Analysis
- max time kernel: 41s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20250313-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250313-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/04/2025, 02:23
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
- Resource: win10v2004-20250313-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
- Resource: win11-20250410-en
General
- Target: JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
- Size: 488KB
- MD5: bc2c2e6019e42289641123c2db3584dc
- SHA1: e7b2c809bf63f0a3a362b2b5e4930a5a1b5c7d9b
- SHA256: 9223f4748f528658ba3ac30515cf3ac1817677baaf345441d021e98ebd8891af
- SHA512: f31491a41da42f042c41060fa394c5fe36afcb9edb1507d1119936c9f26c79b5a90945393d532b817f1b8007989800e1b823766673f3704154b32cb4ae99af6b
- SSDEEP: 6144:tto07dgp0+5+ylPtRIQdS6VjKQ8tQYtagbr4rPYyUQTB2I/51pftDKHpDbU69SWX:jo07g+aP5KR5EJUQTB2OfDKC7WccSop
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 19 IoCs)
- Pykspa family
- UAC bypass (3 TTPs, 28 IoCs)
- Detect Pykspa worm (2 IoCs)
  - resource: behavioral1/files/0x0007000000023710-4.dat, yara_rule: family_pykspa
  - resource: behavioral1/files/0x000a00000001eb9d-83.dat, yara_rule: family_pykspa
- Adds policy Run key to start application (2 TTPs, 62 IoCs)
- Disables RegEdit via registry modification (6 IoCs)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: knablo.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: knablo.exe)
  - Set value (int) \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: myjtkkdhwit.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: myjtkkdhwit.exe)
  - Set value (int) \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: knablo.exe)
  - Set value (int) \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: knablo.exe)
- Checks computer location settings (2 TTPs, 64 IoCs)
  Looks up the country code configured in the registry, likely as a geofence check.
- Executes dropped EXE (64 IoCs)
- Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
  - Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc (process: knablo.exe)
  - Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power (process: knablo.exe)
  - Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys (process: knablo.exe)
  - Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc (process: knablo.exe)
  - Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager (process: knablo.exe)
  - Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys (process: knablo.exe)
- Adds Run key to start application (2 TTPs, 64 IoCs)
myjtkkdhwit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wduznuioyd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drpbwkfsjvneurxwg.exe" knablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wduznuioyd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drpbwkfsjvneurxwg.exe" myjtkkdhwit.exe Set value (str) \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zbnnw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrtjiazqlbxsmnxaoskmc.exe ." myjtkkdhwit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qrcb = "mbanjyuiangypnuufg.exe" myjtkkdhwit.exe Set value (str) \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mrgjvamq = "drpbwkfsjvneurxwg.exe ." knablo.exe Set value (str) \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xbprcgr = "kbcrpgeuodyslluwjmde.exe" knablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\djzdqwjox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mbanjyuiangypnuufg.exe ." knablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\djzdqwjox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wjgrlyseufwmbxca.exe ." myjtkkdhwit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zbnnw = "xnnbyolathbumltugiy.exe ." myjtkkdhwit.exe Set value (str) \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qrcb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wjgrlyseufwmbxca.exe" myjtkkdhwit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zbnnw = "zrtjiazqlbxsmnxaoskmc.exe ." 
myjtkkdhwit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wduznuioyd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wjgrlyseufwmbxca.exe" myjtkkdhwit.exe Set value (str) \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qrcb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wjgrlyseufwmbxca.exe" myjtkkdhwit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qrcb = "wjgrlyseufwmbxca.exe" knablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\djzdqwjox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrtjiazqlbxsmnxaoskmc.exe ." myjtkkdhwit.exe Set value (str) \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zbnnw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbcrpgeuodyslluwjmde.exe ." knablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qrcb = "drpbwkfsjvneurxwg.exe" myjtkkdhwit.exe Set value (str) \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mrgjvamq = "kbcrpgeuodyslluwjmde.exe ." myjtkkdhwit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wduznuioyd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wjgrlyseufwmbxca.exe" knablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zbnnw = "xnnbyolathbumltugiy.exe ." myjtkkdhwit.exe Set value (str) \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qrcb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrtjiazqlbxsmnxaoskmc.exe" myjtkkdhwit.exe Set value (str) \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mrgjvamq = "kbcrpgeuodyslluwjmde.exe ." 
myjtkkdhwit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\djzdqwjox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xnnbyolathbumltugiy.exe ." myjtkkdhwit.exe Set value (str) \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qrcb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drpbwkfsjvneurxwg.exe" knablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wduznuioyd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drpbwkfsjvneurxwg.exe" myjtkkdhwit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qrcb = "xnnbyolathbumltugiy.exe" knablo.exe -
Checks whether UAC is enabled 1 TTPs 38 IoCs
Reads and writes EnableLUA under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The rows below mix plain reads ("Key value queried") with writes of 0; EnableLUA = 0 switches User Account Control off entirely once the machine is restarted, so this is UAC tampering rather than a mere check.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" knablo.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA knablo.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA myjtkkdhwit.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA myjtkkdhwit.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA myjtkkdhwit.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA myjtkkdhwit.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA myjtkkdhwit.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" knablo.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA myjtkkdhwit.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA myjtkkdhwit.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA myjtkkdhwit.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA myjtkkdhwit.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA knablo.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Sets EnableInstallerDetection to 0, which turns off UAC's heuristic installer detection (the "Detect application installations and prompt for elevation" policy); installers run by standard users then no longer trigger an elevation prompt.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" knablo.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" knablo.exe
-
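The registry tables above (Run/RunOnce autoruns, the Winlogon Shell value, EnableLUA and EnableInstallerDetection) are what the sandbox emits, not what an analyst wants to read: the same writes recur dozens of times across two processes. The following Python is an added example, not part of this report or of any sandbox's own code. It parses rows in the report's own format (tolerating the run-on single-line layout), maps the native \REGISTRY\MACHINE and \REGISTRY\USER\<SID> prefixes to a hive name, and reduces the events to distinct findings: autorun entries with the dropped file name they point at, Winlogon Shell changes, and UAC policy values set to 0. The six sample rows are constructed by copying rows from the tables above; the finding categories and the wording of the UAC findings are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: six rows copied from the report's registry tables, in the
# sandbox's run-on layout (several rows on one line). The parser also accepts
# one row per line.
SAMPLE = (
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qrcb = "mbanjyuiangypnuufg.exe" myjtkkdhwit.exe '
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zbnnw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrtjiazqlbxsmnxaoskmc.exe ." knablo.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe '
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA knablo.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" knablo.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" knablo.exe'
)

# One row is either a write ('Set value (type) KEY = "VALUE" PROCESS') or a
# read ('Key value queried KEY PROCESS'). Key paths may contain spaces
# ("Windows NT"), so the key is matched non-greedily up to the next column.
ROW = re.compile(
    r'Set value \((?P<type>str|int)\) (?P<skey>\\REGISTRY\\.+?) = "(?P<value>.*?)" (?P<sproc>\S+?\.exe)(?=\s|$)'
    r'|Key value queried (?P<qkey>\\REGISTRY\\.+?) (?P<qproc>\S+?\.exe)(?=\s|$)'
)

AUTORUN = re.compile(r'\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$', re.I)
WINLOGON_SHELL = re.compile(r'\\Winlogon\\Shell$', re.I)
# Wording of these findings is this example's own.
UAC_POLICY = {
    'EnableLUA': 'UAC disabled (effective after next reboot)',
    'EnableInstallerDetection': 'UAC installer-detection prompts disabled',
}


@dataclass(frozen=True)
class RegEvent:
    op: str               # "set" or "query"
    key: str              # native path, e.g. \REGISTRY\MACHINE\...
    value: Optional[str]  # None for queries
    process: str          # image name of the writing/reading process


def parse_rows(text: str) -> list[RegEvent]:
    events = []
    for m in ROW.finditer(text):
        if m.group('skey'):
            events.append(RegEvent('set', m.group('skey'), m.group('value'), m.group('sproc')))
        else:
            events.append(RegEvent('query', m.group('qkey'), None, m.group('qproc')))
    return events


def hive(key: str) -> str:
    # \REGISTRY\MACHINE is HKLM; \REGISTRY\USER\<SID> is that account's HKCU.
    upper = key.upper()
    if upper.startswith(r'\REGISTRY\MACHINE'):
        return 'HKLM'
    if upper.startswith(r'\REGISTRY\USER'):
        return 'HKU'
    return '?'


def basename(value: str) -> str:
    # Autorun values may carry a trailing " ." and doubled backslashes exactly
    # as the sandbox escapes them; keep only the file name.
    return re.split(r'\\+', value.rstrip(' .'))[-1]


def classify(events: list[RegEvent]) -> list[tuple[str, str, str, str]]:
    """Collapse repeated writes into distinct (category, hive, detail, process)."""
    findings = set()
    for e in events:
        if e.op != 'set':
            continue
        leaf = e.key.rsplit('\\', 1)[-1]
        if AUTORUN.search(e.key):
            findings.add(('autorun', hive(e.key), basename(e.value), e.process))
        elif WINLOGON_SHELL.search(e.key):
            findings.add(('winlogon-shell', hive(e.key), e.value, e.process))
        elif leaf in UAC_POLICY and e.value == '0':
            findings.add(('uac-tamper', hive(e.key), UAC_POLICY[leaf], e.process))
    return sorted(findings)


def dropped_binaries(events: list[RegEvent]) -> set[str]:
    """File names the autorun entries point at: the set to hunt for on disk."""
    return {f[2] for f in classify(events) if f[0] == 'autorun'}


if __name__ == '__main__':
    evs = parse_rows(SAMPLE)
    for f in classify(evs):
        print(' | '.join(f))
    print('autorun targets:', sorted(dropped_binaries(evs)))
```

The same classification applies to live telemetry such as Sysmon Event ID 13 (RegistryEvent, value set), whose TargetObject field already uses HKLM/HKU prefixes, so only the path-normalisation step changes.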
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
53 www.whatismyip.ca
12 www.showmyipaddress.com
21 whatismyipaddress.com
44 www.whatismyip.ca
52 www.whatismyip.ca
-
Drops file in System32 directory 64 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\kbcrpgeuodyslluwjmde.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\kbcrpgeuodyslluwjmde.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\mbanjyuiangypnuufg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\zrtjiazqlbxsmnxaoskmc.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\drpbwkfsjvneurxwg.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\mbanjyuiangypnuufg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\xnnbyolathbumltugiy.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\qjmddwwokbyuprcgvatwnn.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\kbcrpgeuodyslluwjmde.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\oxqxnwmugnamxpqkpktmtjsiqcjwitlmgl.pip knablo.exe
File created C:\Windows\SysWOW64\zrtjiazqlbxsmnxaoskmc.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\zrtjiazqlbxsmnxaoskmc.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\drpbwkfsjvneurxwg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\zrtjiazqlbxsmnxaoskmc.exe knablo.exe
File created C:\Windows\SysWOW64\wjgrlyseufwmbxca.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\qjmddwwokbyuprcgvatwnn.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\mbanjyuiangypnuufg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\mbanjyuiangypnuufg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\wjgrlyseufwmbxca.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\wjgrlyseufwmbxca.exe knablo.exe
File opened for modification C:\Windows\SysWOW64\mbanjyuiangypnuufg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\kbcrpgeuodyslluwjmde.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\xnnbyolathbumltugiy.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\drpbwkfsjvneurxwg.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\xnnbyolathbumltugiy.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\qjmddwwokbyuprcgvatwnn.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\mbanjyuiangypnuufg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\zrtjiazqlbxsmnxaoskmc.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\mbanjyuiangypnuufg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\zrtjiazqlbxsmnxaoskmc.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\mbanjyuiangypnuufg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\xnnbyolathbumltugiy.exe knablo.exe
File opened for modification C:\Windows\SysWOW64\drpbwkfsjvneurxwg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\wjgrlyseufwmbxca.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\xnnbyolathbumltugiy.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\kbcrpgeuodyslluwjmde.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\xnnbyolathbumltugiy.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\zrtjiazqlbxsmnxaoskmc.exe knablo.exe
File opened for modification C:\Windows\SysWOW64\qjmddwwokbyuprcgvatwnn.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\drpbwkfsjvneurxwg.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\xnnbyolathbumltugiy.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\wjgrlyseufwmbxca.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\kbcrpgeuodyslluwjmde.exe knablo.exe
File created C:\Windows\SysWOW64\zrtjiazqlbxsmnxaoskmc.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\kbcrpgeuodyslluwjmde.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\xnnbyolathbumltugiy.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\kbcrpgeuodyslluwjmde.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\xnnbyolathbumltugiy.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\qjmddwwokbyuprcgvatwnn.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\kbcrpgeuodyslluwjmde.exe knablo.exe
File created C:\Windows\SysWOW64\drpbwkfsjvneurxwg.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\drpbwkfsjvneurxwg.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\wjgrlyseufwmbxca.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\wjgrlyseufwmbxca.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\drpbwkfsjvneurxwg.exe knablo.exe
File created C:\Windows\SysWOW64\kbcrpgeuodyslluwjmde.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\mbanjyuiangypnuufg.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\kbcrpgeuodyslluwjmde.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\mbanjyuiangypnuufg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\drpbwkfsjvneurxwg.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\drpbwkfsjvneurxwg.exe myjtkkdhwit.exe
File created C:\Windows\SysWOW64\mbanjyuiangypnuufg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\zrtjiazqlbxsmnxaoskmc.exe myjtkkdhwit.exe
File opened for modification C:\Windows\SysWOW64\drpbwkfsjvneurxwg.exe myjtkkdhwit.exe
-
Drops file in Program Files directory 4 IoCs
description ioc Process
File created C:\Program Files (x86)\bzhdiglijfhiipfoisqyuzx.zaw knablo.exe
File opened for modification C:\Program Files (x86)\oxqxnwmugnamxpqkpktmtjsiqcjwitlmgl.pip knablo.exe
File created C:\Program Files (x86)\oxqxnwmugnamxpqkpktmtjsiqcjwitlmgl.pip knablo.exe
File opened for modification C:\Program Files (x86)\bzhdiglijfhiipfoisqyuzx.zaw knablo.exe
-
Drops file in Windows directory 64 IoCs
description ioc Process
File opened for modification C:\Windows\zrtjiazqlbxsmnxaoskmc.exe myjtkkdhwit.exe
File opened for modification C:\Windows\qjmddwwokbyuprcgvatwnn.exe myjtkkdhwit.exe
File created C:\Windows\zrtjiazqlbxsmnxaoskmc.exe myjtkkdhwit.exe
File opened for modification C:\Windows\kbcrpgeuodyslluwjmde.exe myjtkkdhwit.exe
File opened for modification C:\Windows\mbanjyuiangypnuufg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\xnnbyolathbumltugiy.exe myjtkkdhwit.exe
File opened for modification C:\Windows\wjgrlyseufwmbxca.exe myjtkkdhwit.exe
File opened for modification C:\Windows\zrtjiazqlbxsmnxaoskmc.exe knablo.exe
File opened for modification C:\Windows\xnnbyolathbumltugiy.exe myjtkkdhwit.exe
File opened for modification C:\Windows\wjgrlyseufwmbxca.exe myjtkkdhwit.exe
File opened for modification C:\Windows\mbanjyuiangypnuufg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\wjgrlyseufwmbxca.exe myjtkkdhwit.exe
File opened for modification C:\Windows\drpbwkfsjvneurxwg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\zrtjiazqlbxsmnxaoskmc.exe knablo.exe
File created C:\Windows\xnnbyolathbumltugiy.exe myjtkkdhwit.exe
File opened for modification C:\Windows\zrtjiazqlbxsmnxaoskmc.exe myjtkkdhwit.exe
File opened for modification C:\Windows\zrtjiazqlbxsmnxaoskmc.exe myjtkkdhwit.exe
File opened for modification C:\Windows\qjmddwwokbyuprcgvatwnn.exe myjtkkdhwit.exe
File opened for modification C:\Windows\zrtjiazqlbxsmnxaoskmc.exe myjtkkdhwit.exe
File opened for modification C:\Windows\xnnbyolathbumltugiy.exe myjtkkdhwit.exe
File opened for modification C:\Windows\kbcrpgeuodyslluwjmde.exe myjtkkdhwit.exe
File opened for modification C:\Windows\qjmddwwokbyuprcgvatwnn.exe myjtkkdhwit.exe
File opened for modification C:\Windows\kbcrpgeuodyslluwjmde.exe myjtkkdhwit.exe
File opened for modification C:\Windows\wjgrlyseufwmbxca.exe myjtkkdhwit.exe
File opened for modification C:\Windows\kbcrpgeuodyslluwjmde.exe knablo.exe
File created C:\Windows\oxqxnwmugnamxpqkpktmtjsiqcjwitlmgl.pip knablo.exe
File opened for modification C:\Windows\xnnbyolathbumltugiy.exe myjtkkdhwit.exe
File created C:\Windows\wjgrlyseufwmbxca.exe myjtkkdhwit.exe
File opened for modification C:\Windows\drpbwkfsjvneurxwg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\mbanjyuiangypnuufg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\qjmddwwokbyuprcgvatwnn.exe myjtkkdhwit.exe
File opened for modification C:\Windows\zrtjiazqlbxsmnxaoskmc.exe myjtkkdhwit.exe
File opened for modification C:\Windows\mbanjyuiangypnuufg.exe knablo.exe
File opened for modification C:\Windows\xnnbyolathbumltugiy.exe knablo.exe
File opened for modification C:\Windows\oxqxnwmugnamxpqkpktmtjsiqcjwitlmgl.pip knablo.exe
File opened for modification C:\Windows\wjgrlyseufwmbxca.exe myjtkkdhwit.exe
File opened for modification C:\Windows\qjmddwwokbyuprcgvatwnn.exe myjtkkdhwit.exe
File created C:\Windows\drpbwkfsjvneurxwg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\kbcrpgeuodyslluwjmde.exe myjtkkdhwit.exe
File created C:\Windows\qjmddwwokbyuprcgvatwnn.exe myjtkkdhwit.exe
File opened for modification C:\Windows\mbanjyuiangypnuufg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\zrtjiazqlbxsmnxaoskmc.exe myjtkkdhwit.exe
File opened for modification C:\Windows\zrtjiazqlbxsmnxaoskmc.exe myjtkkdhwit.exe
File opened for modification C:\Windows\xnnbyolathbumltugiy.exe myjtkkdhwit.exe
File opened for modification C:\Windows\kbcrpgeuodyslluwjmde.exe myjtkkdhwit.exe
File opened for modification C:\Windows\qjmddwwokbyuprcgvatwnn.exe myjtkkdhwit.exe
File created C:\Windows\wjgrlyseufwmbxca.exe myjtkkdhwit.exe
File opened for modification C:\Windows\kbcrpgeuodyslluwjmde.exe myjtkkdhwit.exe
File opened for modification C:\Windows\drpbwkfsjvneurxwg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\wjgrlyseufwmbxca.exe myjtkkdhwit.exe
File opened for modification C:\Windows\mbanjyuiangypnuufg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\qjmddwwokbyuprcgvatwnn.exe myjtkkdhwit.exe
File created C:\Windows\drpbwkfsjvneurxwg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\wjgrlyseufwmbxca.exe myjtkkdhwit.exe
File opened for modification C:\Windows\kbcrpgeuodyslluwjmde.exe myjtkkdhwit.exe
File opened for modification C:\Windows\qjmddwwokbyuprcgvatwnn.exe myjtkkdhwit.exe
File opened for modification C:\Windows\kbcrpgeuodyslluwjmde.exe myjtkkdhwit.exe
File opened for modification C:\Windows\drpbwkfsjvneurxwg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\mbanjyuiangypnuufg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\mbanjyuiangypnuufg.exe myjtkkdhwit.exe
File opened for modification C:\Windows\xnnbyolathbumltugiy.exe myjtkkdhwit.exe
File opened for modification C:\Windows\xnnbyolathbumltugiy.exe myjtkkdhwit.exe
File opened for modification C:\Windows\qjmddwwokbyuprcgvatwnn.exe myjtkkdhwit.exe
File created C:\Windows\mbanjyuiangypnuufg.exe myjtkkdhwit.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zrtjiazqlbxsmnxaoskmc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zrtjiazqlbxsmnxaoskmc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wjgrlyseufwmbxca.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kbcrpgeuodyslluwjmde.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xnnbyolathbumltugiy.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wjgrlyseufwmbxca.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mbanjyuiangypnuufg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kbcrpgeuodyslluwjmde.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zrtjiazqlbxsmnxaoskmc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xnnbyolathbumltugiy.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zrtjiazqlbxsmnxaoskmc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zrtjiazqlbxsmnxaoskmc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xnnbyolathbumltugiy.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zrtjiazqlbxsmnxaoskmc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wjgrlyseufwmbxca.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xnnbyolathbumltugiy.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language drpbwkfsjvneurxwg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xnnbyolathbumltugiy.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zrtjiazqlbxsmnxaoskmc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xnnbyolathbumltugiy.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zrtjiazqlbxsmnxaoskmc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language drpbwkfsjvneurxwg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wjgrlyseufwmbxca.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zrtjiazqlbxsmnxaoskmc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wjgrlyseufwmbxca.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mbanjyuiangypnuufg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mbanjyuiangypnuufg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mbanjyuiangypnuufg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mbanjyuiangypnuufg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zrtjiazqlbxsmnxaoskmc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wjgrlyseufwmbxca.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xnnbyolathbumltugiy.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zrtjiazqlbxsmnxaoskmc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mbanjyuiangypnuufg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kbcrpgeuodyslluwjmde.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language drpbwkfsjvneurxwg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xnnbyolathbumltugiy.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wjgrlyseufwmbxca.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kbcrpgeuodyslluwjmde.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xnnbyolathbumltugiy.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kbcrpgeuodyslluwjmde.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mbanjyuiangypnuufg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mbanjyuiangypnuufg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xnnbyolathbumltugiy.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wjgrlyseufwmbxca.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kbcrpgeuodyslluwjmde.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language drpbwkfsjvneurxwg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mbanjyuiangypnuufg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mbanjyuiangypnuufg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language drpbwkfsjvneurxwg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language myjtkkdhwit.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mbanjyuiangypnuufg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wjgrlyseufwmbxca.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mbanjyuiangypnuufg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language drpbwkfsjvneurxwg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kbcrpgeuodyslluwjmde.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language drpbwkfsjvneurxwg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language drpbwkfsjvneurxwg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language drpbwkfsjvneurxwg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language drpbwkfsjvneurxwg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language knablo.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wjgrlyseufwmbxca.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zrtjiazqlbxsmnxaoskmc.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
(64 events, collapsed into consecutive runs in their original order)
2720 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe (14 consecutive events)
5956 knablo.exe (2 consecutive events)
2720 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe (32 consecutive events)
5956 knablo.exe (2 consecutive events)
2720 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe (14 consecutive events)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 5956 knablo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2720 wrote to memory of 4716 2720 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe 90
PID 2720 wrote to memory of 4716 2720 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe 90
PID 2720 wrote to memory of 4716 2720 JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe 90
PID 4340 wrote to memory of 4392 4340 cmd.exe 93
PID 4340 wrote to memory of 4392 4340 cmd.exe 93
PID 4340 wrote to memory of 4392 4340 cmd.exe 93
PID 4488 wrote to memory of 4664 4488 cmd.exe 96
PID 4488 wrote to memory of 4664 4488 cmd.exe 96
PID 4488 wrote to memory of 4664 4488 cmd.exe 96
PID 4664 wrote to memory of 2280 4664 kbcrpgeuodyslluwjmde.exe 99
PID 4664 wrote to memory of 2280 4664 kbcrpgeuodyslluwjmde.exe 99
PID 4664 wrote to memory of 2280 4664 kbcrpgeuodyslluwjmde.exe 99
PID 5776 wrote to memory of 4736 5776 cmd.exe 176
PID 5776 wrote to memory of 4736 5776 cmd.exe 176
PID 5776 wrote to memory of 4736 5776 cmd.exe 176
PID 5020 wrote to memory of 4624 5020 cmd.exe 105
PID 5020 wrote to memory of 4624 5020 cmd.exe 105
PID 5020 wrote to memory of 4624 5020 cmd.exe 105
PID 4212 wrote to memory of 4660 4212 cmd.exe 108
PID 4212 wrote to memory of 4660 4212 cmd.exe 108
PID 4212 wrote to memory of 4660 4212 cmd.exe 108
PID 4624 wrote to memory of 1376 4624 zrtjiazqlbxsmnxaoskmc.exe 109
PID 4624 wrote to memory of 1376 4624 zrtjiazqlbxsmnxaoskmc.exe 109
PID 4624 wrote to memory of 1376 4624 zrtjiazqlbxsmnxaoskmc.exe 109
PID 4576 wrote to memory of 5968 4576 cmd.exe 110
PID 4576 wrote to memory of 5968 4576 cmd.exe 110
PID 4576 wrote to memory of 5968 4576 cmd.exe 110
PID 5968 wrote to memory of 5076 5968 xnnbyolathbumltugiy.exe 111
PID 5968 wrote to memory of 5076 5968 xnnbyolathbumltugiy.exe 111
PID 5968 wrote to memory of 5076 5968 xnnbyolathbumltugiy.exe 111
PID 5604 wrote to memory of 2336 5604 cmd.exe 193
PID 5604 wrote to memory of 2336 5604 cmd.exe 193
PID 5604 wrote to memory of 2336 5604 cmd.exe 193
PID 2480 wrote to memory of 2592 2480 cmd.exe 117
PID 2480 wrote to memory of 2592 2480 cmd.exe 117
PID 2480 wrote to memory of 2592 2480 cmd.exe 117
PID 2592 wrote to memory of 4968 2592 drpbwkfsjvneurxwg.exe 118
PID 2592 wrote to memory of 4968 2592 drpbwkfsjvneurxwg.exe 118
PID 2592 wrote to memory of 4968 2592 drpbwkfsjvneurxwg.exe 118
PID 4716 wrote to memory of 5956 4716 myjtkkdhwit.exe 121
PID 4716 wrote to memory of 5956 4716 myjtkkdhwit.exe 121
PID 4716 wrote to memory of 5956 4716 myjtkkdhwit.exe 121
PID 4716 wrote to memory of 4892 4716 myjtkkdhwit.exe 122
PID 4716 wrote to memory of 4892 4716 myjtkkdhwit.exe 122
PID 4716 wrote to memory of 4892 4716 myjtkkdhwit.exe 122
PID 5636 wrote to memory of 1312 5636 cmd.exe 125
PID 5636 wrote to memory of 1312 5636 cmd.exe 125
PID 5636 wrote to memory of 1312 5636 cmd.exe 125
PID 5556 wrote to memory of 5128 5556 cmd.exe 221
PID 5556 wrote to memory of 5128 5556 cmd.exe 221
PID 5556 wrote to memory of 5128 5556 cmd.exe 221
PID 4800 wrote to memory of 2476 4800 cmd.exe 131
PID 4800 wrote to memory of 2476 4800 cmd.exe 131
PID 4800 wrote to memory of 2476 4800 cmd.exe 131
PID 5664 wrote to memory of 4632 5664 cmd.exe 134
PID 5664 wrote to memory of 4632 5664 cmd.exe 134
PID 5664 wrote to memory of 4632 5664 cmd.exe 134
PID 2476 wrote to memory of 212 2476 wjgrlyseufwmbxca.exe 334
PID 2476 wrote to memory of 212 2476 wjgrlyseufwmbxca.exe 334
PID 2476 wrote to memory of 212 2476 wjgrlyseufwmbxca.exe 334
PID 4632 wrote to memory of 1264 4632 zrtjiazqlbxsmnxaoskmc.exe 140
PID 4632 wrote to memory of 1264 4632 zrtjiazqlbxsmnxaoskmc.exe 140
PID 4632 wrote to memory of 1264 4632 zrtjiazqlbxsmnxaoskmc.exe 140
PID 4032 wrote to memory of 464 4032 cmd.exe 317
-
System policy modification 1 TTPs 64 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" knablo.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" knablo.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System myjtkkdhwit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" knablo.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" knablo.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" knablo.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" knablo.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System myjtkkdhwit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" knablo.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" myjtkkdhwit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" knablo.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System myjtkkdhwit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" myjtkkdhwit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" knablo.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" knablo.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer knablo.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System knablo.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" knablo.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" knablo.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer knablo.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System knablo.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" knablo.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" knablo.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" knablo.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" knablo.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" knablo.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" knablo.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" knablo.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" knablo.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" myjtkkdhwit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System myjtkkdhwit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" myjtkkdhwit.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" myjtkkdhwit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System myjtkkdhwit.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc2c2e6019e42289641123c2db3584dc.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_bc2c2e6019e42289641123c2db3584dc.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4716 -
C:\Users\Admin\AppData\Local\Temp\knablo.exe"C:\Users\Admin\AppData\Local\Temp\knablo.exe" "-C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5956
-
-
C:\Users\Admin\AppData\Local\Temp\knablo.exe"C:\Users\Admin\AppData\Local\Temp\knablo.exe" "-C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:4892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\mbanjyuiangypnuufg.exembanjyuiangypnuufg.exe2⤵
- Executes dropped EXE
PID:4392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\kbcrpgeuodyslluwjmde.exekbcrpgeuodyslluwjmde.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\kbcrpgeuodyslluwjmde.exe*."3⤵
- Executes dropped EXE
PID:2280
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5776 -
C:\Windows\zrtjiazqlbxsmnxaoskmc.exezrtjiazqlbxsmnxaoskmc.exe2⤵
- Executes dropped EXE
PID:4736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\zrtjiazqlbxsmnxaoskmc.exezrtjiazqlbxsmnxaoskmc.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zrtjiazqlbxsmnxaoskmc.exe*."3⤵
- Executes dropped EXE
PID:1376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exeC:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exeC:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5968 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\xnnbyolathbumltugiy.exe*."3⤵
- Executes dropped EXE
PID:5076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5604 -
C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exeC:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe2⤵
- Executes dropped EXE
PID:2336
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exeC:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\drpbwkfsjvneurxwg.exe*."3⤵
- Executes dropped EXE
PID:4968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5636 -
C:\Windows\kbcrpgeuodyslluwjmde.exekbcrpgeuodyslluwjmde.exe2⤵
- Executes dropped EXE
PID:1312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe1⤵
- Suspicious use of WriteProcessMemory
PID:5556 -
C:\Windows\mbanjyuiangypnuufg.exembanjyuiangypnuufg.exe2⤵
- Executes dropped EXE
PID:5128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\wjgrlyseufwmbxca.exewjgrlyseufwmbxca.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wjgrlyseufwmbxca.exe*."3⤵
- Executes dropped EXE
PID:212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe .1⤵
- Suspicious use of WriteProcessMemory
PID:5664 -
C:\Windows\zrtjiazqlbxsmnxaoskmc.exezrtjiazqlbxsmnxaoskmc.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zrtjiazqlbxsmnxaoskmc.exe*."3⤵
- Executes dropped EXE
PID:1264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\kbcrpgeuodyslluwjmde.exekbcrpgeuodyslluwjmde.exe2⤵
- Executes dropped EXE
PID:464
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe .1⤵PID:3000
-
C:\Windows\xnnbyolathbumltugiy.exexnnbyolathbumltugiy.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:760 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\xnnbyolathbumltugiy.exe*."3⤵
- Executes dropped EXE
PID:1116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe1⤵PID:1812
-
C:\Windows\mbanjyuiangypnuufg.exembanjyuiangypnuufg.exe2⤵
- Executes dropped EXE
PID:5708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe1⤵PID:2372
-
C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exeC:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe .1⤵PID:2052
-
C:\Windows\xnnbyolathbumltugiy.exexnnbyolathbumltugiy.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5912 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\xnnbyolathbumltugiy.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .1⤵PID:1212
-
C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exeC:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2132 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\xnnbyolathbumltugiy.exe*."3⤵
- Executes dropped EXE
PID:4412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe1⤵PID:1912
-
C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exeC:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .1⤵PID:3492
-
C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exeC:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5724 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wjgrlyseufwmbxca.exe*."3⤵
- Executes dropped EXE
PID:4308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe1⤵PID:2248
-
C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exeC:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe2⤵
- Executes dropped EXE
PID:4560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .1⤵PID:3668
-
C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exeC:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4788 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zrtjiazqlbxsmnxaoskmc.exe*."3⤵
- Executes dropped EXE
PID:2340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe1⤵PID:5352
-
C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exeC:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe2⤵
- Executes dropped EXE
PID:4736
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .1⤵PID:6004
-
C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exeC:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4556 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zrtjiazqlbxsmnxaoskmc.exe*."3⤵
- Executes dropped EXE
PID:6060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe1⤵PID:5216
-
C:\Windows\mbanjyuiangypnuufg.exembanjyuiangypnuufg.exe2⤵
- Executes dropped EXE
PID:4676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe .1⤵PID:4980
-
C:\Windows\mbanjyuiangypnuufg.exembanjyuiangypnuufg.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:860 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mbanjyuiangypnuufg.exe*."3⤵
- Executes dropped EXE
PID:4580
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe1⤵PID:4276
-
C:\Windows\xnnbyolathbumltugiy.exexnnbyolathbumltugiy.exe2⤵
- Executes dropped EXE
PID:6044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe .1⤵PID:4952
-
C:\Windows\zrtjiazqlbxsmnxaoskmc.exezrtjiazqlbxsmnxaoskmc.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2116 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zrtjiazqlbxsmnxaoskmc.exe*."3⤵
- Executes dropped EXE
PID:2156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe1⤵PID:868
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2336
-
-
C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exeC:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe2⤵
- Executes dropped EXE
PID:3416
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .1⤵PID:732
-
C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exeC:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:852 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zrtjiazqlbxsmnxaoskmc.exe*."3⤵
- Executes dropped EXE
PID:3348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe1⤵PID:6072
-
C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exeC:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5692
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .1⤵PID:4960
-
C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exeC:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:952 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\drpbwkfsjvneurxwg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:6112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe1⤵PID:2576
-
C:\Windows\zrtjiazqlbxsmnxaoskmc.exezrtjiazqlbxsmnxaoskmc.exe2⤵
- Executes dropped EXE
PID:2000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe1⤵PID:5996
-
C:\Windows\mbanjyuiangypnuufg.exembanjyuiangypnuufg.exe2⤵
- Executes dropped EXE
PID:3560
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe .1⤵PID:5540
-
C:\Windows\mbanjyuiangypnuufg.exembanjyuiangypnuufg.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4116 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mbanjyuiangypnuufg.exe*."3⤵
- Executes dropped EXE
PID:4800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe .1⤵PID:4692
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5128
-
-
C:\Windows\zrtjiazqlbxsmnxaoskmc.exezrtjiazqlbxsmnxaoskmc.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5936 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zrtjiazqlbxsmnxaoskmc.exe*."3⤵
- Executes dropped EXE
PID:5304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe1⤵PID:1144
-
C:\Windows\xnnbyolathbumltugiy.exexnnbyolathbumltugiy.exe2⤵
- Executes dropped EXE
PID:872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe1⤵PID:5272
-
C:\Windows\zrtjiazqlbxsmnxaoskmc.exezrtjiazqlbxsmnxaoskmc.exe2⤵
- Executes dropped EXE
PID:384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe .1⤵PID:5796
-
C:\Windows\wjgrlyseufwmbxca.exewjgrlyseufwmbxca.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:760 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wjgrlyseufwmbxca.exe*."3⤵
- Executes dropped EXE
PID:4356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe1⤵PID:5052
-
C:\Windows\zrtjiazqlbxsmnxaoskmc.exezrtjiazqlbxsmnxaoskmc.exe2⤵
- Executes dropped EXE
PID:1996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe .1⤵PID:5060
-
C:\Windows\wjgrlyseufwmbxca.exewjgrlyseufwmbxca.exe .2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3540 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wjgrlyseufwmbxca.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2060
-
-
-

[1] C:\Windows\system32\cmd.exe  (PID 1768)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe  (PID 2448)
      cmdline: C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe
      - Executes dropped EXE

[1] C:\Windows\system32\cmd.exe  (PID 1452)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe  (PID 4544)
      cmdline: C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 3348)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\drpbwkfsjvneurxwg.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 1848)
    cmdline: C:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe .
  [2] C:\Windows\drpbwkfsjvneurxwg.exe  (PID 5644)
      cmdline: drpbwkfsjvneurxwg.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 4724)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\drpbwkfsjvneurxwg.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 3696)
    cmdline: C:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe
  [2] C:\Windows\kbcrpgeuodyslluwjmde.exe  (PID 4396)
      cmdline: kbcrpgeuodyslluwjmde.exe

[1] C:\Windows\system32\cmd.exe  (PID 3028)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe
  [2] C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe  (PID 2236)
      cmdline: C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe

[1] C:\Windows\system32\cmd.exe  (PID 2756)
    cmdline: C:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe .
  [2] C:\Windows\zrtjiazqlbxsmnxaoskmc.exe  (PID 2064)
      cmdline: zrtjiazqlbxsmnxaoskmc.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 4548)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zrtjiazqlbxsmnxaoskmc.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 404)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  (PID 4680)
      cmdline: C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 4524)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mbanjyuiangypnuufg.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 4844)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe
  [2] C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe  (PID 4756)
      cmdline: C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe

[1] C:\Windows\system32\cmd.exe  (PID 2724)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe
  [2] C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe  (PID 5040)
      cmdline: C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe

[1] C:\Windows\system32\cmd.exe  (PID 5024)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  (PID 2960)
      cmdline: C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 4656)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mbanjyuiangypnuufg.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 3780)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe  (PID 2288)
      cmdline: C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 3712)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\kbcrpgeuodyslluwjmde.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 4584)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe
  [2] C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe  (PID 4612)
      cmdline: C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe

[1] C:\Windows\system32\cmd.exe  (PID 4572)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe  (PID 4660)
      cmdline: C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 5408)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\kbcrpgeuodyslluwjmde.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 4420)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe  (PID 4848)
      cmdline: C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe

[1] C:\Windows\system32\cmd.exe  (PID 4532)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe  (PID 5776)
      cmdline: C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 4872)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\kbcrpgeuodyslluwjmde.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 860)
    cmdline: C:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe
  [2] C:\Windows\wjgrlyseufwmbxca.exe  (PID 6096)
      cmdline: wjgrlyseufwmbxca.exe

[1] C:\Windows\system32\cmd.exe  (PID 2744)
    cmdline: C:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe .
  [2] C:\Windows\xnnbyolathbumltugiy.exe  (PID 1780)
      cmdline: xnnbyolathbumltugiy.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 1928)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\xnnbyolathbumltugiy.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 2688)
    cmdline: C:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe
  [2] C:\Windows\zrtjiazqlbxsmnxaoskmc.exe  (PID 5276)
      cmdline: zrtjiazqlbxsmnxaoskmc.exe

[1] C:\Windows\system32\cmd.exe  (PID 5440)
    cmdline: C:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe .
  [2] C:\Windows\xnnbyolathbumltugiy.exe  (PID 5568)
      cmdline: xnnbyolathbumltugiy.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 3836)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\xnnbyolathbumltugiy.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 2176)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe
  [2] C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe  (PID 2808)
      cmdline: C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe

[1] C:\Windows\system32\cmd.exe  (PID 1980)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe  (PID 3560)
      cmdline: C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 5584)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zrtjiazqlbxsmnxaoskmc.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 904)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe
  [2] C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe  (PID 1984)
      cmdline: C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe

[1] C:\Windows\system32\cmd.exe  (PID 4748)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe  (PID 464)
      cmdline: C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 5556)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\drpbwkfsjvneurxwg.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe  (PID 5572)
    cmdline: C:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe
  [2] C:\Windows\drpbwkfsjvneurxwg.exe  (PID 2764)
      cmdline: drpbwkfsjvneurxwg.exe

[1] C:\Windows\system32\cmd.exe  (PID 2700)
    cmdline: C:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe .
  [2] C:\Windows\xnnbyolathbumltugiy.exe  (PID 1308)
      cmdline: xnnbyolathbumltugiy.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 2928)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\xnnbyolathbumltugiy.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 760)
    cmdline: C:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe
  [2] C:\Windows\mbanjyuiangypnuufg.exe  (PID 1240)
      cmdline: mbanjyuiangypnuufg.exe

[1] C:\Windows\system32\cmd.exe  (PID 5052)
    cmdline: C:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe .
  [2] C:\Windows\System32\Conhost.exe  (PID 5708)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\mbanjyuiangypnuufg.exe  (PID 5344)
      cmdline: mbanjyuiangypnuufg.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 5736)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mbanjyuiangypnuufg.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 4024)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe
  [2] C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  (PID 212)
      cmdline: C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe

[1] C:\Windows\system32\cmd.exe  (PID 4640)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .
  [2] C:\Windows\System32\Conhost.exe  (PID 4396)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe  (PID 3876)
      cmdline: C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 5852)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\xnnbyolathbumltugiy.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 5112)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe  (PID 4896)
      cmdline: C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe

[1] C:\Windows\system32\cmd.exe  (PID 6024)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
  [2] C:\Windows\System32\Conhost.exe  (PID 5912)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  (PID 4336)
      cmdline: C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 5648)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mbanjyuiangypnuufg.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe  (PID 1552)
    cmdline: C:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe
  [2] C:\Windows\mbanjyuiangypnuufg.exe  (PID 4732)
      cmdline: mbanjyuiangypnuufg.exe

[1] C:\Windows\system32\cmd.exe  (PID 1868)
    cmdline: C:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe .
  [2] C:\Windows\zrtjiazqlbxsmnxaoskmc.exe  (PID 2372)
      cmdline: zrtjiazqlbxsmnxaoskmc.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 4252)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zrtjiazqlbxsmnxaoskmc.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 4196)
    cmdline: C:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe
  [2] C:\Windows\zrtjiazqlbxsmnxaoskmc.exe  (PID 2412)
      cmdline: zrtjiazqlbxsmnxaoskmc.exe

[1] C:\Windows\system32\cmd.exe  (PID 5544)
    cmdline: C:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe .
  [2] C:\Windows\zrtjiazqlbxsmnxaoskmc.exe  (PID 5216)
      cmdline: zrtjiazqlbxsmnxaoskmc.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 4564)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zrtjiazqlbxsmnxaoskmc.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 4736)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe
  [2] C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe  (PID 5000)
      cmdline: C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe

[1] C:\Windows\system32\cmd.exe  (PID 4576)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  (PID 4980)
      cmdline: C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 5408)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mbanjyuiangypnuufg.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 712)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe
  [2] C:\Windows\System32\Conhost.exe  (PID 5776)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe  (PID 5960)
      cmdline: C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe

[1] C:\Windows\system32\cmd.exe  (PID 3784)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  (PID 6028)
      cmdline: C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 3832)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mbanjyuiangypnuufg.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory

[1] C:\Windows\system32\cmd.exe  (PID 860)
    cmdline: C:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe
  [2] C:\Windows\mbanjyuiangypnuufg.exe  (PID 4664)
      cmdline: mbanjyuiangypnuufg.exe

[1] C:\Windows\system32\cmd.exe  (PID 1772)
    cmdline: C:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe .
  [2] C:\Windows\zrtjiazqlbxsmnxaoskmc.exe  (PID 1284)
      cmdline: zrtjiazqlbxsmnxaoskmc.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 6100)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zrtjiazqlbxsmnxaoskmc.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 3348)
    cmdline: C:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe
  [2] C:\Windows\drpbwkfsjvneurxwg.exe  (PID 4804)
      cmdline: drpbwkfsjvneurxwg.exe

[1] C:\Windows\system32\cmd.exe  (PID 6104)
    cmdline: C:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe .
  [2] C:\Windows\System32\Conhost.exe  (PID 1780)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\xnnbyolathbumltugiy.exe  (PID 5740)
      cmdline: xnnbyolathbumltugiy.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 5700)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\xnnbyolathbumltugiy.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 1944)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe
  [2] C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  (PID 4960)
      cmdline: C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe

[1] C:\Windows\system32\cmd.exe  (PID 2688)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe  (PID 2352)
      cmdline: C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 6064)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\kbcrpgeuodyslluwjmde.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 1664)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe
  [2] C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe  (PID 5672)
      cmdline: C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe

[1] C:\Windows\system32\cmd.exe  (PID 2176)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  (PID 1312)
      cmdline: C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 5584)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mbanjyuiangypnuufg.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe  (PID 1984)
    cmdline: C:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe
  [2] C:\Windows\kbcrpgeuodyslluwjmde.exe  (PID 5088)
      cmdline: kbcrpgeuodyslluwjmde.exe

[1] C:\Windows\system32\cmd.exe  (PID 464)
    cmdline: C:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe .
  [2] C:\Windows\wjgrlyseufwmbxca.exe  (PID 2804)
      cmdline: wjgrlyseufwmbxca.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 5280)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wjgrlyseufwmbxca.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 4744)
    cmdline: C:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe
  [2] C:\Windows\wjgrlyseufwmbxca.exe  (PID 5304)
      cmdline: wjgrlyseufwmbxca.exe

[1] C:\Windows\system32\cmd.exe  (PID 5452)
    cmdline: C:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe .
  [2] C:\Windows\kbcrpgeuodyslluwjmde.exe  (PID 5068)
      cmdline: kbcrpgeuodyslluwjmde.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 4520)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\kbcrpgeuodyslluwjmde.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 116)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe
  [2] C:\Windows\System32\Conhost.exe  (PID 2448)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe  (PID 2296)
      cmdline: C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe

[1] C:\Windows\system32\cmd.exe  (PID 4072)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe  (PID 760)
      cmdline: C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 2132)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wjgrlyseufwmbxca.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 5736)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe
  [2] C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe  (PID 5180)
      cmdline: C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe

[1] C:\Windows\system32\cmd.exe  (PID 4152)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe  (PID 2572)
      cmdline: C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 5644)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zrtjiazqlbxsmnxaoskmc.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe  (PID 1036)
    cmdline: C:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe
  [2] C:\Windows\mbanjyuiangypnuufg.exe  (PID 4336)
      cmdline: mbanjyuiangypnuufg.exe

[1] C:\Windows\system32\cmd.exe  (PID 3656)
    cmdline: C:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe .
  [2] C:\Windows\xnnbyolathbumltugiy.exe  (PID 2724)
      cmdline: xnnbyolathbumltugiy.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 4580)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\xnnbyolathbumltugiy.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 4384)
    cmdline: C:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe
  [2] C:\Windows\drpbwkfsjvneurxwg.exe  (PID 4196)
      cmdline: drpbwkfsjvneurxwg.exe

[1] C:\Windows\system32\cmd.exe  (PID 4344)
    cmdline: C:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe .
  [2] C:\Windows\drpbwkfsjvneurxwg.exe  (PID 1644)
      cmdline: drpbwkfsjvneurxwg.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 2968)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\drpbwkfsjvneurxwg.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 4584)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe  (PID 4736)
      cmdline: C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe

[1] C:\Windows\system32\cmd.exe  (PID 4108)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe  (PID 4980)
      cmdline: C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 3156)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wjgrlyseufwmbxca.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 4452)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe
  [2] C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe  (PID 5648)
      cmdline: C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe

[1] C:\Windows\system32\cmd.exe  (PID 1384)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe  (PID 6096)
      cmdline: C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 4764)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\drpbwkfsjvneurxwg.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe  (PID 4348)
    cmdline: C:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe
  [2] C:\Windows\drpbwkfsjvneurxwg.exe  (PID 1332)
      cmdline: drpbwkfsjvneurxwg.exe

[1] C:\Windows\system32\cmd.exe  (PID 3492)
    cmdline: C:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe
  [2] C:\Windows\wjgrlyseufwmbxca.exe  (PID 6048)
      cmdline: wjgrlyseufwmbxca.exe

[1] C:\Windows\system32\cmd.exe  (PID 2004)
    cmdline: C:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe .
  [2] C:\Windows\drpbwkfsjvneurxwg.exe  (PID 1916)
      cmdline: drpbwkfsjvneurxwg.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 4228)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\drpbwkfsjvneurxwg.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 388)
    cmdline: C:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe
  [2] C:\Windows\drpbwkfsjvneurxwg.exe  (PID 6104)
      cmdline: drpbwkfsjvneurxwg.exe

[1] C:\Windows\system32\cmd.exe  (PID 4076)
    cmdline: C:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe .
  [2] C:\Windows\wjgrlyseufwmbxca.exe  (PID 5568)
      cmdline: wjgrlyseufwmbxca.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 5140)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wjgrlyseufwmbxca.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 4588)
    cmdline: C:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe
  [2] C:\Windows\mbanjyuiangypnuufg.exe  (PID 4052)
      cmdline: mbanjyuiangypnuufg.exe

[1] C:\Windows\system32\cmd.exe  (PID 380)
    cmdline: C:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe
  [2] C:\Windows\drpbwkfsjvneurxwg.exe  (PID 4016)
      cmdline: drpbwkfsjvneurxwg.exe

[1] C:\Windows\system32\cmd.exe  (PID 5972)
    cmdline: C:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe .
  [2] C:\Windows\zrtjiazqlbxsmnxaoskmc.exe  (PID 4868)
      cmdline: zrtjiazqlbxsmnxaoskmc.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 5556)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zrtjiazqlbxsmnxaoskmc.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 1476)
    cmdline: C:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe .
  [2] C:\Windows\kbcrpgeuodyslluwjmde.exe  (PID 2356)
      cmdline: kbcrpgeuodyslluwjmde.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 4336)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\kbcrpgeuodyslluwjmde.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 5240)
    cmdline: C:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe .
  [2] C:\Windows\drpbwkfsjvneurxwg.exe  (PID 816)
      cmdline: drpbwkfsjvneurxwg.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 4072)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\drpbwkfsjvneurxwg.exe*."
        - Modifies WinLogon for persistence
        - UAC bypass
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System policy modification

[1] C:\Windows\system32\cmd.exe  (PID 2916)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe
  [2] C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  (PID 1896)
      cmdline: C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe

[1] C:\Windows\system32\cmd.exe  (PID 1312)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe
  [2] C:\Windows\System32\Conhost.exe  (PID 4116)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  (PID 1336)
      cmdline: C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe

[1] C:\Windows\system32\cmd.exe  (PID 2176)
    cmdline: C:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe
  [2] C:\Windows\System32\Conhost.exe  (PID 4800)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\xnnbyolathbumltugiy.exe  (PID 4608)
      cmdline: xnnbyolathbumltugiy.exe

[1] C:\Windows\system32\cmd.exe  (PID 3916)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe  (PID 3652)
      cmdline: C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 5448)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wjgrlyseufwmbxca.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 5824)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe  (PID 2472)
      cmdline: C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 5076)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zrtjiazqlbxsmnxaoskmc.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 3392)
    cmdline: C:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe .
  [2] C:\Windows\wjgrlyseufwmbxca.exe  (PID 5204)
      cmdline: wjgrlyseufwmbxca.exe .
      - Checks computer location settings
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 4796)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wjgrlyseufwmbxca.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 984)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe
  [2] C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  (PID 1260)
      cmdline: C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe

[1] C:\Windows\system32\cmd.exe  (PID 2296)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  (PID 5548)
      cmdline: C:\Users\Admin\AppData\Local\Temp\m
banjyuiangypnuufg.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 1948)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mbanjyuiangypnuufg.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 2928)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe
  [2] C:\Windows\System32\Conhost.exe  (PID 4356)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe  (PID 3656)
      cmdline: C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe

[1] C:\Windows\system32\cmd.exe  (PID 4444)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe
  [2] C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe  (PID 4040)
      cmdline: C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe

[1] C:\Windows\system32\cmd.exe  (PID 2660)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe  (PID 4384)
      cmdline: C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 4676)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\drpbwkfsjvneurxwg.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 1116)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  (PID 4252)
      cmdline: C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 4672)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mbanjyuiangypnuufg.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 5312)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe
  [2] C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe  (PID 6124)
      cmdline: C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe

[1] C:\Windows\system32\cmd.exe  (PID 1812)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe  (PID 3712)
      cmdline: C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 5356)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\xnnbyolathbumltugiy.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 5000)
    cmdline: C:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe
  [2] C:\Windows\mbanjyuiangypnuufg.exe  (PID 5592)
      cmdline: mbanjyuiangypnuufg.exe

[1] C:\Windows\system32\cmd.exe  (PID 724)
    cmdline: C:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe .
  [2] C:\Windows\drpbwkfsjvneurxwg.exe  (PID 2776)
      cmdline: drpbwkfsjvneurxwg.exe .
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 3992)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\drpbwkfsjvneurxwg.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 6008)
    cmdline: C:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe
  [2] C:\Windows\drpbwkfsjvneurxwg.exe  (PID 5264)
      cmdline: drpbwkfsjvneurxwg.exe

[1] C:\Windows\system32\cmd.exe  (PID 2908)
    cmdline: C:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe .
  [2] C:\Windows\kbcrpgeuodyslluwjmde.exe  (PID 3492)
      cmdline: kbcrpgeuodyslluwjmde.exe .
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 6064)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\kbcrpgeuodyslluwjmde.exe*."

[1] C:\Windows\system32\cmd.exe  (PID 1832)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe
  [2] C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe  (PID 5440)
      cmdline: C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe

[1] C:\Windows\system32\cmd.exe  (PID 5460)
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .
  [2] C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe  (PID 3996)
      cmdline: C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  (PID 5692)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\xnnbyolathbumltugiy.exe*."
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe1⤵PID:920
-
C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exeC:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe2⤵PID:1140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .1⤵PID:1784
-
C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exeC:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .2⤵PID:2236
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zrtjiazqlbxsmnxaoskmc.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5280
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe1⤵PID:4232
-
C:\Windows\drpbwkfsjvneurxwg.exedrpbwkfsjvneurxwg.exe2⤵PID:5144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe .1⤵PID:4720
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3836
-
-
C:\Windows\drpbwkfsjvneurxwg.exedrpbwkfsjvneurxwg.exe .2⤵PID:4588
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\drpbwkfsjvneurxwg.exe*."3⤵PID:1220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe1⤵PID:4176
-
C:\Windows\mbanjyuiangypnuufg.exembanjyuiangypnuufg.exe2⤵PID:4684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe .1⤵PID:3824
-
C:\Windows\drpbwkfsjvneurxwg.exedrpbwkfsjvneurxwg.exe .2⤵
- Checks computer location settings
PID:4756 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\drpbwkfsjvneurxwg.exe*."3⤵PID:3720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe1⤵PID:3412
-
C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exeC:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe2⤵PID:4580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .1⤵PID:3312
-
C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exeC:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .2⤵
- Checks computer location settings
PID:4740 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wjgrlyseufwmbxca.exe*."3⤵PID:2068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe1⤵PID:2436
-
C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exeC:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe2⤵PID:1476
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .1⤵PID:4904
-
C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exeC:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .2⤵PID:2412
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mbanjyuiangypnuufg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe1⤵PID:3376
-
C:\Windows\kbcrpgeuodyslluwjmde.exekbcrpgeuodyslluwjmde.exe2⤵PID:5936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe .1⤵PID:4736
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1996
-
-
C:\Windows\drpbwkfsjvneurxwg.exedrpbwkfsjvneurxwg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4252 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\drpbwkfsjvneurxwg.exe*."3⤵PID:4480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe1⤵PID:5020
-
C:\Windows\mbanjyuiangypnuufg.exembanjyuiangypnuufg.exe2⤵PID:208
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe .1⤵PID:4672
-
C:\Windows\xnnbyolathbumltugiy.exexnnbyolathbumltugiy.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2188 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\xnnbyolathbumltugiy.exe*."3⤵PID:1116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe1⤵PID:3500
-
C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exeC:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe2⤵PID:1948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .1⤵PID:6004
-
C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exeC:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .2⤵PID:4452
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wjgrlyseufwmbxca.exe*."3⤵PID:5868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe1⤵PID:2660
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3540
-
-
C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exeC:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe2⤵PID:5408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .1⤵PID:4824
-
C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exeC:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .2⤵
- Checks computer location settings
PID:5976 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mbanjyuiangypnuufg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:3940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe1⤵PID:2776
-
C:\Windows\zrtjiazqlbxsmnxaoskmc.exezrtjiazqlbxsmnxaoskmc.exe2⤵PID:5344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe .1⤵PID:4812
-
C:\Windows\mbanjyuiangypnuufg.exembanjyuiangypnuufg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3520 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mbanjyuiangypnuufg.exe*."3⤵PID:4848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe1⤵PID:5932
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3156
-
-
C:\Windows\zrtjiazqlbxsmnxaoskmc.exezrtjiazqlbxsmnxaoskmc.exe2⤵PID:3916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe .1⤵PID:5448
-
C:\Windows\kbcrpgeuodyslluwjmde.exekbcrpgeuodyslluwjmde.exe .2⤵
- Checks computer location settings
PID:848 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\kbcrpgeuodyslluwjmde.exe*."3⤵PID:5504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe1⤵PID:860
-
C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exeC:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe2⤵PID:2484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .1⤵PID:4432
-
C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exeC:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5740 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zrtjiazqlbxsmnxaoskmc.exe*."3⤵PID:5692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe1⤵PID:4808
-
C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exeC:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe2⤵PID:1912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .1⤵PID:1496
-
C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exeC:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2004 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\xnnbyolathbumltugiy.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe1⤵PID:4960
-
C:\Windows\kbcrpgeuodyslluwjmde.exekbcrpgeuodyslluwjmde.exe2⤵PID:2676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe .1⤵PID:1980
-
C:\Windows\zrtjiazqlbxsmnxaoskmc.exezrtjiazqlbxsmnxaoskmc.exe .2⤵
- Checks computer location settings
PID:5652 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zrtjiazqlbxsmnxaoskmc.exe*."3⤵PID:2796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe1⤵PID:4588
-
C:\Windows\xnnbyolathbumltugiy.exexnnbyolathbumltugiy.exe2⤵PID:1112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe .1⤵PID:4608
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4896
-
-
C:\Windows\mbanjyuiangypnuufg.exembanjyuiangypnuufg.exe .2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5240 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mbanjyuiangypnuufg.exe*."3⤵PID:1624
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe1⤵PID:5248
-
C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exeC:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe2⤵PID:3720
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .1⤵PID:4524
-
C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exeC:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5192 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wjgrlyseufwmbxca.exe*."3⤵PID:1668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe1⤵PID:4740
-
C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exeC:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe2⤵PID:4340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .1⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exeC:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .2⤵
- Checks computer location settings
PID:1448 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\drpbwkfsjvneurxwg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe1⤵PID:4564
-
C:\Windows\zrtjiazqlbxsmnxaoskmc.exezrtjiazqlbxsmnxaoskmc.exe2⤵PID:1612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe .1⤵PID:2760
-
C:\Windows\zrtjiazqlbxsmnxaoskmc.exezrtjiazqlbxsmnxaoskmc.exe .2⤵
- Checks computer location settings
PID:5076 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zrtjiazqlbxsmnxaoskmc.exe*."3⤵PID:3080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe1⤵PID:2968
-
C:\Windows\zrtjiazqlbxsmnxaoskmc.exezrtjiazqlbxsmnxaoskmc.exe2⤵PID:840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe1⤵PID:5216
-
C:\Windows\kbcrpgeuodyslluwjmde.exekbcrpgeuodyslluwjmde.exe2⤵PID:660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe .1⤵PID:208
-
C:\Windows\mbanjyuiangypnuufg.exembanjyuiangypnuufg.exe .2⤵
- Checks computer location settings
PID:1984 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mbanjyuiangypnuufg.exe*."3⤵PID:6044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe1⤵PID:712
-
C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exeC:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe2⤵PID:4452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe .1⤵PID:5648
-
C:\Windows\zrtjiazqlbxsmnxaoskmc.exezrtjiazqlbxsmnxaoskmc.exe .2⤵
- Checks computer location settings
PID:2596 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zrtjiazqlbxsmnxaoskmc.exe*."3⤵PID:5024
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .1⤵PID:5824
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:212
-
-
C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exeC:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4040 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wjgrlyseufwmbxca.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe1⤵PID:1812
-
C:\Windows\zrtjiazqlbxsmnxaoskmc.exezrtjiazqlbxsmnxaoskmc.exe2⤵PID:3648
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe1⤵PID:4568
-
C:\Windows\wjgrlyseufwmbxca.exewjgrlyseufwmbxca.exe2⤵PID:3492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe .1⤵PID:1768
-
C:\Windows\drpbwkfsjvneurxwg.exedrpbwkfsjvneurxwg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\drpbwkfsjvneurxwg.exe*."3⤵PID:1220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe1⤵PID:4656
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2572
-
-
C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exeC:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe2⤵PID:5700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe1⤵PID:3992
-
C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exeC:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe2⤵PID:3940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .1⤵PID:5344
-
C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exeC:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2236 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\kbcrpgeuodyslluwjmde.exe*."3⤵PID:4560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe .1⤵PID:4208
-
C:\Windows\wjgrlyseufwmbxca.exewjgrlyseufwmbxca.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wjgrlyseufwmbxca.exe*."3⤵PID:6108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .1⤵PID:440
-
C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exeC:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .2⤵PID:5068
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\drpbwkfsjvneurxwg.exe*."3⤵PID:5424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe1⤵PID:3296
-
C:\Windows\mbanjyuiangypnuufg.exembanjyuiangypnuufg.exe2⤵PID:5796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe .1⤵PID:2688
-
C:\Windows\kbcrpgeuodyslluwjmde.exekbcrpgeuodyslluwjmde.exe .2⤵PID:2040
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\kbcrpgeuodyslluwjmde.exe*."3⤵PID:4868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe1⤵PID:860
-
C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exeC:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe2⤵PID:4544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe1⤵PID:5536
-
C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exeC:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe2⤵PID:3968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .1⤵PID:6104
-
C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exeC:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .2⤵PID:3900
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\drpbwkfsjvneurxwg.exe*."3⤵PID:2604
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .1⤵PID:2064
-
C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exeC:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .2⤵PID:2432
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\drpbwkfsjvneurxwg.exe*."3⤵PID:4632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe1⤵PID:2400
-
C:\Windows\mbanjyuiangypnuufg.exembanjyuiangypnuufg.exe2⤵PID:3424
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe1⤵PID:4600
-
C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exeC:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe2⤵PID:4904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe .1⤵PID:4280
-
C:\Windows\kbcrpgeuodyslluwjmde.exekbcrpgeuodyslluwjmde.exe .2⤵PID:1428
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\kbcrpgeuodyslluwjmde.exe*."3⤵PID:5892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .1⤵PID:4256
-
C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exeC:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .2⤵PID:1380
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\drpbwkfsjvneurxwg.exe*."3⤵PID:3376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe1⤵PID:2280
-
C:\Windows\wjgrlyseufwmbxca.exewjgrlyseufwmbxca.exe2⤵PID:4536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe .1⤵PID:404
-
C:\Windows\mbanjyuiangypnuufg.exembanjyuiangypnuufg.exe .2⤵PID:4340
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mbanjyuiangypnuufg.exe*."3⤵PID:4296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe1⤵PID:904
-
C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exeC:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe2⤵PID:4036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .1⤵PID:2724
-
C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exeC:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .2⤵PID:5276
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zrtjiazqlbxsmnxaoskmc.exe*."3⤵PID:2000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe1⤵PID:1612
-
C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exeC:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe2⤵PID:1376
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .1⤵PID:4564
-
C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exeC:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .2⤵PID:4712
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zrtjiazqlbxsmnxaoskmc.exe*."3⤵PID:4452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe1⤵PID:4412
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4980
-
-
C:\Windows\kbcrpgeuodyslluwjmde.exekbcrpgeuodyslluwjmde.exe2⤵PID:4824
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe .1⤵PID:4460
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1664
-
-
C:\Windows\xnnbyolathbumltugiy.exexnnbyolathbumltugiy.exe .2⤵PID:4116
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\xnnbyolathbumltugiy.exe*."3⤵PID:2884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe1⤵PID:4396
-
C:\Windows\zrtjiazqlbxsmnxaoskmc.exezrtjiazqlbxsmnxaoskmc.exe2⤵PID:4100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe .1⤵PID:5648
-
C:\Windows\drpbwkfsjvneurxwg.exedrpbwkfsjvneurxwg.exe .2⤵PID:4900
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\drpbwkfsjvneurxwg.exe*."3⤵PID:4544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe1⤵PID:1728
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5852
-
-
C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exeC:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe2⤵PID:1140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .1⤵PID:6052
-
C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exeC:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .2⤵PID:4484
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zrtjiazqlbxsmnxaoskmc.exe*."3⤵PID:860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe1⤵PID:4616
-
C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exeC:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe2⤵PID:4656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .1⤵PID:3084
-
C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exeC:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .2⤵PID:3020
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\drpbwkfsjvneurxwg.exe*."3⤵PID:1032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe1⤵PID:1500
-
C:\Windows\mbanjyuiangypnuufg.exembanjyuiangypnuufg.exe2⤵PID:5136
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe .1⤵PID:1432
-
C:\Windows\mbanjyuiangypnuufg.exembanjyuiangypnuufg.exe .2⤵PID:2600
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mbanjyuiangypnuufg.exe*."3⤵PID:5644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe1⤵PID:3296
-
C:\Windows\kbcrpgeuodyslluwjmde.exekbcrpgeuodyslluwjmde.exe2⤵PID:3412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe .1⤵PID:1036
-
C:\Windows\kbcrpgeuodyslluwjmde.exekbcrpgeuodyslluwjmde.exe .2⤵PID:936
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\kbcrpgeuodyslluwjmde.exe*."3⤵PID:3252
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe1⤵PID:6100
-
C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exeC:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe2⤵PID:4820
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .1⤵PID:2028
-
C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exeC:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .2⤵PID:5252
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wjgrlyseufwmbxca.exe*."3⤵PID:2688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe1⤵PID:4536
-
C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exeC:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe2⤵PID:1428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .1⤵PID:5996
-
C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exeC:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .2⤵PID:4264
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\xnnbyolathbumltugiy.exe*."3⤵PID:1820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe1⤵PID:992
-
C:\Windows\mbanjyuiangypnuufg.exembanjyuiangypnuufg.exe2⤵PID:4340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe .1⤵PID:5904
-
C:\Windows\mbanjyuiangypnuufg.exembanjyuiangypnuufg.exe .2⤵PID:3964
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mbanjyuiangypnuufg.exe*."3⤵PID:3272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe1⤵PID:4016
-
C:\Windows\wjgrlyseufwmbxca.exewjgrlyseufwmbxca.exe2⤵PID:4960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe .1⤵PID:3560
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2724
-
-
C:\Windows\xnnbyolathbumltugiy.exexnnbyolathbumltugiy.exe .2⤵PID:5588
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\xnnbyolathbumltugiy.exe*."3⤵PID:4796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe1⤵PID:1068
-
C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exeC:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe2⤵PID:5032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .1⤵PID:5088
-
C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exeC:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .2⤵PID:1616
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\xnnbyolathbumltugiy.exe*."3⤵PID:2448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe1⤵PID:4252
-
C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exeC:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe2⤵PID:5020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .1⤵PID:2116
-
C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exeC:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .2⤵PID:5704
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\kbcrpgeuodyslluwjmde.exe*."3⤵PID:4012
-
-
-
C:\Windows\system32\cmd.exe  [PID 1784]  C:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe
    C:\Windows\zrtjiazqlbxsmnxaoskmc.exe  [PID 956]  zrtjiazqlbxsmnxaoskmc.exe

C:\Windows\system32\cmd.exe  [PID 208]  C:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe .
    C:\Windows\xnnbyolathbumltugiy.exe  [PID 6056]  xnnbyolathbumltugiy.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 4108]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\xnnbyolathbumltugiy.exe*."

C:\Windows\system32\cmd.exe  [PID 4344]  C:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe
    C:\Windows\mbanjyuiangypnuufg.exe  [PID 5776]  mbanjyuiangypnuufg.exe

C:\Windows\system32\cmd.exe  [PID 1044]  C:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe .
    C:\Windows\xnnbyolathbumltugiy.exe  [PID 1232]  xnnbyolathbumltugiy.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 6084]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\xnnbyolathbumltugiy.exe*."

C:\Windows\system32\cmd.exe  [PID 4460]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe
    C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  [PID 3068]  C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe

C:\Windows\system32\cmd.exe  [PID 888]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
    C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  [PID 5792]  C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 4676]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mbanjyuiangypnuufg.exe*."

C:\Windows\system32\cmd.exe  [PID 5208]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe
    C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe  [PID 860]  C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe

C:\Windows\system32\cmd.exe  [PID 2364]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .
    C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe  [PID 5460]  C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 1020]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zrtjiazqlbxsmnxaoskmc.exe*."

C:\Windows\system32\cmd.exe  [PID 1436]  C:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe
    C:\Windows\mbanjyuiangypnuufg.exe  [PID 1452]  mbanjyuiangypnuufg.exe

C:\Windows\system32\cmd.exe  [PID 1468]  C:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe .
    C:\Windows\mbanjyuiangypnuufg.exe  [PID 732]  mbanjyuiangypnuufg.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 2624]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mbanjyuiangypnuufg.exe*."

C:\Windows\system32\cmd.exe  [PID 2356]  C:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe
    C:\Windows\wjgrlyseufwmbxca.exe  [PID 5496]  wjgrlyseufwmbxca.exe

C:\Windows\system32\cmd.exe  [PID 4236]  C:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe .
    C:\Windows\wjgrlyseufwmbxca.exe  [PID 3968]  wjgrlyseufwmbxca.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 3916]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wjgrlyseufwmbxca.exe*."

C:\Windows\system32\cmd.exe  [PID 3452]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe
    C:\Windows\System32\Conhost.exe  [PID 5584]  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe  [PID 4208]  C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe

C:\Windows\system32\cmd.exe  [PID 5940]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
    C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  [PID 64]  C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 3132]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mbanjyuiangypnuufg.exe*."

C:\Windows\system32\cmd.exe  [PID 2136]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe
    C:\Windows\System32\Conhost.exe  [PID 1240]  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe  [PID 4068]  C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe

C:\Windows\system32\cmd.exe  [PID 1144]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .
    C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe  [PID 2476]  C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 5972]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\drpbwkfsjvneurxwg.exe*."

C:\Windows\system32\cmd.exe  [PID 5180]  C:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe
    C:\Windows\drpbwkfsjvneurxwg.exe  [PID 2916]  drpbwkfsjvneurxwg.exe

C:\Windows\system32\cmd.exe  [PID 3720]  C:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe .
    C:\Windows\wjgrlyseufwmbxca.exe  [PID 4800]  wjgrlyseufwmbxca.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 2676]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wjgrlyseufwmbxca.exe*."

C:\Windows\system32\cmd.exe  [PID 2784]  C:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe
    C:\Windows\System32\Conhost.exe  [PID 5672]  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\xnnbyolathbumltugiy.exe  [PID 2760]  xnnbyolathbumltugiy.exe

C:\Windows\system32\cmd.exe  [PID 1448]  C:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe
    C:\Windows\drpbwkfsjvneurxwg.exe  [PID 4160]  drpbwkfsjvneurxwg.exe

C:\Windows\system32\cmd.exe  [PID 5320]  C:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe .
    C:\Windows\xnnbyolathbumltugiy.exe  [PID 3080]  xnnbyolathbumltugiy.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 2248]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\xnnbyolathbumltugiy.exe*."

C:\Windows\system32\cmd.exe  [PID 4232]  C:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe .
    C:\Windows\kbcrpgeuodyslluwjmde.exe  [PID 4480]  kbcrpgeuodyslluwjmde.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 4292]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\kbcrpgeuodyslluwjmde.exe*."

C:\Windows\system32\cmd.exe  [PID 760]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe
    C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  [PID 4036]  C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe

C:\Windows\system32\cmd.exe  [PID 3420]  C:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe
    C:\Windows\System32\Conhost.exe  [PID 464]  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\mbanjyuiangypnuufg.exe  [PID 2172]  mbanjyuiangypnuufg.exe

C:\Windows\system32\cmd.exe  [PID 1736]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .
    C:\Windows\System32\Conhost.exe  [PID 1116]  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe  [PID 5688]  C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 2596]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\drpbwkfsjvneurxwg.exe*."

C:\Windows\system32\cmd.exe  [PID 5532]  C:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe .
    C:\Windows\xnnbyolathbumltugiy.exe  [PID 4276]  xnnbyolathbumltugiy.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 5792]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\xnnbyolathbumltugiy.exe*."

C:\Windows\system32\cmd.exe  [PID 4660]  C:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe
    C:\Windows\mbanjyuiangypnuufg.exe  [PID 4576]  mbanjyuiangypnuufg.exe

C:\Windows\system32\cmd.exe  [PID 4564]  C:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe .
    C:\Windows\zrtjiazqlbxsmnxaoskmc.exe  [PID 2136]  zrtjiazqlbxsmnxaoskmc.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 5664]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zrtjiazqlbxsmnxaoskmc.exe*."

C:\Windows\system32\cmd.exe  [PID 1160]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe
    C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe  [PID 5888]  C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe

C:\Windows\system32\cmd.exe  [PID 3712]  C:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe
    C:\Windows\wjgrlyseufwmbxca.exe  [PID 5648]  wjgrlyseufwmbxca.exe

C:\Windows\system32\cmd.exe  [PID 4776]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe
    C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe  [PID 888]  C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe

C:\Windows\system32\cmd.exe  [PID 4044]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
    C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe  [PID 4848]  C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 4864]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\kbcrpgeuodyslluwjmde.exe*."

C:\Windows\system32\cmd.exe  [PID 3672]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
    C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe  [PID 4620]  C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 1468]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\kbcrpgeuodyslluwjmde.exe*."

C:\Windows\system32\cmd.exe  [PID 1648]  C:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe .
    C:\Windows\xnnbyolathbumltugiy.exe  [PID 852]  xnnbyolathbumltugiy.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 4068]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\xnnbyolathbumltugiy.exe*."

C:\Windows\system32\cmd.exe  [PID 4900]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe
    C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  [PID 4148]  C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe

C:\Windows\system32\cmd.exe  [PID 4572]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .
    C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe  [PID 4804]  C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 1868]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\drpbwkfsjvneurxwg.exe*."

C:\Windows\system32\cmd.exe  [PID 4604]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe
    C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  [PID 6020]  C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe

C:\Windows\system32\cmd.exe  [PID 5440]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
    C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe  [PID 1652]  C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 5932]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\kbcrpgeuodyslluwjmde.exe*."

C:\Windows\system32\cmd.exe  [PID 5460]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe
    C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  [PID 3992]  C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe

C:\Windows\system32\cmd.exe  [PID 4076]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .
    C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe  [PID 4868]  C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 2400]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zrtjiazqlbxsmnxaoskmc.exe*."

C:\Windows\system32\cmd.exe  [PID 1772]  C:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe
    C:\Windows\System32\Conhost.exe  [PID 5344]  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\kbcrpgeuodyslluwjmde.exe  [PID 528]  kbcrpgeuodyslluwjmde.exe

C:\Windows\system32\cmd.exe  [PID 4080]  C:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe .
    C:\Windows\drpbwkfsjvneurxwg.exe  [PID 848]  drpbwkfsjvneurxwg.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 5732]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\drpbwkfsjvneurxwg.exe*."

C:\Windows\system32\cmd.exe  [PID 2060]  C:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe
    C:\Windows\wjgrlyseufwmbxca.exe  [PID 5324]  wjgrlyseufwmbxca.exe

C:\Windows\system32\cmd.exe  [PID 3288]  C:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe .
    C:\Windows\xnnbyolathbumltugiy.exe  [PID 840]  xnnbyolathbumltugiy.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 4888]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\xnnbyolathbumltugiy.exe*."

C:\Windows\system32\cmd.exe  [PID 404]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe
    C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe  [PID 5600]  C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe

C:\Windows\system32\cmd.exe  [PID 904]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
    C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  [PID 4308]  C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 1788]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mbanjyuiangypnuufg.exe*."

C:\Windows\system32\cmd.exe  [PID 5124]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe
    C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe  [PID 2188]  C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe

C:\Windows\system32\cmd.exe  [PID 6104]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
    C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe  [PID 4796]  C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 5608]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\kbcrpgeuodyslluwjmde.exe*."

C:\Windows\system32\cmd.exe  [PID 1996]  C:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe
    C:\Windows\wjgrlyseufwmbxca.exe  [PID 2508]  wjgrlyseufwmbxca.exe

C:\Windows\system32\cmd.exe  [PID 4540]  C:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe .
    C:\Windows\drpbwkfsjvneurxwg.exe  [PID 4576]  drpbwkfsjvneurxwg.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 4460]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\drpbwkfsjvneurxwg.exe*."

C:\Windows\system32\cmd.exe  [PID 1376]  C:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe
    C:\Windows\mbanjyuiangypnuufg.exe  [PID 4396]  mbanjyuiangypnuufg.exe

C:\Windows\system32\cmd.exe  [PID 3540]  C:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe .
    C:\Windows\zrtjiazqlbxsmnxaoskmc.exe  [PID 2052]  zrtjiazqlbxsmnxaoskmc.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 6004]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zrtjiazqlbxsmnxaoskmc.exe*."

C:\Windows\system32\cmd.exe  [PID 5208]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe
    C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe  [PID 5480]  C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe

C:\Windows\system32\cmd.exe  [PID 2884]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
    C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe  [PID 2364]  C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 3712]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\kbcrpgeuodyslluwjmde.exe*."

C:\Windows\system32\cmd.exe  [PID 1832]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe
    C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe  [PID 3020]  C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe

C:\Windows\system32\cmd.exe  [PID 3068]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .
    C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe  [PID 4616]  C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 5296]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\xnnbyolathbumltugiy.exe*."

C:\Windows\system32\cmd.exe  [PID 2788]  C:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe
    C:\Windows\drpbwkfsjvneurxwg.exe  [PID 2232]  drpbwkfsjvneurxwg.exe

C:\Windows\system32\cmd.exe  [PID 4404]  C:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe .
    C:\Windows\kbcrpgeuodyslluwjmde.exe  [PID 4824]  kbcrpgeuodyslluwjmde.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 732]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\kbcrpgeuodyslluwjmde.exe*."

C:\Windows\system32\cmd.exe  [PID 5404]  C:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe
    C:\Windows\drpbwkfsjvneurxwg.exe  [PID 2716]  drpbwkfsjvneurxwg.exe

C:\Windows\system32\cmd.exe  [PID 4220]  C:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe .
    C:\Windows\kbcrpgeuodyslluwjmde.exe  [PID 3276]  kbcrpgeuodyslluwjmde.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 528]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\kbcrpgeuodyslluwjmde.exe*."

C:\Windows\system32\cmd.exe  [PID 764]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe
    C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe  [PID 1520]  C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe

C:\Windows\system32\cmd.exe  [PID 5728]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .
    C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe  [PID 6012]  C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 3580]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zrtjiazqlbxsmnxaoskmc.exe*."

C:\Windows\system32\cmd.exe  [PID 1240]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe
    C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe  [PID 1308]  C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe

C:\Windows\system32\cmd.exe  [PID 1524]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
    C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe  [PID 5180]  C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 2476]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\kbcrpgeuodyslluwjmde.exe*."

C:\Windows\system32\cmd.exe  [PID 5288]  C:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe
    C:\Windows\wjgrlyseufwmbxca.exe  [PID 5540]  wjgrlyseufwmbxca.exe

C:\Windows\system32\cmd.exe  [PID 1356]  C:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe .
    C:\Windows\mbanjyuiangypnuufg.exe  [PID 840]  mbanjyuiangypnuufg.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 1312]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mbanjyuiangypnuufg.exe*."

C:\Windows\system32\cmd.exe  [PID 2576]  C:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe
    C:\Windows\zrtjiazqlbxsmnxaoskmc.exe  [PID 1380]  zrtjiazqlbxsmnxaoskmc.exe

C:\Windows\system32\cmd.exe  [PID 3516]  C:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe .
    C:\Windows\xnnbyolathbumltugiy.exe  [PID 2188]  xnnbyolathbumltugiy.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 2764]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\xnnbyolathbumltugiy.exe*."

C:\Windows\system32\cmd.exe  [PID 5876]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe
    C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe  [PID 1476]  C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe

C:\Windows\system32\cmd.exe  [PID 5544]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .
    C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe  [PID 3768]  C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 844]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\drpbwkfsjvneurxwg.exe*."

C:\Windows\system32\cmd.exe  [PID 116]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe
    C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe  [PID 6016]  C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe

C:\Windows\system32\cmd.exe  [PID 1068]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
    C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe  [PID 4664]  C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 5968]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\kbcrpgeuodyslluwjmde.exe*."

C:\Windows\system32\cmd.exe  [PID 4728]  C:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe
    C:\Windows\drpbwkfsjvneurxwg.exe  [PID 5824]  drpbwkfsjvneurxwg.exe

C:\Windows\system32\cmd.exe  [PID 4628]  C:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe .
    C:\Windows\zrtjiazqlbxsmnxaoskmc.exe  [PID 1052]  zrtjiazqlbxsmnxaoskmc.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 1916]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zrtjiazqlbxsmnxaoskmc.exe*."

C:\Windows\system32\cmd.exe  [PID 3004]  C:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe
    C:\Windows\kbcrpgeuodyslluwjmde.exe  [PID 3540]  kbcrpgeuodyslluwjmde.exe

C:\Windows\system32\cmd.exe  [PID 5792]  C:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe .
    C:\Windows\kbcrpgeuodyslluwjmde.exe  [PID 712]  kbcrpgeuodyslluwjmde.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 5700]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\kbcrpgeuodyslluwjmde.exe*."

C:\Windows\system32\cmd.exe  [PID 4768]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe
    C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe  [PID 2812]  C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe

C:\Windows\system32\cmd.exe  [PID 1680]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .
    C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe  [PID 4172]  C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 4472]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zrtjiazqlbxsmnxaoskmc.exe*."

C:\Windows\system32\cmd.exe  [PID 5096]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe
    C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe  [PID 2336]  C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe

C:\Windows\system32\cmd.exe  [PID 5416]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .
    C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe  [PID 2232]  C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 5496]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\drpbwkfsjvneurxwg.exe*."

C:\Windows\system32\cmd.exe  [PID 4448]  C:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe
    C:\Windows\xnnbyolathbumltugiy.exe  [PID 1912]  xnnbyolathbumltugiy.exe

C:\Windows\system32\cmd.exe  [PID 6128]  C:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe .
    C:\Windows\mbanjyuiangypnuufg.exe  [PID 440]  mbanjyuiangypnuufg.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 636]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mbanjyuiangypnuufg.exe*."

C:\Windows\system32\cmd.exe  [PID 5060]  C:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe
    C:\Windows\kbcrpgeuodyslluwjmde.exe  [PID 5896]  kbcrpgeuodyslluwjmde.exe

C:\Windows\system32\cmd.exe  [PID 3384]  C:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe
    C:\Windows\mbanjyuiangypnuufg.exe  [PID 4544]  mbanjyuiangypnuufg.exe

C:\Windows\system32\cmd.exe  [PID 5884]  C:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe .
    C:\Windows\mbanjyuiangypnuufg.exe  [PID 4000]  mbanjyuiangypnuufg.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 5376]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mbanjyuiangypnuufg.exe*."

C:\Windows\system32\cmd.exe  [PID 4884]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe
    C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe  [PID 1260]  C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe

C:\Windows\system32\cmd.exe  [PID 1056]  C:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe .
    C:\Windows\drpbwkfsjvneurxwg.exe  [PID 4732]  drpbwkfsjvneurxwg.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 5288]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\drpbwkfsjvneurxwg.exe*."

C:\Windows\system32\cmd.exe  [PID 5572]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .
    C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe  [PID 2132]  C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 2304]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\xnnbyolathbumltugiy.exe*."

C:\Windows\system32\cmd.exe  [PID 1808]  C:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe
    C:\Windows\kbcrpgeuodyslluwjmde.exe  [PID 2676]  kbcrpgeuodyslluwjmde.exe

C:\Windows\system32\cmd.exe  [PID 5760]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe
    C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe  [PID 3028]  C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe

C:\Windows\system32\cmd.exe  [PID 5196]  C:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe .
    C:\Windows\System32\Conhost.exe  [PID 1312]  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\mbanjyuiangypnuufg.exe  [PID 904]  mbanjyuiangypnuufg.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 6016]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mbanjyuiangypnuufg.exe*."

C:\Windows\system32\cmd.exe  [PID 1672]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe
    C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe  [PID 2544]  C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe

C:\Windows\system32\cmd.exe  [PID 992]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
    C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  [PID 2360]  C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 728]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mbanjyuiangypnuufg.exe*."

C:\Windows\system32\cmd.exe  [PID 868]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
    C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe  [PID 2192]  C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 4664]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\kbcrpgeuodyslluwjmde.exe*."

C:\Windows\system32\cmd.exe  [PID 4036]  C:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe
    C:\Windows\zrtjiazqlbxsmnxaoskmc.exe  [PID 3876]  zrtjiazqlbxsmnxaoskmc.exe

C:\Windows\system32\cmd.exe  [PID 4248]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe
    C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe  [PID 2388]  C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe

C:\Windows\system32\cmd.exe  [PID 2768]  C:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe .
    C:\Windows\wjgrlyseufwmbxca.exe  [PID 624]  wjgrlyseufwmbxca.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 2916]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wjgrlyseufwmbxca.exe*."

C:\Windows\system32\cmd.exe  [PID 3836]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .
    C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe  [PID 3152]  C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 6008]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wjgrlyseufwmbxca.exe*."

C:\Windows\system32\cmd.exe  [PID 6028]  C:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe
    C:\Windows\zrtjiazqlbxsmnxaoskmc.exe  [PID 836]  zrtjiazqlbxsmnxaoskmc.exe

C:\Windows\system32\cmd.exe  [PID 5088]  C:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe .
    C:\Windows\mbanjyuiangypnuufg.exe  [PID 4272]  mbanjyuiangypnuufg.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 3068]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mbanjyuiangypnuufg.exe*."

C:\Windows\system32\cmd.exe  [PID 1160]  C:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe
    C:\Windows\wjgrlyseufwmbxca.exe  [PID 4068]  wjgrlyseufwmbxca.exe

C:\Windows\system32\cmd.exe  [PID 4628]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe
    C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe  [PID 5068]  C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe

C:\Windows\system32\cmd.exe  [PID 4032]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .
    C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe  [PID 5300]  C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 6136]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\xnnbyolathbumltugiy.exe*."

C:\Windows\system32\cmd.exe  [PID 4656]  C:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe .
    C:\Windows\zrtjiazqlbxsmnxaoskmc.exe  [PID 1832]  zrtjiazqlbxsmnxaoskmc.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 6064]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zrtjiazqlbxsmnxaoskmc.exe*."

C:\Windows\system32\cmd.exe  [PID 2336]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe
    C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  [PID 5440]  C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe

C:\Windows\system32\cmd.exe  [PID 5976]  C:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe
    C:\Windows\drpbwkfsjvneurxwg.exe  [PID 1984]  drpbwkfsjvneurxwg.exe

C:\Windows\system32\cmd.exe  [PID 1728]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
    C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe  [PID 5460]  C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 1896]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mbanjyuiangypnuufg.exe*."

C:\Windows\system32\cmd.exe  [PID 548]  C:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe .
    C:\Windows\xnnbyolathbumltugiy.exe  [PID 1216]  xnnbyolathbumltugiy.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 3640]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\xnnbyolathbumltugiy.exe*."

C:\Windows\system32\cmd.exe  [PID 4484]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe
    C:\Windows\System32\Conhost.exe  [PID 2352]  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe  [PID 2484]  C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe

C:\Windows\system32\cmd.exe  [PID 1652]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .
    C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe  [PID 4680]  C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 3824]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\drpbwkfsjvneurxwg.exe*."

C:\Windows\system32\cmd.exe  [PID 5252]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe
    C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe  [PID 5728]  C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe

C:\Windows\system32\cmd.exe  [PID 5296]  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .
    C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe  [PID 1524]  C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 5940]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\xnnbyolathbumltugiy.exe*."

C:\Windows\system32\cmd.exe  [PID 4176]  C:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe
    C:\Windows\wjgrlyseufwmbxca.exe  [PID 5708]  wjgrlyseufwmbxca.exe

C:\Windows\system32\cmd.exe  [PID 4452]  C:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe .
    C:\Windows\zrtjiazqlbxsmnxaoskmc.exe  [PID 1308]  zrtjiazqlbxsmnxaoskmc.exe .
        C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe  [PID 1448]  "C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zrtjiazqlbxsmnxaoskmc.exe*."

C:\Windows\system32\cmd.exe  [PID 3756]  C:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe
    C:\Windows\System32\Conhost.exe  [PID 4960]  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\zrtjiazqlbxsmnxaoskmc.exe  [PID 4024]  zrtjiazqlbxsmnxaoskmc.exe
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe .1⤵PID:4444
-
C:\Windows\wjgrlyseufwmbxca.exewjgrlyseufwmbxca.exe .2⤵PID:2116
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wjgrlyseufwmbxca.exe*."3⤵PID:1004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe1⤵PID:4836
-
C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exeC:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe2⤵PID:3876
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .1⤵PID:5808
-
C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exeC:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .2⤵PID:5936
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\xnnbyolathbumltugiy.exe*."3⤵PID:4796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe1⤵PID:4972
-
C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exeC:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe2⤵PID:4640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .1⤵PID:5984
-
C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exeC:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .2⤵PID:1268
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wjgrlyseufwmbxca.exe*."3⤵PID:4196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe1⤵PID:4100
-
C:\Windows\xnnbyolathbumltugiy.exexnnbyolathbumltugiy.exe2⤵PID:4036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe .1⤵PID:2052
-
C:\Windows\xnnbyolathbumltugiy.exexnnbyolathbumltugiy.exe .2⤵PID:1020
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\xnnbyolathbumltugiy.exe*."3⤵PID:2604
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe1⤵PID:3392
-
C:\Windows\kbcrpgeuodyslluwjmde.exekbcrpgeuodyslluwjmde.exe2⤵PID:1040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe .1⤵PID:4980
-
C:\Windows\xnnbyolathbumltugiy.exexnnbyolathbumltugiy.exe .2⤵PID:4776
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\xnnbyolathbumltugiy.exe*."3⤵PID:2296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe1⤵PID:1028
-
C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exeC:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe2⤵PID:5208
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .1⤵PID:4272
-
C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exeC:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .2⤵PID:3652
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\drpbwkfsjvneurxwg.exe*."3⤵PID:5300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe1⤵PID:1820
-
C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exeC:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe2⤵PID:2364
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .1⤵PID:5036
-
C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exeC:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .2⤵PID:4472
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wjgrlyseufwmbxca.exe*."3⤵PID:1544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe1⤵PID:3552
-
C:\Windows\drpbwkfsjvneurxwg.exedrpbwkfsjvneurxwg.exe2⤵PID:5960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zrtjiazqlbxsmnxaoskmc.exe .1⤵PID:636
-
C:\Windows\zrtjiazqlbxsmnxaoskmc.exezrtjiazqlbxsmnxaoskmc.exe .2⤵PID:3676
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\zrtjiazqlbxsmnxaoskmc.exe*."3⤵PID:1648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe1⤵PID:3276
-
C:\Windows\xnnbyolathbumltugiy.exexnnbyolathbumltugiy.exe2⤵PID:4056
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe .1⤵PID:5720
-
C:\Windows\mbanjyuiangypnuufg.exembanjyuiangypnuufg.exe .2⤵PID:6056
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mbanjyuiangypnuufg.exe*."3⤵PID:4412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe1⤵PID:4068
-
C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exeC:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe2⤵PID:4404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .1⤵PID:4168
-
C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exeC:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .2⤵PID:3812
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\xnnbyolathbumltugiy.exe*."3⤵PID:2916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe1⤵PID:5048
-
C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exeC:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe2⤵PID:4576
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .1⤵PID:528
-
C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exeC:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe .2⤵PID:5420
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\xnnbyolathbumltugiy.exe*."3⤵PID:4800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe1⤵PID:5324
-
C:\Windows\mbanjyuiangypnuufg.exembanjyuiangypnuufg.exe2⤵PID:2304
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe .1⤵PID:4356
-
C:\Windows\kbcrpgeuodyslluwjmde.exekbcrpgeuodyslluwjmde.exe .2⤵PID:5908
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\kbcrpgeuodyslluwjmde.exe*."3⤵PID:1948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe1⤵PID:1308
-
C:\Windows\mbanjyuiangypnuufg.exembanjyuiangypnuufg.exe2⤵PID:3656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbanjyuiangypnuufg.exe .1⤵PID:3408
-
C:\Windows\mbanjyuiangypnuufg.exembanjyuiangypnuufg.exe .2⤵PID:3080
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\mbanjyuiangypnuufg.exe*."3⤵PID:208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe1⤵PID:4736
-
C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exeC:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe2⤵PID:3964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .1⤵PID:5628
-
C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exeC:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .2⤵PID:2752
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\kbcrpgeuodyslluwjmde.exe*."3⤵PID:2784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe1⤵PID:3304
-
C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exeC:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe2⤵PID:4764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .1⤵PID:988
-
C:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exeC:\Users\Admin\AppData\Local\Temp\kbcrpgeuodyslluwjmde.exe .2⤵PID:5880
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\kbcrpgeuodyslluwjmde.exe*."3⤵PID:4748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe1⤵PID:5480
-
C:\Windows\drpbwkfsjvneurxwg.exedrpbwkfsjvneurxwg.exe2⤵PID:3648
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe .1⤵PID:2996
-
C:\Windows\wjgrlyseufwmbxca.exewjgrlyseufwmbxca.exe .2⤵PID:1572
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wjgrlyseufwmbxca.exe*."3⤵PID:1616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe1⤵PID:2604
-
C:\Windows\kbcrpgeuodyslluwjmde.exekbcrpgeuodyslluwjmde.exe2⤵PID:1028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe .1⤵PID:5068
-
C:\Windows\wjgrlyseufwmbxca.exewjgrlyseufwmbxca.exe .2⤵PID:5156
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wjgrlyseufwmbxca.exe*."3⤵PID:6060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe1⤵PID:4792
-
C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exeC:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe2⤵PID:5508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .1⤵PID:4232
-
C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exeC:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .2⤵PID:2236
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\zrtjiazqlbxsmnxaoskmc.exe*."3⤵PID:4900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c jhuplyukeqfyqhfmmx.exe1⤵PID:1680
-
C:\Windows\jhuplyukeqfyqhfmmx.exejhuplyukeqfyqhfmmx.exe2⤵PID:2400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe1⤵PID:1384
-
C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exeC:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe2⤵PID:5796
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .1⤵PID:1920
-
C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exeC:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe .2⤵PID:5404
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\mbanjyuiangypnuufg.exe*."3⤵PID:5636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c axjdykfunymevlion.exe .1⤵PID:4804
-
C:\Windows\axjdykfunymevlion.exeaxjdykfunymevlion.exe .2⤵PID:6112
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\axjdykfunymevlion.exe*."3⤵PID:4504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c uthdaolcxkaunfemnzy.exe1⤵PID:732
-
C:\Windows\uthdaolcxkaunfemnzy.exeuthdaolcxkaunfemnzy.exe2⤵PID:3484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wxnlkazspewsnhisvjklb.exe .1⤵PID:4056
-
C:\Windows\wxnlkazspewsnhisvjklb.exewxnlkazspewsnhisvjklb.exe .2⤵PID:2744
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\wxnlkazspewsnhisvjklb.exe*."3⤵PID:404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe1⤵PID:2600
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3712
-
-
C:\Windows\kbcrpgeuodyslluwjmde.exekbcrpgeuodyslluwjmde.exe2⤵PID:1996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jhuplyukeqfyqhfmmx.exe1⤵PID:5272
-
C:\Users\Admin\AppData\Local\Temp\jhuplyukeqfyqhfmmx.exeC:\Users\Admin\AppData\Local\Temp\jhuplyukeqfyqhfmmx.exe2⤵PID:1044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnlkazspewsnhisvjklb.exe .1⤵PID:4536
-
C:\Users\Admin\AppData\Local\Temp\wxnlkazspewsnhisvjklb.exeC:\Users\Admin\AppData\Local\Temp\wxnlkazspewsnhisvjklb.exe .2⤵PID:5884
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\users\admin\appdata\local\temp\wxnlkazspewsnhisvjklb.exe*."3⤵PID:4852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe .1⤵PID:4420
-
C:\Windows\kbcrpgeuodyslluwjmde.exekbcrpgeuodyslluwjmde.exe .2⤵PID:5096
-
C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe"C:\Users\Admin\AppData\Local\Temp\myjtkkdhwit.exe" "c:\windows\kbcrpgeuodyslluwjmde.exe*."3⤵PID:4296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c kbcrpgeuodyslluwjmde.exe1⤵PID:4348
-
C:\Windows\kbcrpgeuodyslluwjmde.exekbcrpgeuodyslluwjmde.exe2⤵PID:4784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe1⤵PID:1524
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe .1⤵PID:5180
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wxnlkazspewsnhisvjklb.exe1⤵PID:4924
-
C:\Users\Admin\AppData\Local\Temp\wxnlkazspewsnhisvjklb.exeC:\Users\Admin\AppData\Local\Temp\wxnlkazspewsnhisvjklb.exe2⤵PID:1644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tpatnysgyivmcrns.exe .1⤵PID:5892
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4016
-
-
C:\Users\Admin\AppData\Local\Temp\tpatnysgyivmcrns.exeC:\Users\Admin\AppData\Local\Temp\tpatnysgyivmcrns.exe .2⤵PID:5972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe1⤵PID:220
-
C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exeC:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe2⤵PID:1612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe .1⤵PID:2676
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .1⤵PID:2760
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe1⤵PID:2788
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe1⤵PID:468
-
C:\Windows\drpbwkfsjvneurxwg.exedrpbwkfsjvneurxwg.exe2⤵PID:1828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe1⤵PID:588
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe .1⤵PID:4960
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c xnnbyolathbumltugiy.exe .1⤵PID:5328
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe1⤵PID:4444
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjgrlyseufwmbxca.exe .1⤵PID:4864
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\drpbwkfsjvneurxwg.exe .1⤵PID:5124
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wjgrlyseufwmbxca.exe1⤵PID:992
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drpbwkfsjvneurxwg.exe .1⤵PID:868
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mbanjyuiangypnuufg.exe1⤵PID:3648
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnnbyolathbumltugiy.exe1⤵PID:6020
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrtjiazqlbxsmnxaoskmc.exe .1⤵PID:2292
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution (3)
  Registry Run Keys / Startup Folder (2)
  Winlogon Helper DLL (1)
Hijack Execution Flow (1)
  Executable Installer File Permissions Weakness (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1)
  Bypass User Account Control (1)
Boot or Logon Autostart Execution (3)
  Registry Run Keys / Startup Folder (2)
  Winlogon Helper DLL (1)
Hijack Execution Flow (1)
  Executable Installer File Permissions Weakness (1)
Defense Evasion
Abuse Elevation Control Mechanism (1)
  Bypass User Account Control (1)
Hijack Execution Flow (1)
  Executable Installer File Permissions Weakness (1)
Impair Defenses (2)
  Disable or Modify Tools (1)
  Safe Mode Boot (1)
Modify Registry (5)
Downloads