdjt.exe" "c:\users\admin\appdata\local\temp\jhutjfbztfetmirjlpfd.exe*."3⤵PID:1792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wtfdsnifyjhvniqhila.exe .1⤵PID:2712
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe1⤵PID:436
-
C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exeC:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe2⤵PID:3644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe .1⤵PID:4588
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe1⤵PID:1612
-
C:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exeC:\Users\Admin\AppData\Local\Temp\cxhdqjcxoxtfvouji.exe2⤵PID:3984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe .1⤵PID:4952
-
C:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exeC:\Users\Admin\AppData\Local\Temp\lhspdxrnfpmzqkrhhj.exe .2⤵PID:836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe1⤵PID:4684
-
C:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exeC:\Users\Admin\AppData\Local\Temp\jhutjfbztfetmirjlpfd.exe2⤵PID:1512
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe1⤵PID:448
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vpytfxpjzhcncuzn.exe .1⤵PID:3380
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhutjfbztfetmirjlpfd.exe .1⤵PID:4032
Network
MITRE ATT&CK Enterprise v16

Persistence
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
- Executable Installer File Permissions Weakness (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
- Executable Installer File Permissions Weakness (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Hijack Execution Flow (1)
- Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
- Disable or Modify Tools (1)
- Safe Mode Boot (1)
- Modify Registry (5)
Downloads