Analysis
max time kernel: 56s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/04/2025, 00:44

Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
  Resource: win10v2004-20250314-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
  Resource: win11-20250411-en

General
Target: JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
Size: 968KB
MD5: bbd7b871140426c0f77e65b9c18dbcf1
SHA1: f107fdc5b346882994efb09ba63b85e696679e4d
SHA256: 2e69cd89b60105229d7465e33802b3ff410aa6c470320732b23b88fa48572f9b
SHA512: c30ec761442c26b0f8c86eae2aebbd09c864a2587a27ca300b7c4669eb91efd88a2a05aae21020ae3c08ba690f472a551bc85b9d83967160758aaa3c9c6ff322
SSDEEP: 12288:/pUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqs0yDYilDLvxtJzzxHs0oPYJaf4Db:/pUNr6YkVRFkgbeqeo68FhqsnvzKT+
Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | whhmr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | whhmr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | rfyzcmqobpi.exe
Pykspa family
UAC bypass (3 TTPs, 33 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | whhmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | whhmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | whhmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | whhmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | whhmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | whhmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | whhmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | whhmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Detect Pykspa worm (2 IoCs)
resource | yara_rule
behavioral1/files/0x000c000000024139-4.dat | family_pykspa
behavioral1/files/0x000700000002426f-106.dat | family_pykspa
Adds policy Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axjarjbrlzrlkraqa.exe" | whhmr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "tpaqgxodwjatrxfu.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "tpaqgxodwjatrxfu.exe" | whhmr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "wxnidzvpnfbzcnauiqklb.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "hhwqkfatqhczblxqdkdd.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhumexqhcrkffnxoze.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "tpaqgxodwjatrxfu.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "tpaqgxodwjatrxfu.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | whhmr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe" | whhmr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uthatnhzvlfbclwoagy.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "tpaqgxodwjatrxfu.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | whhmr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axjarjbrlzrlkraqa.exe" | whhmr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "jhumexqhcrkffnxoze.exe" | whhmr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "wxnidzvpnfbzcnauiqklb.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "jhumexqhcrkffnxoze.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "hhwqkfatqhczblxqdkdd.exe" | whhmr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "tpaqgxodwjatrxfu.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhumexqhcrkffnxoze.exe" | whhmr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhwqkfatqhczblxqdkdd.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "jhumexqhcrkffnxoze.exe" | whhmr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhwqkfatqhczblxqdkdd.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "tpaqgxodwjatrxfu.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axjarjbrlzrlkraqa.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uthatnhzvlfbclwoagy.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhumexqhcrkffnxoze.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "wxnidzvpnfbzcnauiqklb.exe" | whhmr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhwqkfatqhczblxqdkdd.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uthatnhzvlfbclwoagy.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axjarjbrlzrlkraqa.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "jhumexqhcrkffnxoze.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "tpaqgxodwjatrxfu.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "axjarjbrlzrlkraqa.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "jhumexqhcrkffnxoze.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jxaiqzip = "tpaqgxodwjatrxfu.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhwqkfatqhczblxqdkdd.exe" | whhmr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\whhmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhumexqhcrkffnxoze.exe" | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rfyzcmqobpi.exe
Disables RegEdit via registry modification (27 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | whhmr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | whhmr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | whhmr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | whhmr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rfyzcmqobpi.exe
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | jhumexqhcrkffnxoze.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | uthatnhzvlfbclwoagy.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | axjarjbrlzrlkraqa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | wxnidzvpnfbzcnauiqklb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | hhwqkfatqhczblxqdkdd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | uthatnhzvlfbclwoagy.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | hhwqkfatqhczblxqdkdd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tpaqgxodwjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tpaqgxodwjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | wxnidzvpnfbzcnauiqklb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | jhumexqhcrkffnxoze.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | jhumexqhcrkffnxoze.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | hhwqkfatqhczblxqdkdd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | uthatnhzvlfbclwoagy.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | hhwqkfatqhczblxqdkdd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | axjarjbrlzrlkraqa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | uthatnhzvlfbclwoagy.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tpaqgxodwjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | axjarjbrlzrlkraqa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tpaqgxodwjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | hhwqkfatqhczblxqdkdd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | uthatnhzvlfbclwoagy.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | uthatnhzvlfbclwoagy.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | jhumexqhcrkffnxoze.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tpaqgxodwjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tpaqgxodwjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tpaqgxodwjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | hhwqkfatqhczblxqdkdd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | uthatnhzvlfbclwoagy.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | wxnidzvpnfbzcnauiqklb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | wxnidzvpnfbzcnauiqklb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | axjarjbrlzrlkraqa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | hhwqkfatqhczblxqdkdd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | wxnidzvpnfbzcnauiqklb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | axjarjbrlzrlkraqa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | jhumexqhcrkffnxoze.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tpaqgxodwjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | hhwqkfatqhczblxqdkdd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tpaqgxodwjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | hhwqkfatqhczblxqdkdd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | jhumexqhcrkffnxoze.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | hhwqkfatqhczblxqdkdd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tpaqgxodwjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | hhwqkfatqhczblxqdkdd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | wxnidzvpnfbzcnauiqklb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | hhwqkfatqhczblxqdkdd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tpaqgxodwjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tpaqgxodwjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | wxnidzvpnfbzcnauiqklb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tpaqgxodwjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | uthatnhzvlfbclwoagy.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | axjarjbrlzrlkraqa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | hhwqkfatqhczblxqdkdd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | hhwqkfatqhczblxqdkdd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | wxnidzvpnfbzcnauiqklb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | hhwqkfatqhczblxqdkdd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | uthatnhzvlfbclwoagy.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | wxnidzvpnfbzcnauiqklb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | jhumexqhcrkffnxoze.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | hhwqkfatqhczblxqdkdd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | wxnidzvpnfbzcnauiqklb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tpaqgxodwjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tpaqgxodwjatrxfu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | tpaqgxodwjatrxfu.exe
Executes dropped EXE 64 IoCs
pid | Process
5688 | rfyzcmqobpi.exe
4968 | axjarjbrlzrlkraqa.exe
3648 | jhumexqhcrkffnxoze.exe
4964 | rfyzcmqobpi.exe
5400 | tpaqgxodwjatrxfu.exe
4140 | uthatnhzvlfbclwoagy.exe
4328 | hhwqkfatqhczblxqdkdd.exe
4796 | uthatnhzvlfbclwoagy.exe
2380 | rfyzcmqobpi.exe
5300 | rfyzcmqobpi.exe
1432 | tpaqgxodwjatrxfu.exe
1860 | tpaqgxodwjatrxfu.exe
1520 | rfyzcmqobpi.exe
6060 | whhmr.exe
4484 | whhmr.exe
1236 | axjarjbrlzrlkraqa.exe
5828 | uthatnhzvlfbclwoagy.exe
3268 | hhwqkfatqhczblxqdkdd.exe
3124 | rfyzcmqobpi.exe
632 | uthatnhzvlfbclwoagy.exe
5716 | uthatnhzvlfbclwoagy.exe
6088 | rfyzcmqobpi.exe
5696 | wxnidzvpnfbzcnauiqklb.exe
6000 | uthatnhzvlfbclwoagy.exe
4924 | wxnidzvpnfbzcnauiqklb.exe
3988 | uthatnhzvlfbclwoagy.exe
6040 | tpaqgxodwjatrxfu.exe
4700 | rfyzcmqobpi.exe
4948 | axjarjbrlzrlkraqa.exe
4492 | rfyzcmqobpi.exe
5032 | rfyzcmqobpi.exe
5260 | tpaqgxodwjatrxfu.exe
6032 | uthatnhzvlfbclwoagy.exe
1284 | tpaqgxodwjatrxfu.exe
3060 | uthatnhzvlfbclwoagy.exe
1004 | tpaqgxodwjatrxfu.exe
5300 | jhumexqhcrkffnxoze.exe
6096 | rfyzcmqobpi.exe
624 | rfyzcmqobpi.exe
2152 | rfyzcmqobpi.exe
1280 | hhwqkfatqhczblxqdkdd.exe
2356 | uthatnhzvlfbclwoagy.exe
1192 | rfyzcmqobpi.exe
1224 | axjarjbrlzrlkraqa.exe
5996 | hhwqkfatqhczblxqdkdd.exe
1088 | hhwqkfatqhczblxqdkdd.exe
3880 | rfyzcmqobpi.exe
3340 | wxnidzvpnfbzcnauiqklb.exe
5884 | rfyzcmqobpi.exe
3432 | uthatnhzvlfbclwoagy.exe
6092 | wxnidzvpnfbzcnauiqklb.exe
1612 | rfyzcmqobpi.exe
2880 | tpaqgxodwjatrxfu.exe
2936 | hhwqkfatqhczblxqdkdd.exe
4976 | axjarjbrlzrlkraqa.exe
2312 | wxnidzvpnfbzcnauiqklb.exe
408 | axjarjbrlzrlkraqa.exe
3348 | rfyzcmqobpi.exe
3200 | jhumexqhcrkffnxoze.exe
4316 | hhwqkfatqhczblxqdkdd.exe
6012 | rfyzcmqobpi.exe
6140 | wxnidzvpnfbzcnauiqklb.exe
5344 | rfyzcmqobpi.exe
4532 | tpaqgxodwjatrxfu.exe
-
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | whhmr.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | whhmr.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | whhmr.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | whhmr.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | whhmr.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | whhmr.exe
-
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldkwivitiret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhumexqhcrkffnxoze.exe" | whhmr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhwqkfatqhczblxqdkdd.exe ." | whhmr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "jhumexqhcrkffnxoze.exe" | whhmr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\htuagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uthatnhzvlfbclwoagy.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\htuagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axjarjbrlzrlkraqa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tjoyitenah = "hhwqkfatqhczblxqdkdd.exe ." | whhmr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uthatnhzvlfbclwoagy.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "tpaqgxodwjatrxfu.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tjoyitenah = "uthatnhzvlfbclwoagy.exe ." | whhmr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "jhumexqhcrkffnxoze.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "jhumexqhcrkffnxoze.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tjoyitenah = "hhwqkfatqhczblxqdkdd.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "hhwqkfatqhczblxqdkdd.exe" | whhmr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tjoyitenah = "wxnidzvpnfbzcnauiqklb.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "jhumexqhcrkffnxoze.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tjoyitenah = "wxnidzvpnfbzcnauiqklb.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldkwivitiret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axjarjbrlzrlkraqa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhwqkfatqhczblxqdkdd.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uthatnhzvlfbclwoagy.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "uthatnhzvlfbclwoagy.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tjoyitenah = "jhumexqhcrkffnxoze.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldkwivitiret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "jhumexqhcrkffnxoze.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldkwivitiret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe" | whhmr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tjoyitenah = "jhumexqhcrkffnxoze.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "hhwqkfatqhczblxqdkdd.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\htuagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhumexqhcrkffnxoze.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axjarjbrlzrlkraqa.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\htuagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe" | whhmr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "tpaqgxodwjatrxfu.exe" | whhmr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldkwivitiret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe" | whhmr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "jhumexqhcrkffnxoze.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "hhwqkfatqhczblxqdkdd.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "jhumexqhcrkffnxoze.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "axjarjbrlzrlkraqa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "axjarjbrlzrlkraqa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "uthatnhzvlfbclwoagy.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe ." | whhmr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhumexqhcrkffnxoze.exe ." | whhmr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldkwivitiret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "jhumexqhcrkffnxoze.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "axjarjbrlzrlkraqa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "jhumexqhcrkffnxoze.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oflwhtfpdlx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uthatnhzvlfbclwoagy.exe ." | whhmr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tpaqgxodwjatrxfu.exe ." | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "uthatnhzvlfbclwoagy.exe" | whhmr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "axjarjbrlzrlkraqa.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe ." | whhmr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "uthatnhzvlfbclwoagy.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\htuagn = "hhwqkfatqhczblxqdkdd.exe" | whhmr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldkwivitiret = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhwqkfatqhczblxqdkdd.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\uhjqxfn = "hhwqkfatqhczblxqdkdd.exe ." | whhmr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tjoyitenah = "tpaqgxodwjatrxfu.exe ." | whhmr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\htuagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hhwqkfatqhczblxqdkdd.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aptclvfnz = "uthatnhzvlfbclwoagy.exe" | rfyzcmqobpi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\htuagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wxnidzvpnfbzcnauiqklb.exe" | rfyzcmqobpi.exe
-
Checks whether UAC is enabled 1 TTPs 48 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | whhmr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | whhmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | whhmr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | whhmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rfyzcmqobpi.exe
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users. EnableInstallerDetection = 0 disables UAC's installer-detection heuristic, so setup programs are no longer automatically prompted to elevate; together with EnableLUA = 0 (previous signature) this removes the elevation prompt for the dropped executables.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | rfyzcmqobpi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | whhmr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | whhmr.exe
-
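The registry indicators in the signatures above (the Run/RunOnce values, the SafeBoot\Minimal deletions, EnableLUA and EnableInstallerDetection) can be checked on a suspect host in one pass. The script below is an added example written for this page, not part of the sandbox report or the sample; the value names, executable names and SafeBoot subkeys come from this report, while the choice of keys, the Winlogon Shell check (a standard persistence location inspected alongside) and the "bare file name" heuristic are this script's own assumptions.

```powershell
# Added example, not part of this sandbox report: read-only audit of a Windows 10 host for
# the registry indicators listed above. Run it in a PowerShell session of the affected user
# (HKCU: is that user's hive); reading these keys needs no elevation.
# Value names, executable names and SafeBoot subkeys are taken from this report. Which keys
# to inspect and the "bare file name" heuristic are this script's own assumptions.

$ErrorActionPreference = 'SilentlyContinue'
$findings = [System.Collections.Generic.List[string]]::new()

# Names observed in this report.
$runValueNames = 'ldkwivitiret', 'htuagn', 'aptclvfnz', 'oflwhtfpdlx', 'uhjqxfn', 'tjoyitenah'
$dropNames = 'rfyzcmqobpi', 'whhmr', 'axjarjbrlzrlkraqa', 'jhumexqhcrkffnxoze', 'tpaqgxodwjatrxfu',
             'uthatnhzvlfbclwoagy', 'hhwqkfatqhczblxqdkdd', 'wxnidzvpnfbzcnauiqklb', 'npgcyvsnmfcbfrfapytvmi'
$dropPattern = '\b(' + ($dropNames -join '|') + ')\.exe'

# 1. UAC policy. Both values are 1 on a default install; the sample writes 0 to each.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'EnableLUA', 'EnableInstallerDetection') {
    $value = (Get-ItemProperty -Path $policy -Name $name).$name
    if ($value -ne 1) { $findings.Add("UAC: $name = '$value' (expected 1)") }
}

# 2. Winlogon Shell, native and WOW6432Node views. The default is exactly "explorer.exe";
#    anything else, including a different capitalisation, means something rewrote it.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon') {
    $shell = (Get-ItemProperty -Path $key -Name Shell).Shell
    if ($null -ne $shell -and $shell -cne 'explorer.exe') { $findings.Add("Winlogon: $key\Shell = '$shell'") }
}

# 3. Run / RunOnce in HKLM (both views) and HKCU. Flag an entry when its value name or its
#    target matches this report, when it launches from %TEMP%, or when it is a bare file name
#    (the report shows "jhumexqhcrkffnxoze.exe" and "hhwqkfatqhczblxqdkdd.exe ." being written).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        $why = @()
        if ($runValueNames -contains $name)          { $why += 'value name seen in this report' }
        if ($data -match $dropPattern)               { $why += 'launches a dropped executable' }
        if ($data -match '\\AppData\\Local\\Temp\\') { $why += 'launches from %TEMP%' }
        if ($data -match '^[^\\"]+\.exe( \.)?$')     { $why += 'bare file name, resolved through the search path' }
        if ($why.Count -gt 0) { $findings.Add("Run key: $key\$name = '$data' [$($why -join '; ')]") }
    }
}

# 4. SafeBoot\Minimal entries the sample deleted. The report names ControlSet001;
#    CurrentControlSet resolves to whichever control set is live on the host being checked.
$safeMinimal = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
foreach ($sub in 'ProfSvc', 'Power', 'iai2c.sys', 'CBDHSvc', 'UserManager', 'SerCx2.sys') {
    if (-not (Test-Path -LiteralPath "$safeMinimal\$sub")) {
        $findings.Add("SafeBoot: $safeMinimal\$sub missing (deleted, or not present on this build)")
    }
}

if ($findings.Count -eq 0) { 'No indicator from this report was found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The script only reports. Setting EnableLUA back to 1 takes effect after a reboot, and a missing SafeBoot\Minimal subkey should be restored from a clean machine of the same Windows build rather than recreated by hand, since the deleted entries carry service-type data the report does not show.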
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
25 | www.whatismyip.ca
33 | www.whatismyip.ca
34 | whatismyip.everdot.org
39 | www.whatismyip.ca
41 | whatismyip.everdot.org
15 | whatismyipaddress.com
18 | www.showmyipaddress.com
24 | whatismyip.everdot.org
-
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe | whhmr.exe
File opened for modification | C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\tpaqgxodwjatrxfu.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\wxnidzvpnfbzcnauiqklb.exe | whhmr.exe
File opened for modification | C:\Windows\SysWOW64\uthatnhzvlfbclwoagy.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\tpaqgxodwjatrxfu.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\uthatnhzvlfbclwoagy.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\hhwqkfatqhczblxqdkdd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe | whhmr.exe
File created | C:\Windows\SysWOW64\yfbcdfhhljlpypiicqqxtuv.zzd | whhmr.exe
File opened for modification | C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\wxnidzvpnfbzcnauiqklb.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\uthatnhzvlfbclwoagy.exe | whhmr.exe
File opened for modification | C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\uthatnhzvlfbclwoagy.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\wxnidzvpnfbzcnauiqklb.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\tpaqgxodwjatrxfu.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\tpaqgxodwjatrxfu.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe | whhmr.exe
File opened for modification | C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe | whhmr.exe
File opened for modification | C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\hhwqkfatqhczblxqdkdd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\wxnidzvpnfbzcnauiqklb.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\wxnidzvpnfbzcnauiqklb.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\hhwqkfatqhczblxqdkdd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\wxnidzvpnfbzcnauiqklb.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\hhwqkfatqhczblxqdkdd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\tpaqgxodwjatrxfu.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\hhwqkfatqhczblxqdkdd.exe | whhmr.exe
File opened for modification | C:\Windows\SysWOW64\uthatnhzvlfbclwoagy.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\hhwqkfatqhczblxqdkdd.exe | rfyzcmq￼obpi.exe
File opened for modification | C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\uthatnhzvlfbclwoagy.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\uthatnhzvlfbclwoagy.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\tpaqgxodwjatrxfu.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\axjarjbrlzrlkraqa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\ldkwivitiretnptejitlseqdqbqzmbvxbm.qbt | whhmr.exe
File opened for modification | C:\Windows\SysWOW64\hhwqkfatqhczblxqdkdd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\jhumexqhcrkffnxoze.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\npgcyvsnmfcbfrfapytvmi.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\tpaqgxodwjatrxfu.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\SysWOW64\uthatnhzvlfbclwoagy.exe | rfyzcmqobpi.exe
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\yfbcdfhhljlpypiicqqxtuv.zzd | whhmr.exe
File created | C:\Program Files (x86)\yfbcdfhhljlpypiicqqxtuv.zzd | whhmr.exe
File opened for modification | C:\Program Files (x86)\ldkwivitiretnptejitlseqdqbqzmbvxbm.qbt | whhmr.exe
File created | C:\Program Files (x86)\ldkwivitiretnptejitlseqdqbqzmbvxbm.qbt | whhmr.exe
-
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\axjarjbrlzrlkraqa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\hhwqkfatqhczblxqdkdd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\wxnidzvpnfbzcnauiqklb.exe | whhmr.exe
File opened for modification | C:\Windows\jhumexqhcrkffnxoze.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\jhumexqhcrkffnxoze.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\wxnidzvpnfbzcnauiqklb.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\axjarjbrlzrlkraqa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\tpaqgxodwjatrxfu.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\npgcyvsnmfcbfrfapytvmi.exe | rfyzcmqobpi.exe
File created | C:\Windows\yfbcdfhhljlpypiicqqxtuv.zzd | whhmr.exe
File opened for modification | C:\Windows\ldkwivitiretnptejitlseqdqbqzmbvxbm.qbt | whhmr.exe
File opened for modification | C:\Windows\axjarjbrlzrlkraqa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\wxnidzvpnfbzcnauiqklb.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\jhumexqhcrkffnxoze.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\tpaqgxodwjatrxfu.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\jhumexqhcrkffnxoze.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\npgcyvsnmfcbfrfapytvmi.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\hhwqkfatqhczblxqdkdd.exe | whhmr.exe
File opened for modification | C:\Windows\yfbcdfhhljlpypiicqqxtuv.zzd | whhmr.exe
File opened for modification | C:\Windows\wxnidzvpnfbzcnauiqklb.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\npgcyvsnmfcbfrfapytvmi.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\hhwqkfatqhczblxqdkdd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\hhwqkfatqhczblxqdkdd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\npgcyvsnmfcbfrfapytvmi.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\tpaqgxodwjatrxfu.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\jhumexqhcrkffnxoze.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\jhumexqhcrkffnxoze.exe | whhmr.exe
File opened for modification | C:\Windows\jhumexqhcrkffnxoze.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\tpaqgxodwjatrxfu.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\npgcyvsnmfcbfrfapytvmi.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\axjarjbrlzrlkraqa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\uthatnhzvlfbclwoagy.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\axjarjbrlzrlkraqa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\wxnidzvpnfbzcnauiqklb.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\uthatnhzvlfbclwoagy.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\jhumexqhcrkffnxoze.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\hhwqkfatqhczblxqdkdd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\hhwqkfatqhczblxqdkdd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\jhumexqhcrkffnxoze.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\uthatnhzvlfbclwoagy.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\tpaqgxodwjatrxfu.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\npgcyvsnmfcbfrfapytvmi.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\tpaqgxodwjatrxfu.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\npgcyvsnmfcbfrfapytvmi.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\tpaqgxodwjatrxfu.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\hhwqkfatqhczblxqdkdd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\tpaqgxodwjatrxfu.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\uthatnhzvlfbclwoagy.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\axjarjbrlzrlkraqa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\uthatnhzvlfbclwoagy.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\hhwqkfatqhczblxqdkdd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\jhumexqhcrkffnxoze.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\axjarjbrlzrlkraqa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\tpaqgxodwjatrxfu.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\hhwqkfatqhczblxqdkdd.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\wxnidzvpnfbzcnauiqklb.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\tpaqgxodwjatrxfu.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\axjarjbrlzrlkraqa.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\wxnidzvpnfbzcnauiqklb.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\uthatnhzvlfbclwoagy.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\tpaqgxodwjatrxfu.exe | whhmr.exe
File opened for modification | C:\Windows\jhumexqhcrkffnxoze.exe | whhmr.exe
File opened for modification | C:\Windows\tpaqgxodwjatrxfu.exe | rfyzcmqobpi.exe
File opened for modification | C:\Windows\tpaqgxodwjatrxfu.exe | rfyzcmqobpi.exe
-
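The three file-drop signatures above show the same set of executables being written into C:\Windows, C:\Windows\SysWOW64 and (via the Run keys) %TEMP%, plus two data files in those directories and C:\Program Files (x86). The script below is an added example written for this page, not the sandbox's or the sample's code: it looks for those exact names, hashes what it finds against the submitted sample's SHA256 (the report does not say whether the dropped copies are byte-identical, so the comparison is informative rather than a pass/fail), and then casts a wider net for unsigned executables with the same naming pattern. The directory list and file names come from this report; the lowercase-name heuristic is this script's own assumption.

```powershell
# Added example, not part of this sandbox report: sweep the drop locations named above for
# the files this report lists, hash each one and check its Authenticode status. File names,
# directories and the submitted sample's SHA256 are from this report; the lowercase-name
# heuristic in the second pass is this script's own assumption. Read-only; any user that can
# read C:\Windows may run it (the %TEMP% check covers the current user only).

$sampleSha256 = '2e69cd89b60105229d7465e33802b3ff410aa6c470320732b23b88fa48572f9b'
$exeNames  = 'rfyzcmqobpi', 'whhmr', 'axjarjbrlzrlkraqa', 'jhumexqhcrkffnxoze', 'tpaqgxodwjatrxfu',
             'uthatnhzvlfbclwoagy', 'hhwqkfatqhczblxqdkdd', 'wxnidzvpnfbzcnauiqklb', 'npgcyvsnmfcbfrfapytvmi' |
             ForEach-Object { "$_.exe" }
$dataNames = 'yfbcdfhhljlpypiicqqxtuv.zzd', 'ldkwivitiretnptejitlseqdqbqzmbvxbm.qbt'
$dirs = $env:SystemRoot, "$env:SystemRoot\SysWOW64", ${env:ProgramFiles(x86)}, $env:TEMP

# Pass 1: the exact names from the report, in every directory the report shows them written to.
$known = foreach ($dir in $dirs) {
    foreach ($name in ($exeNames + $dataNames)) {
        $path = Join-Path -Path $dir -ChildPath $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLowerInvariant()
        [pscustomobject]@{
            Path         = $path
            Bytes        = (Get-Item -LiteralPath $path).Length
            SHA256       = $hash
            SameAsSample = ($hash -eq $sampleSha256)   # the report does not claim the copies are identical
            Signature    = (Get-AuthenticodeSignature -LiteralPath $path).Status
        }
    }
}

# Pass 2: a wider net for renamed copies. Executables sitting directly in C:\Windows or
# SysWOW64 whose name is 11 or more lowercase letters and nothing else, and which carry no
# valid Authenticode signature. Every long name in this report fits the pattern; 'whhmr.exe'
# is too short and is only caught by pass 1.
$suspect = foreach ($dir in $env:SystemRoot, "$env:SystemRoot\SysWOW64") {
    Get-ChildItem -LiteralPath $dir -File -Filter '*.exe' |
        Where-Object { $_.BaseName -cmatch '^[a-z]{11,}$' } |
        Where-Object { (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status -ne 'Valid' } |
        Select-Object FullName, Length, LastWriteTime
}

"Known drop names present: $(@($known).Count)"
$known   | Format-Table -AutoSize
"Unsigned long-lowercase-name executables: $(@($suspect).Count)"
$suspect | Format-Table -AutoSize
```

Pass 2 relies on Get-AuthenticodeSignature resolving catalog signatures for Windows' own binaries, which it does on Windows 10; a legitimate unsigned third-party tool dropped into C:\Windows would also appear, so treat its output as a candidate list to hash and review rather than a verdict.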
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
Token: SeDebugPrivilege, pid 6060, process whhmr.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 64 IoCs
Processes

- PID 4268: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - PID 5688: C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe*"
    Signatures: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Adds Run key to start application; Checks whether UAC is enabled; Hijack Execution Flow: Executable Installer File Permissions Weakness; Drops file in System32 directory; Drops file in Windows directory; Suspicious use of WriteProcessMemory; System policy modification
    - PID 6060: C:\Users\Admin\AppData\Local\Temp\whhmr.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\whhmr.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe"
      Signatures: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Impair Defenses: Safe Mode Boot; Adds Run key to start application; Checks whether UAC is enabled; Hijack Execution Flow: Executable Installer File Permissions Weakness; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification
    - PID 4484: C:\Users\Admin\AppData\Local\Temp\whhmr.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\whhmr.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_bbd7b871140426c0f77e65b9c18dbcf1.exe"
      Signatures: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Adds Run key to start application; Checks whether UAC is enabled; Hijack Execution Flow: Executable Installer File Permissions Weakness; Drops file in System32 directory; Drops file in Windows directory; System policy modification

- PID 4708: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe
  Signatures: Suspicious use of WriteProcessMemory
  - PID 4968: C:\Windows\axjarjbrlzrlkraqa.exe
    Command line: axjarjbrlzrlkraqa.exe
    Signatures: Executes dropped EXE

- PID 5040: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .
  Signatures: Suspicious use of WriteProcessMemory
  - PID 3648: C:\Windows\jhumexqhcrkffnxoze.exe
    Command line: jhumexqhcrkffnxoze.exe .
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - PID 4964: C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."
      Signatures: Executes dropped EXE

- PID 4908: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe
  Signatures: Suspicious use of WriteProcessMemory
  - PID 5400: C:\Windows\tpaqgxodwjatrxfu.exe
    Command line: tpaqgxodwjatrxfu.exe
    Signatures: Executes dropped EXE

- PID 5088: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .
  Signatures: Suspicious use of WriteProcessMemory
  - PID 4140: C:\Windows\uthatnhzvlfbclwoagy.exe
    Command line: uthatnhzvlfbclwoagy.exe .
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - PID 2380: C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."
      Signatures: Executes dropped EXE

- PID 5252: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
  Signatures: Suspicious use of WriteProcessMemory
  - PID 4328: C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
    Signatures: Executes dropped EXE

- PID 6140: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
  Signatures: Suspicious use of WriteProcessMemory
  - PID 4796: C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - PID 5300: C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."
      Signatures: Executes dropped EXE

- PID 2152: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
  Signatures: Suspicious use of WriteProcessMemory
  - PID 1432: C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
    Signatures: Executes dropped EXE

- PID 2856: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
  Signatures: Suspicious use of WriteProcessMemory
  - PID 1860: C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - PID 1520: C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."
      Signatures: Executes dropped EXE

- PID 6080: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe
  Signatures: Suspicious use of WriteProcessMemory
  - PID 1236: C:\Windows\axjarjbrlzrlkraqa.exe
    Command line: axjarjbrlzrlkraqa.exe
    Signatures: Executes dropped EXE

- PID 2924: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe
  Signatures: Suspicious use of WriteProcessMemory
  - PID 5828: C:\Windows\uthatnhzvlfbclwoagy.exe
    Command line: uthatnhzvlfbclwoagy.exe
    Signatures: Executes dropped EXE

- PID 2392: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .
  Signatures: Suspicious use of WriteProcessMemory
  - PID 3268: C:\Windows\hhwqkfatqhczblxqdkdd.exe
    Command line: hhwqkfatqhczblxqdkdd.exe .
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - PID 3124: C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."
      Signatures: Executes dropped EXE

- PID 3336: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .
  Signatures: Suspicious use of WriteProcessMemory
  - PID 632: C:\Windows\uthatnhzvlfbclwoagy.exe
    Command line: uthatnhzvlfbclwoagy.exe .
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - PID 6088: C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."
      Signatures: Executes dropped EXE

- PID 5892: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe
  Signatures: Suspicious use of WriteProcessMemory
  - PID 5716: C:\Windows\uthatnhzvlfbclwoagy.exe
    Command line: uthatnhzvlfbclwoagy.exe
    Signatures: Executes dropped EXE

- PID 1928: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .
  - PID 6000: C:\Windows\uthatnhzvlfbclwoagy.exe
    Command line: uthatnhzvlfbclwoagy.exe .
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - PID 4700: C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."
      Signatures: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Executes dropped EXE; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification

- PID 5888: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe
  - PID 5696: C:\Windows\wxnidzvpnfbzcnauiqklb.exe
    Command line: wxnidzvpnfbzcnauiqklb.exe
    Signatures: Executes dropped EXE

- PID 5964: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
  - PID 3988: C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
    Signatures: Executes dropped EXE

- PID 532: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe .
  - PID 4924: C:\Windows\wxnidzvpnfbzcnauiqklb.exe
    Command line: wxnidzvpnfbzcnauiqklb.exe .
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery
    - PID 4492: C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*."
      Signatures: Executes dropped EXE

- PID 1512: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
  - PID 6040: C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
    Signatures: Checks computer location settings; Executes dropped EXE
    - PID 5032: C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."
      Signatures: Executes dropped EXE

- PID 2712: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
  - PID 4948: C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery

- PID 5024: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe
  - PID 5260: C:\Windows\tpaqgxodwjatrxfu.exe
    Command line: tpaqgxodwjatrxfu.exe
    Signatures: Executes dropped EXE

- PID 5268: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
  - PID 6032: C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - PID 6096: C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."
      Signatures: Executes dropped EXE

- PID 3460: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
  - PID 1004: C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
    Signatures: Executes dropped EXE

- PID 5548: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
  - PID 5300: C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery

- PID 4556: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
  - PID 1284: C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
    Signatures: Checks computer location settings; Executes dropped EXE
    - PID 624: C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."
      Signatures: Executes dropped EXE

- PID 1616: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
  - PID 3060: C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
    Signatures: Executes dropped EXE
    - PID 2152: C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."
      Signatures: Executes dropped EXE

- PID 1808: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe
  - PID 1280: C:\Windows\hhwqkfatqhczblxqdkdd.exe
    Command line: hhwqkfatqhczblxqdkdd.exe
    Signatures: Executes dropped EXE

- PID 4056: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .
  - C:\Windows\uthatnhzvlfbclwoagy.exe
    Command line: uthatnhzvlfbclwoagy.exe .
    Signatures: Checks computer location settings; Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2356 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."3⤵
- Executes dropped EXE
PID:1192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe1⤵PID:1216
-
C:\Windows\axjarjbrlzrlkraqa.exeaxjarjbrlzrlkraqa.exe2⤵
- Executes dropped EXE
PID:1224
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .1⤵PID:4012
-
C:\Windows\hhwqkfatqhczblxqdkdd.exehhwqkfatqhczblxqdkdd.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5996 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."3⤵
- Executes dropped EXE
PID:3880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe1⤵PID:5448
-
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exeC:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe2⤵
- Executes dropped EXE
PID:1088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .1⤵PID:436
-
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exeC:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3340 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."3⤵
- Executes dropped EXE
PID:5884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe1⤵PID:3816
-
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exeC:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe2⤵
- Executes dropped EXE
PID:3432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .1⤵PID:2468
-
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exeC:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6092 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1612
-
-
-
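The tree above repeats one pattern: cmd.exe /c launches a dropped binary (from C:\Windows or the user's Temp directory), that binary starts rfyzcmqobpi.exe with the dropped binary's own path plus a trailing "*." as its argument, and it is that third stage on which the sandbox raises the Winlogon, UAC bypass, policy Run key and RegEdit signatures. The Python below is an added example, not part of the sandbox report or of the sample's own code: it parses the report's fused lines as they appear on this page (image path, command line and depth digit glued together, followed by ⤵ and the "-" bullet residue), rebuilds parent/child links from the depth digits and flags the chain plus the PIDs carrying persistence signatures. The Proc record, the function names and the constructed SAMPLE_REPORT are mine; the lines inside SAMPLE_REPORT are excerpted from the report entries above (PIDs 532, 3988 and 1216 trees, with a subset of their signatures).

```python
"""Parse the fused process-tree lines of the sandbox report above and flag the
staged dropper chain it shows (added example; not part of the report)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Report line shape: <image path><command line><depth>⤵[PID:<pid>]
# The image path ends at its first ".exe"; the depth digit is the one glued to ⤵.
LINE_RE = re.compile(r"^(?P<image>[A-Za-z]:\\.*?\.exe)(?P<cmd>.+?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?$")

# Signatures the report raises on the installer stage (names as printed on the page).
PERSISTENCE_SIGS = {
    "Modifies WinLogon for persistence", "UAC bypass",
    "Adds policy Run key to start application", "Adds Run key to start application",
    "Disables RegEdit via registry modification", "System policy modification",
}

@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: int | None = None
    signatures: list[str] = field(default_factory=list)
    parent: Proc | None = None

def parse_report(text: str) -> list[Proc]:
    """Rebuild Proc records; '-' bullet residue and detached 'PID:n' lines are folded in."""
    procs: list[Proc] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip().strip("-").strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            current = Proc(m["image"], m["cmd"], int(m["depth"]), int(m["pid"]) if m["pid"] else None)
            procs.append(current)
        elif line.startswith("PID:") and current is not None:
            current.pid = int(line[4:])
        elif current is not None:
            current.signatures.append(line)
    # Parent = most recent process one level shallower; the report lists the tree in preorder.
    last_at: dict[int, Proc] = {}
    for p in procs:
        p.parent = last_at.get(p.depth - 1)
        last_at[p.depth] = p
    return procs

def find_dropper_chains(procs: list[Proc]) -> list[tuple]:
    """(cmd_pid, dropped_pid, installer_pid) for each
    cmd.exe /c <x> -> <x> -> rfyzcmqobpi.exe "<path of x>*." chain."""
    chains = []
    for p in procs:
        dropped = p.parent
        launcher = dropped.parent if dropped else None
        if launcher is None or not p.image.lower().endswith("\\rfyzcmqobpi.exe"):
            continue
        if not launcher.image.lower().endswith("\\cmd.exe") or " /c " not in launcher.cmdline.lower():
            continue
        # The installer stage receives the dropped binary's own path with "*." appended.
        if dropped.image.lower() + "*." in p.cmdline.lower():
            chains.append((launcher.pid, dropped.pid, p.pid))
    return chains

def persistence_pids(procs: list[Proc]) -> list[int]:
    """PIDs whose signatures include the persistence / policy-tampering set."""
    return [p.pid for p in procs if PERSISTENCE_SIGS & set(p.signatures)]

# Constructed input: excerpt of the report's own entries (PID 532, 3988 and 1216 trees),
# keeping its '-' bullet residue and detached PID lines exactly as the page shows them.
SAMPLE_REPORT = r'''
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe .1⤵PID:532
-
C:\Windows\wxnidzvpnfbzcnauiqklb.exewxnidzvpnfbzcnauiqklb.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4924 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*."3⤵
- Executes dropped EXE
PID:4492
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .1⤵PID:3988
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6140
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exeC:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .2⤵
- Checks computer location settings
PID:4440 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
PID:5360
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe1⤵PID:1216
C:\Windows\axjarjbrlzrlkraqa.exeaxjarjbrlzrlkraqa.exe2⤵
- Executes dropped EXE
PID:1224
'''

if __name__ == "__main__":
    tree = parse_report(SAMPLE_REPORT)
    print("dropper chains:", find_dropper_chains(tree))
    print("persistence stage PIDs:", persistence_pids(tree))
```

The conhost.exe entry under PID 3988 shows why the depth digit, not the repeated path, has to drive the split: its command line starts with \??\ rather than the image path, and its "-ForceV1" argument ends in a digit, so only the digit glued to ⤵ is the depth. The chain check keys on the "*." suffix the installer stage is handed rather than on file names, so it still fires if the dropped binaries are renamed.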
PID 1388   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe
  └ PID 2880   C:\Windows\tpaqgxodwjatrxfu.exe | tpaqgxodwjatrxfu.exe
      sig: Executes dropped EXE

PID 1820   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe
  └ PID 2936   C:\Windows\hhwqkfatqhczblxqdkdd.exe | hhwqkfatqhczblxqdkdd.exe
      sig: Executes dropped EXE

PID 2632   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe .
  └ PID 4976   C:\Windows\axjarjbrlzrlkraqa.exe | axjarjbrlzrlkraqa.exe .
      sig: Checks computer location settings; Executes dropped EXE
    └ PID 3348   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*."
        sig: Executes dropped EXE

PID 4664   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe
  └ PID 2312   C:\Windows\wxnidzvpnfbzcnauiqklb.exe | wxnidzvpnfbzcnauiqklb.exe
      sig: Executes dropped EXE

PID 6116   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe .
  └ PID 408   C:\Windows\axjarjbrlzrlkraqa.exe | axjarjbrlzrlkraqa.exe .
      sig: Executes dropped EXE
    └ PID 6012   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*."
        sig: Executes dropped EXE

PID 4948   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe
  └ PID 3200   C:\Windows\jhumexqhcrkffnxoze.exe | jhumexqhcrkffnxoze.exe
      sig: Executes dropped EXE

PID 4840   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .
  └ PID 4316   C:\Windows\hhwqkfatqhczblxqdkdd.exe | hhwqkfatqhczblxqdkdd.exe .
      sig: Checks computer location settings; Executes dropped EXE
    └ PID 5344   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."
        sig: Executes dropped EXE

PID 2876   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe .
  └ PID 6140   C:\Windows\wxnidzvpnfbzcnauiqklb.exe | wxnidzvpnfbzcnauiqklb.exe .
      sig: Checks computer location settings; Executes dropped EXE
    └ PID 4520   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*."

PID 6024   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe
  └ PID 4532   C:\Windows\tpaqgxodwjatrxfu.exe | tpaqgxodwjatrxfu.exe
      sig: Executes dropped EXE

PID 2068   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
  └ PID 4704   C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe | C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

PID 5964   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .
  └ PID 5452   C:\Windows\hhwqkfatqhczblxqdkdd.exe | hhwqkfatqhczblxqdkdd.exe .
      sig: System Location Discovery: System Language Discovery
    └ PID 5836   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

PID 4324   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe
  └ PID 4344   C:\Windows\uthatnhzvlfbclwoagy.exe | uthatnhzvlfbclwoagy.exe

PID 1208   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
  └ PID 3468   C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

PID 1972   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .
  └ PID 5328   C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .
      sig: System Location Discovery: System Language Discovery
    └ PID 3040   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*."

PID 5556   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .
  └ PID 960   C:\Windows\hhwqkfatqhczblxqdkdd.exe | hhwqkfatqhczblxqdkdd.exe .
      sig: System Location Discovery: System Language Discovery
    └ PID 3196   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."
        sig: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification

PID 5868   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
  └ PID 3960   C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
      sig: Checks computer location settings
    └ PID 5672   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."

PID 1240   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
  └ PID 864   C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

PID 6032   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .
  └ PID 3712   C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .
      sig: Checks computer location settings
    └ PID 6056   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."

PID 552   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
  └ PID 3540   C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

PID 4984   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
  └ PID 2188   C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
      sig: System Location Discovery: System Language Discovery
    └ PID 3440   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."

PID 5268   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
  └ PID 1744   C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

PID 3464   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .
  └ PID 2100   C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .
    └ PID 4684   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*."

PID 3696   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
  └ PID 3384   C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

PID 1224   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .
  └ PID 1236   C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .
      sig: System Location Discovery: System Language Discovery
    └ PID 3016   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."

PID 1248   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe
  └ PID 5408   C:\Windows\wxnidzvpnfbzcnauiqklb.exe | wxnidzvpnfbzcnauiqklb.exe

PID 1264   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .
  └ PID 5976   C:\Windows\jhumexqhcrkffnxoze.exe | jhumexqhcrkffnxoze.exe .
      sig: Checks computer location settings
    └ PID 4960   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."

PID 4876   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe
  └ PID 4140   C:\Windows\jhumexqhcrkffnxoze.exe | jhumexqhcrkffnxoze.exe

PID 4976   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe .
  └ PID 5096   C:\Windows\wxnidzvpnfbzcnauiqklb.exe | wxnidzvpnfbzcnauiqklb.exe .
      sig: System Location Discovery: System Language Discovery
    └ PID 2480   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*."

PID 1144   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
  └ PID 5260   C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

PID 5752   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .
  └ PID 4516   C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .
      sig: System Location Discovery: System Language Discovery
    └ PID 4316   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."

PID 4748   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
  └ PID 4372   C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

PID 3988   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
  └ PID 6140   C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  └ PID 4440   C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
      sig: Checks computer location settings
    └ PID 5360   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."
        sig: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification

PID 4916   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe
  └ PID 3540   C:\Windows\uthatnhzvlfbclwoagy.exe | uthatnhzvlfbclwoagy.exe

PID 5288   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .
  └ PID 2356   C:\Windows\jhumexqhcrkffnxoze.exe | jhumexqhcrkffnxoze.exe .
    └ PID 960   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."

PID 6104   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe
  └ PID 672   C:\Windows\jhumexqhcrkffnxoze.exe | jhumexqhcrkffnxoze.exe

PID 5608   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .
  └ PID 2260   C:\Windows\hhwqkfatqhczblxqdkdd.exe | hhwqkfatqhczblxqdkdd.exe .
      sig: Checks computer location settings
    └ PID 5452   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

PID 5224   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
  └ PID 3960   C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  └ PID 5048   C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

PID 3040   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
  └ PID 4892   C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
      sig: Checks computer location settings; System Location Discovery: System Language Discovery
    └ PID 4732   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."

PID 1536   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
  └ PID 3952   C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

PID 2244   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
  └ PID 3184   C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe | C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
    └ PID 2168   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."
        sig: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification

PID 2700   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe
  └ PID 660   C:\Windows\hhwqkfatqhczblxqdkdd.exe | hhwqkfatqhczblxqdkdd.exe

PID 5884   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe .
  └ PID 3016   C:\Windows\axjarjbrlzrlkraqa.exe | axjarjbrlzrlkraqa.exe .
      sig: System Location Discovery: System Language Discovery
    └ PID 2856   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*."

PID 5584   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe
  └ PID 4700   C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  └ PID 5972   C:\Windows\axjarjbrlzrlkraqa.exe | axjarjbrlzrlkraqa.exe

PID 1224   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .
  └ PID 4280   C:\Windows\tpaqgxodwjatrxfu.exe | tpaqgxodwjatrxfu.exe .
      sig: Checks computer location settings
    └ PID 2468   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."

PID 5052   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
  └ PID 3680   C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

PID 4628   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .
  └ PID 404   C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .
      sig: Checks computer location settings
    └ PID 6056   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."

PID 6032   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
  └ PID 1728   C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

PID 2320   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
  └ PID 5856   C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
      sig: Checks computer location settings; System Location Discovery: System Language Discovery
    └ PID 512   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."
        sig: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification

PID 4876   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe
  └ PID 4740   C:\Windows\uthatnhzvlfbclwoagy.exe | uthatnhzvlfbclwoagy.exe

PID 3852   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .
  └ PID 1144   C:\Windows\jhumexqhcrkffnxoze.exe | jhumexqhcrkffnxoze.exe .
      sig: System Location Discovery: System Language Discovery
    └ PID 2164   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."

PID 1064   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe
  └ PID 2380   C:\Windows\tpaqgxodwjatrxfu.exe | tpaqgxodwjatrxfu.exe

PID 4532   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe .
  └ PID 4200   C:\Windows\wxnidzvpnfbzcnauiqklb.exe | wxnidzvpnfbzcnauiqklb.exe .
      sig: Checks computer location settings; System Location Discovery: System Language Discovery
    └ PID 5200   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*."

PID 3260   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
  └ PID 5272   C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

PID 2076   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
  └ PID 3204   C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .
      sig: System Location Discovery: System Language Discovery
    └ PID 4952   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."

PID 4840   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe
  └ PID 3820   C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe

PID 4856   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
  └ PID 864   C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  └ PID 4916   C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
      sig: System Location Discovery: System Language Discovery
    └ PID 4012   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."
        sig: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification

PID 4344   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe
  └ PID 1580   C:\Windows\wxnidzvpnfbzcnauiqklb.exe | wxnidzvpnfbzcnauiqklb.exe

PID 4100   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .
  └ PID 5328   C:\Windows\uthatnhzvlfbclwoagy.exe | uthatnhzvlfbclwoagy.exe .
      sig: Checks computer location settings
    └ PID 3744   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."

PID 5224   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe
  └ PID 4324   C:\Windows\uthatnhzvlfbclwoagy.exe | uthatnhzvlfbclwoagy.exe

PID 5084   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .
  └ PID 5452   C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  └ PID 4448   C:\Windows\uthatnhzvlfbclwoagy.exe | uthatnhzvlfbclwoagy.exe .
      sig: System Location Discovery: System Language Discovery
    └ PID 1220   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."

PID 5592   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
  └ PID 5836   C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  └ PID 3952   C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

PID 3476   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .
  └ PID 3384   C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  └ PID 4680   C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .
      sig: Checks computer location settings
    └ PID 4608   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*."

PID 3864   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe
  └ PID 5472   C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe | C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe

PID 5588   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
  └ PID 2368   C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe | C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
      sig: System Location Discovery: System Language Discovery
    └ PID 4684   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."
        sig: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification

PID 4048   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe
  └ PID 5020   C:\Windows\jhumexqhcrkffnxoze.exe | jhumexqhcrkffnxoze.exe

PID 5208   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .
  └ PID 3156   C:\Windows\hhwqkfatqhczblxqdkdd.exe | hhwqkfatqhczblxqdkdd.exe .
    └ PID 6044   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."

PID 5348   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe
  └ PID 5796   C:\Windows\tpaqgxodwjatrxfu.exe | tpaqgxodwjatrxfu.exe

PID 2304   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .
  └ PID 6016   C:\Windows\tpaqgxodwjatrxfu.exe | tpaqgxodwjatrxfu.exe .
      sig: Checks computer location settings
    └ PID 5976   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."

PID 1388   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe
  └ PID 5600   C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe

PID 1680   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
  └ PID 3940   C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe | C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
      sig: Checks computer location settings
    └ PID 968   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."

PID 4192   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe
  └ PID 5688   C:\Windows\wxnidzvpnfbzcnauiqklb.exe | wxnidzvpnfbzcnauiqklb.exe

PID 2572   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe
  └ PID 3672   C:\Windows\hhwqkfatqhczblxqdkdd.exe | hhwqkfatqhczblxqdkdd.exe

PID 5436   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe .
  └ PID 728   C:\Windows\wxnidzvpnfbzcnauiqklb.exe | wxnidzvpnfbzcnauiqklb.exe .
      sig: Checks computer location settings; System Location Discovery: System Language Discovery
    └ PID 5752   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*."

PID 4712   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe
  └ PID 2744   C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe

PID 5760   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .
  └ PID 3812   C:\Windows\jhumexqhcrkffnxoze.exe | jhumexqhcrkffnxoze.exe .
      sig: System Location Discovery: System Language Discovery
    └ PID 1688   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."
        sig: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Disables RegEdit via registry modification; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification

PID 3852   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe
  └ PID 3204   C:\Windows\uthatnhzvlfbclwoagy.exe | uthatnhzvlfbclwoagy.exe

PID 2380   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
  └ PID 3972   C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .
      sig: Checks computer location settings; System Location Discovery: System Language Discovery
    └ PID 1412   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."

PID 1084   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .
  └ PID 676   C:\Windows\tpaqgxodwjatrxfu.exe | tpaqgxodwjatrxfu.exe .
      sig: Checks computer location settings
    └ PID 4324   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."

PID 3208   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe
  └ PID 4916   C:\Windows\tpaqgxodwjatrxfu.exe | tpaqgxodwjatrxfu.exe

PID 5200   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe
  └ PID 4224   C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe

PID 4116   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
  └ PID 5992   C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe | C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .
      sig: System Location Discovery: System Language Discovery
    └ PID 5088   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."

PID 3196   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .
  └ PID 4136   C:\Windows\tpaqgxodwjatrxfu.exe | tpaqgxodwjatrxfu.exe .
      sig: Checks computer location settings
    └ PID 3816   C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."

PID 5216   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe
  └ PID 5916   C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe

PID 5188   C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .
-
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exeC:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:6108 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."3⤵PID:6084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe1⤵PID:5288
-
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exeC:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe2⤵PID:4968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .1⤵PID:3700
-
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exeC:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .2⤵PID:5324
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."3⤵PID:5588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe1⤵PID:4764
-
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe2⤵PID:6096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .1⤵PID:4368
-
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exeC:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."3⤵PID:4700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe1⤵PID:1628
-
C:\Windows\uthatnhzvlfbclwoagy.exeuthatnhzvlfbclwoagy.exe2⤵PID:5828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .1⤵PID:2100
-
C:\Windows\uthatnhzvlfbclwoagy.exeuthatnhzvlfbclwoagy.exe .2⤵
- Checks computer location settings
PID:1032 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."3⤵PID:2128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe1⤵PID:3880
-
C:\Windows\wxnidzvpnfbzcnauiqklb.exewxnidzvpnfbzcnauiqklb.exe2⤵PID:5268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .1⤵PID:4016
-
C:\Windows\jhumexqhcrkffnxoze.exejhumexqhcrkffnxoze.exe .2⤵
- Checks computer location settings
PID:1800 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."3⤵PID:5756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe1⤵PID:536
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5408
-
-
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe2⤵PID:2996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .1⤵PID:632
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5976
-
-
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .2⤵PID:1892
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."3⤵PID:2812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe1⤵PID:852
-
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe2⤵PID:4552
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .1⤵PID:5260
-
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exeC:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1144 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe1⤵PID:1264
-
C:\Windows\hhwqkfatqhczblxqdkdd.exehhwqkfatqhczblxqdkdd.exe2⤵PID:4704
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .1⤵PID:5752
-
C:\Windows\hhwqkfatqhczblxqdkdd.exehhwqkfatqhczblxqdkdd.exe .2⤵
- Checks computer location settings
PID:3056 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."3⤵PID:4104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe1⤵PID:1924
-
C:\Windows\wxnidzvpnfbzcnauiqklb.exewxnidzvpnfbzcnauiqklb.exe2⤵PID:2632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .1⤵PID:624
-
C:\Windows\tpaqgxodwjatrxfu.exetpaqgxodwjatrxfu.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1556 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."3⤵PID:4092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe1⤵PID:4532
-
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exeC:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe2⤵PID:1860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .1⤵PID:4380
-
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .2⤵
- Checks computer location settings
PID:552 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."3⤵PID:3340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe1⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe2⤵PID:4316
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .1⤵PID:5072
-
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exeC:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .2⤵PID:3460
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe1⤵PID:4992
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4892
-
-
C:\Windows\jhumexqhcrkffnxoze.exejhumexqhcrkffnxoze.exe2⤵PID:3352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .1⤵PID:2348
-
C:\Windows\uthatnhzvlfbclwoagy.exeuthatnhzvlfbclwoagy.exe .2⤵
- Checks computer location settings
PID:2012 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."3⤵PID:4344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe1⤵PID:3040
-
C:\Windows\tpaqgxodwjatrxfu.exetpaqgxodwjatrxfu.exe2⤵PID:6024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe .1⤵PID:2560
-
C:\Windows\wxnidzvpnfbzcnauiqklb.exewxnidzvpnfbzcnauiqklb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5484 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*."3⤵PID:5592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe1⤵PID:1616
-
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exeC:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe2⤵PID:1240
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .1⤵PID:4732
-
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .2⤵PID:2188
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."3⤵PID:4676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe1⤵PID:2808
-
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exeC:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe2⤵PID:3956
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .1⤵PID:3864
-
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .2⤵PID:3012
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe1⤵PID:3640
-
C:\Windows\uthatnhzvlfbclwoagy.exeuthatnhzvlfbclwoagy.exe2⤵PID:5796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .1⤵PID:5980
-
C:\Windows\tpaqgxodwjatrxfu.exetpaqgxodwjatrxfu.exe .2⤵
- System Location Discovery: System Language Discovery
PID:6056 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."3⤵PID:3944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe1⤵PID:4556
-
C:\Windows\uthatnhzvlfbclwoagy.exeuthatnhzvlfbclwoagy.exe2⤵PID:1068
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe .1⤵PID:4836
-
C:\Windows\wxnidzvpnfbzcnauiqklb.exewxnidzvpnfbzcnauiqklb.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5400 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*."3⤵PID:5996
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe1⤵PID:5688
-
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe2⤵PID:4412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .1⤵PID:4740
-
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1680 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*."3⤵PID:968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe1⤵PID:5212
-
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exeC:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe2⤵PID:5872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .1⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4704 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:6028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe1⤵PID:3912
-
C:\Windows\uthatnhzvlfbclwoagy.exeuthatnhzvlfbclwoagy.exe2⤵PID:4660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .1⤵PID:5516
-
C:\Windows\hhwqkfatqhczblxqdkdd.exehhwqkfatqhczblxqdkdd.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1764 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."3⤵PID:800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe1⤵PID:4172
-
C:\Windows\tpaqgxodwjatrxfu.exetpaqgxodwjatrxfu.exe2⤵PID:1580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .1⤵PID:5200
-
C:\Windows\hhwqkfatqhczblxqdkdd.exehhwqkfatqhczblxqdkdd.exe .2⤵
- Checks computer location settings
PID:624 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."3⤵PID:2636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe1⤵PID:5656
-
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exeC:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe2⤵PID:6048
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .1⤵PID:3540
-
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exeC:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5012 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."3⤵PID:4816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe1⤵PID:2260
-
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exeC:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe2⤵PID:5320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .1⤵PID:4760
-
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .2⤵
- Checks computer location settings
PID:5240 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe1⤵PID:1896
-
C:\Windows\hhwqkfatqhczblxqdkdd.exehhwqkfatqhczblxqdkdd.exe2⤵PID:4344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .1⤵PID:2136
-
C:\Windows\jhumexqhcrkffnxoze.exejhumexqhcrkffnxoze.exe .2⤵
- Checks computer location settings
PID:1816 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."3⤵PID:4012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe1⤵PID:5684
-
C:\Windows\hhwqkfatqhczblxqdkdd.exehhwqkfatqhczblxqdkdd.exe2⤵PID:3064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .1⤵PID:1500
-
C:\Windows\jhumexqhcrkffnxoze.exejhumexqhcrkffnxoze.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2492 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."3⤵PID:3432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe1⤵PID:4528
-
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe2⤵PID:4676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .1⤵PID:672
-
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .2⤵
- Checks computer location settings
PID:224 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."3⤵PID:660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe1⤵PID:3972
-
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe2⤵PID:3476
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .1⤵PID:3292
-
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5268
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe1⤵PID:4756
-
C:\Windows\wxnidzvpnfbzcnauiqklb.exewxnidzvpnfbzcnauiqklb.exe2⤵PID:3156
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .1⤵PID:5584
-
C:\Windows\hhwqkfatqhczblxqdkdd.exehhwqkfatqhczblxqdkdd.exe .2⤵PID:1016
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."3⤵PID:1360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe1⤵PID:5196
-
C:\Windows\uthatnhzvlfbclwoagy.exeuthatnhzvlfbclwoagy.exe2⤵PID:4848
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .1⤵PID:2364
-
C:\Windows\tpaqgxodwjatrxfu.exetpaqgxodwjatrxfu.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4564 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."3⤵PID:6124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe1⤵PID:2516
-
C:\Windows\hhwqkfatqhczblxqdkdd.exehhwqkfatqhczblxqdkdd.exe2⤵PID:5600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .1⤵PID:632
-
C:\Windows\uthatnhzvlfbclwoagy.exeuthatnhzvlfbclwoagy.exe .2⤵
- Checks computer location settings
PID:2480 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."3⤵PID:1368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe1⤵PID:5996
-
C:\Windows\axjarjbrlzrlkraqa.exeaxjarjbrlzrlkraqa.exe2⤵PID:5032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe1⤵PID:5548
-
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe2⤵PID:1808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe1⤵PID:6104
-
C:\Windows\uthatnhzvlfbclwoagy.exeuthatnhzvlfbclwoagy.exe2⤵PID:5332
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .1⤵PID:4216
-
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exeC:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4604 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."3⤵PID:4976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .1⤵PID:1004
-
C:\Windows\tpaqgxodwjatrxfu.exetpaqgxodwjatrxfu.exe .2⤵PID:5800
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."3⤵PID:4748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .1⤵PID:2784
-
C:\Windows\jhumexqhcrkffnxoze.exejhumexqhcrkffnxoze.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4596 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."3⤵PID:3948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe1⤵PID:744
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4104
-
-
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exeC:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe2⤵PID:4100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .1⤵PID:3912
-
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exeC:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .2⤵
- Checks computer location settings
PID:5308 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."3⤵PID:3744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe1⤵PID:4220
-
C:\Windows\jhumexqhcrkffnxoze.exejhumexqhcrkffnxoze.exe2⤵PID:1320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe1⤵PID:1764
-
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe2⤵PID:2932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .1⤵PID:1076
-
C:\Windows\jhumexqhcrkffnxoze.exejhumexqhcrkffnxoze.exe .2⤵PID:4744
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."3⤵PID:1492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .1⤵PID:5656
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:624
-
-
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exeC:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .2⤵
- Checks computer location settings
PID:1952 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."3⤵PID:1364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe1⤵PID:512
-
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe2⤵PID:5300
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe1⤵PID:5864
-
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe2⤵PID:2716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .1⤵PID:5068
-
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."3⤵PID:3700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .1⤵PID:5836
-
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3908 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe1⤵PID:3196
-
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe2⤵PID:4764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .1⤵PID:4952
-
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exeC:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1536 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."3⤵PID:3768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe1⤵PID:6092
-
C:\Windows\uthatnhzvlfbclwoagy.exeuthatnhzvlfbclwoagy.exe2⤵PID:3344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe .1⤵PID:4052
-
C:\Windows\axjarjbrlzrlkraqa.exeaxjarjbrlzrlkraqa.exe .2⤵
- Checks computer location settings
PID:1600 -
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*."3⤵PID:2880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe1⤵PID:4700
-
C:\Windows\jhumexqhcrkffnxoze.exejhumexqhcrkffnxoze.exe2⤵PID:1388
-
-
Process tree, continued (image path | command line | PID; child processes are indented under their parent, signature hits listed beneath the process that triggered them):

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe . | PID:5788
  C:\Windows\hhwqkfatqhczblxqdkdd.exe | hhwqkfatqhczblxqdkdd.exe . | PID:1672
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*." | PID:1376

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | PID:804
  C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | PID:4704

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe . | PID:3672
  C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe . | PID:4728
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*." | PID:4628

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | PID:4564
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3204
  C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | PID:5400

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe . | PID:6000
  C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe | C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe . | PID:5044
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*." | PID:1808
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe | PID:4100
  C:\Windows\wxnidzvpnfbzcnauiqklb.exe | wxnidzvpnfbzcnauiqklb.exe | PID:4284

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe . | PID:4604
  C:\Windows\uthatnhzvlfbclwoagy.exe | uthatnhzvlfbclwoagy.exe . | PID:4968
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*." | PID:5872

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe | PID:1276
  C:\Windows\uthatnhzvlfbclwoagy.exe | uthatnhzvlfbclwoagy.exe | PID:3656

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe . | PID:540
  C:\Windows\tpaqgxodwjatrxfu.exe | tpaqgxodwjatrxfu.exe . | PID:4804
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*." | PID:5560

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | PID:5364
  C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | PID:2348

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe . | PID:6064
  C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe . | PID:5288
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*." | PID:5216

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | PID:1836
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4012
  C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | PID:4992

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe . | PID:3868
  C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe . | PID:5768
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*." | PID:5892
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe | PID:1500
  C:\Windows\jhumexqhcrkffnxoze.exe | jhumexqhcrkffnxoze.exe | PID:3532

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe . | PID:3912
  C:\Windows\uthatnhzvlfbclwoagy.exe | uthatnhzvlfbclwoagy.exe . | PID:5676
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*." | PID:3432

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe | PID:2988
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:6084
  C:\Windows\uthatnhzvlfbclwoagy.exe | uthatnhzvlfbclwoagy.exe | PID:1012

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe . | PID:5188
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1364
  C:\Windows\uthatnhzvlfbclwoagy.exe | uthatnhzvlfbclwoagy.exe . | PID:3196
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*." | PID:4328

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | PID:1660
  C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | PID:5868

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe . | PID:2808
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4684
  C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe . | PID:552
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*." | PID:5700

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | PID:5068
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1220
  C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | PID:6080

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe . | PID:4952
  C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe . | PID:4548
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*." | PID:3960
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe | PID:4928
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2856
  C:\Windows\uthatnhzvlfbclwoagy.exe | uthatnhzvlfbclwoagy.exe | PID:4860

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe . | PID:3528
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:6016
  C:\Windows\jhumexqhcrkffnxoze.exe | jhumexqhcrkffnxoze.exe . | PID:5100
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*." | PID:1388

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe | PID:3552
  C:\Windows\uthatnhzvlfbclwoagy.exe | uthatnhzvlfbclwoagy.exe | PID:4756

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe . | PID:536
  C:\Windows\uthatnhzvlfbclwoagy.exe | uthatnhzvlfbclwoagy.exe . | PID:5976
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*." | PID:5032

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe | PID:4856
  C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe | PID:5428

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe . | PID:1672
  C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe . | PID:4728
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*." | PID:384

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe | PID:3056
  C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe | C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe | PID:4984

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe . | PID:5008
  C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe . | PID:2876
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*." | PID:1664
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe | PID:1636
  C:\Windows\hhwqkfatqhczblxqdkdd.exe | hhwqkfatqhczblxqdkdd.exe | PID:2284

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe . | PID:4284
  C:\Windows\jhumexqhcrkffnxoze.exe | jhumexqhcrkffnxoze.exe . | PID:4100
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*." | PID:3352

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe | PID:1196
  C:\Windows\jhumexqhcrkffnxoze.exe | jhumexqhcrkffnxoze.exe | PID:4060

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe . | PID:5036
  C:\Windows\hhwqkfatqhczblxqdkdd.exe | hhwqkfatqhczblxqdkdd.exe . | PID:2164
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*." | PID:5560

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | PID:1528
  C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | PID:5132

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe . | PID:2496
  C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe . | PID:2464
    - Checks computer location settings
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*." | PID:4652

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe | PID:2212
  C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe | PID:1744

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe . | PID:5308
  C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe . | PID:3260
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*." | PID:3744
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe | PID:4600
  C:\Windows\axjarjbrlzrlkraqa.exe | axjarjbrlzrlkraqa.exe | PID:2140

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe . | PID:4140
  C:\Windows\axjarjbrlzrlkraqa.exe | axjarjbrlzrlkraqa.exe . | PID:3908
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*." | PID:1860

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe | PID:1556
  C:\Windows\jhumexqhcrkffnxoze.exe | jhumexqhcrkffnxoze.exe | PID:4528

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe | PID:3152
  C:\Windows\jhumexqhcrkffnxoze.exe | jhumexqhcrkffnxoze.exe | PID:4580

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe . | PID:4828
  C:\Windows\tpaqgxodwjatrxfu.exe | tpaqgxodwjatrxfu.exe . | PID:1812
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*." | PID:5012

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe . | PID:960
  C:\Windows\wxnidzvpnfbzcnauiqklb.exe | wxnidzvpnfbzcnauiqklb.exe . | PID:5456
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*." | PID:704

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe | PID:3196
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4328
  C:\Windows\jhumexqhcrkffnxoze.exe | jhumexqhcrkffnxoze.exe | PID:2324

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | PID:3952
  C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | PID:1940

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe . | PID:2492
  C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe . | PID:4860
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*." | PID:936

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe | PID:3460
  C:\Windows\axjarjbrlzrlkraqa.exe | axjarjbrlzrlkraqa.exe | PID:3156

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe . | PID:2356
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5300
  C:\Windows\tpaqgxodwjatrxfu.exe | tpaqgxodwjatrxfu.exe . | PID:2112
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*." | PID:4432

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe . | PID:3012
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4952
  C:\Windows\wxnidzvpnfbzcnauiqklb.exe | wxnidzvpnfbzcnauiqklb.exe . | PID:3400
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*." | PID:5332

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | PID:2672
  C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | PID:5024

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe | PID:4960
  C:\Windows\hhwqkfatqhczblxqdkdd.exe | hhwqkfatqhczblxqdkdd.exe | PID:532

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe . | PID:1628
  C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe . | PID:1520
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*." | PID:5560

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | PID:5972
  C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | PID:5920

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe . | PID:2520
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5688
  C:\Windows\jhumexqhcrkffnxoze.exe | jhumexqhcrkffnxoze.exe . | PID:3816
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*." | PID:5036

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe . | PID:5756
  C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe . | PID:4520
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*." | PID:3852

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | PID:3376
  C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | PID:1064

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe . | PID:1548
  C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe | C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe . | PID:632
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*." | PID:4992

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe | PID:5416
  C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe | C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe | PID:6020

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe . | PID:1996
  C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe . | PID:1196
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*." | PID:4892

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe | PID:1088
  C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe | C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe | PID:4880

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe . | PID:4888
  C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe . | PID:1488
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*." | PID:1836

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe | PID:4660
  C:\Windows\axjarjbrlzrlkraqa.exe | axjarjbrlzrlkraqa.exe | PID:4316

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe . | PID:2712
  C:\Windows\jhumexqhcrkffnxoze.exe | jhumexqhcrkffnxoze.exe . | PID:5472
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*." | PID:2508

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe | PID:2632
  C:\Windows\jhumexqhcrkffnxoze.exe | jhumexqhcrkffnxoze.exe | PID:4800

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe . | PID:1516
  C:\Windows\jhumexqhcrkffnxoze.exe | jhumexqhcrkffnxoze.exe . | PID:2988
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*." | PID:1860

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | PID:5964
  C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | PID:3432

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe . | PID:1624
  C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe . | PID:4440
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*." | PID:660

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | PID:2636
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:6108
  C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | PID:2216

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe . | PID:4676
  C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe . | PID:648
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*." | PID:3524

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe | PID:6068
  C:\Windows\hhwqkfatqhczblxqdkdd.exe | hhwqkfatqhczblxqdkdd.exe | PID:6056

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe . | PID:3596
  C:\Windows\hhwqkfatqhczblxqdkdd.exe | hhwqkfatqhczblxqdkdd.exe . | PID:3912
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*." | PID:3424

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe | PID:5188
  C:\Windows\jhumexqhcrkffnxoze.exe | jhumexqhcrkffnxoze.exe | PID:804

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe . | PID:5600
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:936
  C:\Windows\hhwqkfatqhczblxqdkdd.exe | hhwqkfatqhczblxqdkdd.exe . | PID:5024
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*." | PID:672

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | PID:4984
  C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | PID:2112

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe . | PID:2572
  C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe . | PID:1552
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*." | PID:2672

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | PID:2128
  C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | PID:4620

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe . | PID:5920
  C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe . | PID:4548
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*." | PID:3340

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe | PID:408
  C:\Windows\tpaqgxodwjatrxfu.exe | tpaqgxodwjatrxfu.exe | PID:5364

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe . | PID:968
  C:\Windows\jhumexqhcrkffnxoze.exe | jhumexqhcrkffnxoze.exe . | PID:760
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*." | PID:5560

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe | PID:1568
  C:\Windows\wxnidzvpnfbzcnauiqklb.exe | wxnidzvpnfbzcnauiqklb.exe | PID:2012

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe . | PID:5036
  C:\Windows\tpaqgxodwjatrxfu.exe | tpaqgxodwjatrxfu.exe . | PID:5576
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*." | PID:5100

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | PID:1196
  C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | PID:4704

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe . | PID:1360
  C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe . | PID:4232
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*." | PID:744

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | PID:5704
  C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | PID:5032

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe . | PID:5592
  C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe . | PID:3496
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*." | PID:4136

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe | PID:5752
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3056
  C:\Windows\uthatnhzvlfbclwoagy.exe | uthatnhzvlfbclwoagy.exe | PID:6104

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe . | PID:544
  C:\Windows\jhumexqhcrkffnxoze.exe | jhumexqhcrkffnxoze.exe . | PID:4972
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*." | PID:4800

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe | PID:5472
  C:\Windows\axjarjbrlzrlkraqa.exe | axjarjbrlzrlkraqa.exe | PID:4292

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe . | PID:3532
  C:\Windows\axjarjbrlzrlkraqa.exe | axjarjbrlzrlkraqa.exe . | PID:3432
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*." | PID:4816

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe | PID:3172
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:800
  C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe | PID:676

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe . | PID:2140
  C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe . | PID:4164
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*." | PID:5676

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | PID:1616
  C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | PID:2560

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe . | PID:6080
  C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe | C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe . | PID:3976
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*." | PID:3984

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe | PID:2244
  C:\Windows\uthatnhzvlfbclwoagy.exe | uthatnhzvlfbclwoagy.exe | PID:3700

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe . | PID:3040
  C:\Windows\tpaqgxodwjatrxfu.exe | tpaqgxodwjatrxfu.exe . | PID:960
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*." | PID:5868

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe | PID:3912
  C:\Windows\hhwqkfatqhczblxqdkdd.exe | hhwqkfatqhczblxqdkdd.exe | PID:804

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe . | PID:4860
  C:\Windows\uthatnhzvlfbclwoagy.exe | uthatnhzvlfbclwoagy.exe . | PID:3400
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*." | PID:5332

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | PID:5768
  C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | PID:5096

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe . | PID:1144
  C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe | C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe . | PID:5600
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*." | PID:5652

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | PID:5980
  C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe | PID:2572

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe . | PID:4392
  C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe . | PID:4712
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*." | PID:5104

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe | PID:3012
  C:\Windows\jhumexqhcrkffnxoze.exe | jhumexqhcrkffnxoze.exe | PID:1240

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe . | PID:4448
  C:\Windows\hhwqkfatqhczblxqdkdd.exe | hhwqkfatqhczblxqdkdd.exe . | PID:5364
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*." | PID:6088

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe | PID:4464
  C:\Windows\tpaqgxodwjatrxfu.exe | tpaqgxodwjatrxfu.exe | PID:852

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe . | PID:5172
  C:\Windows\axjarjbrlzrlkraqa.exe | axjarjbrlzrlkraqa.exe . | PID:996
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*." | PID:5788

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | PID:4944
  C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | PID:5776

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe . | PID:4840
  C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5756
  C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe | C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe . | PID:1628
    C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe | "C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*." | PID:1924

C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | PID:1892
  C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe | PID:5032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe1⤵PID:5856
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4564
-
-
C:\Windows\uthatnhzvlfbclwoagy.exeuthatnhzvlfbclwoagy.exe2⤵PID:1868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .1⤵PID:4956
-
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .2⤵PID:5216
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."3⤵PID:1664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .1⤵PID:1568
-
C:\Windows\uthatnhzvlfbclwoagy.exeuthatnhzvlfbclwoagy.exe .2⤵PID:5592
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."3⤵PID:5752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe1⤵PID:5672
-
C:\Windows\wxnidzvpnfbzcnauiqklb.exewxnidzvpnfbzcnauiqklb.exe2⤵PID:1480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe1⤵PID:4988
-
C:\Windows\tpaqgxodwjatrxfu.exetpaqgxodwjatrxfu.exe2⤵PID:4868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe .1⤵PID:2496
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6096
-
-
C:\Windows\axjarjbrlzrlkraqa.exeaxjarjbrlzrlkraqa.exe .2⤵PID:4816
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*."3⤵PID:2932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .1⤵PID:2152
-
C:\Windows\hhwqkfatqhczblxqdkdd.exehhwqkfatqhczblxqdkdd.exe .2⤵PID:2184
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."3⤵PID:5320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe1⤵PID:3200
-
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exeC:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe2⤵PID:5108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .1⤵PID:3432
-
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exeC:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .2⤵PID:4092
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."3⤵PID:5588
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe1⤵PID:5280
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5884
-
-
C:\Windows\tpaqgxodwjatrxfu.exetpaqgxodwjatrxfu.exe2⤵PID:3768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe1⤵PID:676
-
C:\Windows\wxnidzvpnfbzcnauiqklb.exewxnidzvpnfbzcnauiqklb.exe2⤵PID:1672
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wxnidzvpnfbzcnauiqklb.exe .1⤵PID:3164
-
C:\Windows\wxnidzvpnfbzcnauiqklb.exewxnidzvpnfbzcnauiqklb.exe .2⤵PID:2448
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\wxnidzvpnfbzcnauiqklb.exe*."3⤵PID:4284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe .1⤵PID:376
-
C:\Windows\axjarjbrlzrlkraqa.exeaxjarjbrlzrlkraqa.exe .2⤵PID:3264
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*."3⤵PID:5412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe1⤵PID:1996
-
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exeC:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe2⤵PID:2516
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe1⤵PID:4000
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6024
-
-
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exeC:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe2⤵PID:1392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .1⤵PID:5836
-
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exeC:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .2⤵PID:5260
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."3⤵PID:5972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .1⤵PID:1580
-
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exeC:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .2⤵PID:5948
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."3⤵PID:5976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe1⤵PID:6056
-
C:\Windows\hhwqkfatqhczblxqdkdd.exehhwqkfatqhczblxqdkdd.exe2⤵PID:5112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .1⤵PID:6012
-
C:\Windows\jhumexqhcrkffnxoze.exejhumexqhcrkffnxoze.exe .2⤵PID:5980
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."3⤵PID:3000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe1⤵PID:5068
-
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exeC:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe2⤵PID:4504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe1⤵PID:5724
-
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exeC:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe2⤵PID:2188
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .1⤵PID:5628
-
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .2⤵PID:1320
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."3⤵PID:3060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .1⤵PID:2380
-
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .2⤵PID:6020
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."3⤵PID:4688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe1⤵PID:5376
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2876
-
-
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe2⤵PID:684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .1⤵PID:2128
-
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exeC:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .2⤵PID:5288
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."3⤵PID:4704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe1⤵PID:4960
-
C:\Windows\uthatnhzvlfbclwoagy.exeuthatnhzvlfbclwoagy.exe2⤵PID:6052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .1⤵PID:5576
-
C:\Windows\uthatnhzvlfbclwoagy.exeuthatnhzvlfbclwoagy.exe .2⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."3⤵PID:2212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe1⤵PID:1224
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1892
-
-
C:\Windows\hhwqkfatqhczblxqdkdd.exehhwqkfatqhczblxqdkdd.exe2⤵PID:1976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .1⤵PID:4696
-
C:\Windows\hhwqkfatqhczblxqdkdd.exehhwqkfatqhczblxqdkdd.exe .2⤵PID:4216
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."3⤵PID:5752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe1⤵PID:4516
-
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exeC:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe2⤵PID:1836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .1⤵PID:5856
-
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exeC:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .2⤵PID:756
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."3⤵PID:4888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe1⤵PID:4544
-
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe2⤵PID:6000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .1⤵PID:1492
-
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exeC:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe .2⤵PID:5700
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\wxnidzvpnfbzcnauiqklb.exe*."3⤵PID:3348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe1⤵PID:648
-
C:\Windows\axjarjbrlzrlkraqa.exeaxjarjbrlzrlkraqa.exe2⤵PID:3960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .1⤵PID:4008
-
C:\Windows\jhumexqhcrkffnxoze.exejhumexqhcrkffnxoze.exe .2⤵PID:544
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."3⤵PID:2988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe1⤵PID:2632
-
C:\Windows\tpaqgxodwjatrxfu.exetpaqgxodwjatrxfu.exe2⤵PID:1860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .1⤵PID:3868
-
C:\Windows\hhwqkfatqhczblxqdkdd.exehhwqkfatqhczblxqdkdd.exe .2⤵PID:1984
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."3⤵PID:4928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe1⤵PID:5648
-
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exeC:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe2⤵PID:4380
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .1⤵PID:3616
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2492
-
-
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exeC:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .2⤵PID:5400
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."3⤵PID:376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe1⤵PID:5780
-
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe2⤵PID:4632
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .1⤵PID:6068
-
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .2⤵PID:704
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."3⤵PID:316
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe1⤵PID:4640
-
C:\Windows\hhwqkfatqhczblxqdkdd.exehhwqkfatqhczblxqdkdd.exe2⤵PID:3928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .1⤵PID:3864
-
C:\Windows\uthatnhzvlfbclwoagy.exeuthatnhzvlfbclwoagy.exe .2⤵PID:1388
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."3⤵PID:3008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe1⤵PID:408
-
C:\Windows\axjarjbrlzrlkraqa.exeaxjarjbrlzrlkraqa.exe2⤵PID:5304
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .1⤵PID:5332
-
C:\Windows\hhwqkfatqhczblxqdkdd.exehhwqkfatqhczblxqdkdd.exe .2⤵PID:5628
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."3⤵PID:1804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe1⤵PID:3672
-
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exeC:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe2⤵PID:6008
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .1⤵PID:384
-
C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exeC:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .2⤵PID:5800
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\uthatnhzvlfbclwoagy.exe*."3⤵PID:4948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe1⤵PID:5964
-
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exeC:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe2⤵PID:6080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .1⤵PID:1536
-
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .2⤵PID:1832
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."3⤵PID:4016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe1⤵PID:620
-
C:\Windows\hhwqkfatqhczblxqdkdd.exehhwqkfatqhczblxqdkdd.exe2⤵PID:2164
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .1⤵PID:1624
-
C:\Windows\tpaqgxodwjatrxfu.exetpaqgxodwjatrxfu.exe .2⤵PID:864
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."3⤵PID:1480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe1⤵PID:1628
-
C:\Windows\uthatnhzvlfbclwoagy.exeuthatnhzvlfbclwoagy.exe2⤵PID:4608
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .1⤵PID:4960
-
C:\Windows\hhwqkfatqhczblxqdkdd.exehhwqkfatqhczblxqdkdd.exe .2⤵PID:3340
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."3⤵PID:2116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe1⤵PID:1016
-
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe2⤵PID:1892
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .1⤵PID:3688
-
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .2⤵PID:3496
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."3⤵PID:4992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe1⤵PID:5216
-
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe2⤵PID:1688
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .1⤵PID:1456
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:6028
-
-
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exeC:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .2⤵PID:2368
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."3⤵PID:4912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe1⤵PID:5396
-
C:\Windows\axjarjbrlzrlkraqa.exeaxjarjbrlzrlkraqa.exe2⤵PID:2636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe .1⤵PID:5484
-
C:\Windows\tpaqgxodwjatrxfu.exetpaqgxodwjatrxfu.exe .2⤵PID:464
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tpaqgxodwjatrxfu.exe*."3⤵PID:3908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe1⤵PID:1488
-
C:\Windows\uthatnhzvlfbclwoagy.exeuthatnhzvlfbclwoagy.exe2⤵PID:5448
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .1⤵PID:2600
-
C:\Windows\hhwqkfatqhczblxqdkdd.exehhwqkfatqhczblxqdkdd.exe .2⤵PID:1216
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."3⤵PID:3532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe1⤵PID:4596
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4344
-
-
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exeC:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe2⤵PID:3952
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .1⤵PID:4008
-
C:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exeC:\Users\Admin\AppData\Local\Temp\axjarjbrlzrlkraqa.exe .2⤵PID:2992
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\axjarjbrlzrlkraqa.exe*."3⤵PID:3264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe1⤵PID:3476
-
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exeC:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe2⤵PID:4924
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .1⤵PID:2152
-
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exeC:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .2⤵PID:512
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\hhwqkfatqhczblxqdkdd.exe*."3⤵PID:4504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe1⤵PID:5096
-
C:\Windows\tpaqgxodwjatrxfu.exetpaqgxodwjatrxfu.exe2⤵PID:5268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe .1⤵PID:1552
-
C:\Windows\axjarjbrlzrlkraqa.exeaxjarjbrlzrlkraqa.exe .2⤵PID:4324
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*."3⤵PID:1856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe1⤵PID:1220
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3196
-
-
C:\Windows\uthatnhzvlfbclwoagy.exeuthatnhzvlfbclwoagy.exe2⤵PID:5040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe1⤵PID:5064
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3156
-
-
C:\Windows\jhumexqhcrkffnxoze.exejhumexqhcrkffnxoze.exe2⤵PID:3008
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe .1⤵PID:4640
-
C:\Windows\hhwqkfatqhczblxqdkdd.exehhwqkfatqhczblxqdkdd.exe .2⤵PID:3864
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\hhwqkfatqhczblxqdkdd.exe*."3⤵PID:2260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .1⤵PID:1276
-
C:\Windows\uthatnhzvlfbclwoagy.exeuthatnhzvlfbclwoagy.exe .2⤵PID:5256
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."3⤵PID:1832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe1⤵PID:4548
-
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exeC:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe2⤵PID:2716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c tpaqgxodwjatrxfu.exe1⤵PID:4684
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3944
-
-
C:\Windows\tpaqgxodwjatrxfu.exetpaqgxodwjatrxfu.exe2⤵PID:6124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe1⤵PID:5768
-
C:\Windows\axjarjbrlzrlkraqa.exeaxjarjbrlzrlkraqa.exe2⤵PID:3204
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .1⤵PID:4836
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5332
-
-
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .2⤵PID:3684
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."3⤵PID:540
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uthatnhzvlfbclwoagy.exe .1⤵PID:4220
-
C:\Windows\uthatnhzvlfbclwoagy.exeuthatnhzvlfbclwoagy.exe .2⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\uthatnhzvlfbclwoagy.exe*."3⤵PID:744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c axjarjbrlzrlkraqa.exe .1⤵PID:5800
-
C:\Windows\axjarjbrlzrlkraqa.exeaxjarjbrlzrlkraqa.exe .2⤵PID:5764
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\axjarjbrlzrlkraqa.exe*."3⤵PID:3528
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe1⤵PID:6012
-
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe2⤵PID:5360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .1⤵PID:1520
-
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe .2⤵PID:4536
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\tpaqgxodwjatrxfu.exe*."3⤵PID:2464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe1⤵PID:2768
-
C:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exeC:\Users\Admin\AppData\Local\Temp\tpaqgxodwjatrxfu.exe2⤵PID:5132
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c hhwqkfatqhczblxqdkdd.exe1⤵PID:2096
-
C:\Windows\hhwqkfatqhczblxqdkdd.exehhwqkfatqhczblxqdkdd.exe2⤵PID:3496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .1⤵PID:3816
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:968
-
-
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .2⤵PID:4360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhumexqhcrkffnxoze.exe .1⤵PID:4284
-
C:\Windows\jhumexqhcrkffnxoze.exejhumexqhcrkffnxoze.exe .2⤵PID:4216
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\jhumexqhcrkffnxoze.exe*."3⤵PID:4968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe1⤵PID:1084
-
C:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exeC:\Users\Admin\AppData\Local\Temp\wxnidzvpnfbzcnauiqklb.exe2⤵PID:5308
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe1⤵PID:5668
-
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exeC:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe2⤵PID:4012
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .1⤵PID:2196
-
C:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exeC:\Users\Admin\AppData\Local\Temp\hhwqkfatqhczblxqdkdd.exe .2⤵PID:2708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .1⤵PID:3444
-
C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exeC:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe .2⤵PID:4868
-
C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jhumexqhcrkffnxoze.exe*."3⤵PID:5676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhumexqhcrkffnxoze.exe1⤵PID:4516
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uthatnhzvlfbclwoagy.exe .1⤵PID:1496
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads

Filesize: 280B
MD5: 2e3d36e67888255e81d42a7a2ee99f33
SHA1: c4ae8426543eb8ab823a66953c7925a86578f96a
SHA256: a2f7618d0320242e907106ff3b41e6ab4a21bfa23d2c8ba3e692756fe61ff3d9
SHA512: 552344e546e019eeff9f6f689651c56f5030e4ccb6a20064b6a994733c02798553c1974ef5ca255f62288a184a50af31c7111b939eb83ff66ede0bd73c254537

Filesize: 280B
MD5: e1de8676ad80893e57a4fc4fbbccc99b
SHA1: cc9c57abf5289bf7cf1edf262b6e38c78201be70
SHA256: f200885998e7f72bd2b81968db7b29bf67950d0520d206b17de7fcafaa4a7478
SHA512: 74c65539d7ccd72440df26902cfaa6cf13d91814485edbbb7044ae404cbe55d8bddb9519c9d9b18286a0279b1345f33a6820acc7fa26ed9601eec35e7ed100cc

Filesize: 280B
MD5: e16243ab4bfdd9863ac814d6a98eeee4
SHA1: 59fbfd444729f6385e54baa3e51e93b52be719e2
SHA256: 6b8150a511584bb6415700707abcaede53c6a1b098842e369f0efce19d47cab4
SHA512: 146b398c880f0a60849668776fa9922388c53d0dcd43b4a60b2f08956a2e4efdaef3b26b3fab71a675edd0040826e4d1ab74bac749f98f5f343a40ff9cefd43c

Filesize: 280B
MD5: 036947fa848999b46e716e77f12162f5
SHA1: 93a98886d66b09a92db40bc19ca183697d9e8654
SHA256: ca5b542a622bae59d9be14eb816dd259fa403ff7e683b30303cf4b01de491f5c
SHA512: 7924a67d74e2dd7aa7553ddca4b8cfc55d272d793ee731ffbf76b89a7b8f888d1e6634d76a9d1766413c786ae3824361301aff68adca5d406fe8d5e8603e67cc

Filesize: 320KB
MD5: 1bfab26466074e48dbf0d35886b0929d
SHA1: 849d8dc497d1ba446ba748e9e579885573f7247a
SHA256: 8d366cb18fdc73a1f5247e36ae1a049a2f04ca997a2c982d4785b1b263023511
SHA512: c126cfdd6281805cc7ac0d269981e616f89d66021876370cc75581cf329573095329919738d51a163e2b3399876bf6413348a4ebac9e14e96ccd07ecc1def0d8

Filesize: 732KB
MD5: 2ef8661866c21e2bd6d43351fb4d9021
SHA1: 9c1788f29cabe212af943e1b73ab5c7bcbfb9aaa
SHA256: 7c2d79e1f350f1f0a9f34ddb7f3944ba06e7a7c59480cd3feb705093286c9115
SHA512: 1ce99538aee6aa4a4972abdcbfaecb36bf8d9cd2c92520ab3308dbbf467f0a4f737fc370c8127f3f03f34f3f82c368a508180d016d3319f6146d002b22a16807

Filesize: 4KB
MD5: 62fd636fe768981cc8279437a0a76594
SHA1: fbde71dd35f1a5d6e180eeeb75afa99efe8559af
SHA256: 2f4418ebdc18ddd5d10eee073cfb128054e833b75ae645a5ad1fbebf0beb133e
SHA512: 1798ed912de4f4d8bf1c870c9ec1b56c953b3836d702a790ae7d3f244aeed01d86cc0057b7ba91c685a34feacb971625b130a2f9cccda8f5eb976de16c49a922

Filesize: 280B
MD5: c0a9e3512d04736fcedeac2493480e12
SHA1: 7dc964fcf841e63b0d15b09baad440361e47b22d
SHA256: c69a5a336cf04f8273e18e47d69dc45272679ae83b1e34806b1e2617f799d502
SHA512: be5ad815b667e09a4e5a630b5c149e08101d6cc418f92ad1033101bf6ce5d5c60dda196331606c0b27f873f99074c79444685bf3a42d7d045b9b3cf6f638c234

Filesize: 968KB
MD5: bbd7b871140426c0f77e65b9c18dbcf1
SHA1: f107fdc5b346882994efb09ba63b85e696679e4d
SHA256: 2e69cd89b60105229d7465e33802b3ff410aa6c470320732b23b88fa48572f9b
SHA512: c30ec761442c26b0f8c86eae2aebbd09c864a2587a27ca300b7c4669eb91efd88a2a05aae21020ae3c08ba690f472a551bc85b9d83967160758aaa3c9c6ff322